Phil Stracchino wrote:
> 
> On Fri, Sep 28, 2001 at 11:00:25AM -0700, Phil Stracchino wrote:
> > On Fri, Sep 28, 2001 at 06:21:26PM +0100, Dr S N Henson wrote:
> > > Read the bit in the FAQ about adding an ERR_print_errors_fp() call then
> > > see what it says is the cause.
> 
> I tried using ERR_print_errors_fp() in the appropriate location and it
> reported nothing.  I therefore took a slightly different tack.  I changed
> the error detection code in key_load_private_pem() in authfile.c from
> this:
> 
>         pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase);
>         if (pk == NULL) {
>                 debug("PEM_read_PrivateKey failed");
>                 (void)ERR_get_error();
>         } else if (pk->type == EVP_PKEY_RSA && ....
> 
> to this:
> 
>         pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase);
>         if (pk == NULL) {
>                 error("PEM_read_PrivateKey failed");
>                 while (ERR_peek_error())
>                   error("PEM error %ld: %s",
>                         ERR_peek_error(),
>                         ERR_error_string(ERR_get_error(), NULL));
>         } else if (pk->type == EVP_PKEY_RSA && ....
> 
> Right up to the point at which that PEM_read_PrivateKey() call is
> executed, everything appears to be working perfectly.  At the moment of
> making this call:
> 
>   filename is "/root/.ssh/id_dsa"
>   passphrase contains the correct password
>   fp is valid, and _IO_read_base points at the string:
>     "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n
>      DEK-Info: DES-EDE3-CBC,<data....>"
> 
> The passphrase supplied is known to be correct, and successfully unlocks
> this keyfile on a Solaris 8 machine which is running the same version of
> both OpenSSH and OpenSSL.  Nevertheless, PEM_read_PrivateKey returns NULL,
> but according to ERR_peek_error(), no error has occurred.  I am unable to
> trace into the PEM_read_PrivateKey() call using gdb.
> 

Strange, it should produce an error of some sort. See what happens if
you remove the pass phrase on the private key (using the rsa utility)
and also see if you get an error when you supply an incorrect pass
phrase.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
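
Added example, not part of the original message and not OpenSSH or OpenSSL code: a dependency-free check of the `Proc-Type` and `DEK-Info` headers quoted in the thread, which can be run against the key file on both machines to confirm they carry the same cipher name and a well-formed IV before the passphrase is suspected. `pem_inspect` and `struct pem_enc_info` are hypothetical names, and the sample key text is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* What the legacy PEM encapsulation headers say about a private key. */
struct pem_enc_info {
    int encrypted;    /* 1 if "Proc-Type: 4,ENCRYPTED" is present */
    char cipher[32];  /* cipher name from DEK-Info, e.g. DES-EDE3-CBC */
    size_t iv_len;    /* IV length in bytes, from the hex field */
};
/* Hypothetical helper: returns 0 if the headers are well formed, -1 if not. */
int pem_inspect(const char *pem, struct pem_enc_info *out)
{
    memset(out, 0, sizeof(*out));
    if (strncmp(pem, "-----BEGIN ", 11) != 0)
        return -1;
    for (const char *p = strchr(pem, '\n'); p != NULL; p = strchr(p, '\n')) {
        p++;                                  /* start of the next line */
        if (*p == '\n' || *p == '\r' || *p == '\0')
            break;                            /* blank line ends the headers */
        if (strncmp(p, "Proc-Type: 4,ENCRYPTED", 22) == 0) {
            out->encrypted = 1;
        } else if (strncmp(p, "DEK-Info: ", 10) == 0) {
            const char *name = p + 10;
            size_t n = strcspn(name, ",\r\n"), hex = 0;
            if (name[n] != ',' || n == 0 || n >= sizeof(out->cipher))
                return -1;
            memcpy(out->cipher, name, n);     /* memset above terminates it */
            while (isxdigit((unsigned char)name[n + 1 + hex]))
                hex++;
            if (hex == 0 || hex % 2 != 0)
                return -1;                    /* IV must be whole hex bytes */
            out->iv_len = hex / 2;
        } else if (p[strcspn(p, ":\n")] != ':') {
            break;                            /* no headers: base64 body */
        }
    }
    return (out->encrypted && out->iv_len == 0) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample, truncated after the headers; not a real key. */
    const char *pem = "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n";
    struct pem_enc_info i;
    int rc = pem_inspect(pem, &i);
    printf("rc=%d cipher=%s iv_len=%zu\n", rc, i.cipher, i.iv_len);
    return rc == 0 ? 0 : 1;
}
```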
