Phil Stracchino wrote:
>
> On Fri, Sep 28, 2001 at 11:21:43PM +0100, Dr S N Henson wrote:
> > Strange, it should produce an error of some sort. See what happens if
> > you remove the pass phrase on the private key (using the rsa utility)
> > and also see if you get an error when you supply an incorrect pass
> > phrase.
>
> babylon5:root:~/.ssh:11 # openssl rsa -passin stdin -in id_rsa -out rsa_nopass
> <********>
> read RSA key
> unable to load key
> babylon5:root:~/.ssh:12 # openssl dsa -passin stdin -in id_dsa -out dsa_nopass
> <********>
> read DSA key
> unable to load Key
> babylon5:root:~/.ssh:13 # ssh-add id_dsa
> PEM_read_PrivateKey failed
> Enter passphrase for id_dsa: <********>
> PEM_read_PrivateKey failed
> Bad passphrase, try again: foo
> PEM_read_PrivateKey failed
> Bad passphrase, try again: bar
> PEM_read_PrivateKey failed
> Bad passphrase, try again:
> babylon5:root:~/.ssh:14 #
>
> It appears to me as though what's happening is that it's not encountering
> any execution errors, but it's somehow failing to decrypt the key with the
> correct passphrase and treating it as just another incorrect passphrase.
>
Well, if this is the version that you modified to print out error messages,
then there's another problem. I suggest you change that part you mentioned
earlier to:

    pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase);
    if (pk == NULL) {
        error("PEM_read_PrivateKey failed");
        ERR_print_errors_fp(stderr);
    } else if (pk->type == EVP_PKEY_RSA && ....

then do the tests before. Also add another ERR_print_errors_fp(stderr)
where it prints out "unable to load key".

> As an experiment, I tried generating a test key using openssl rather than
> ssh-keygen, using the following command:
>
> openssl genrsa -rand /dev/random:random_seed -F4 128
>
> This command has so far run for ten minutes without producing any output,
> generating any visible system activity, or consuming any CPU time as
> reported by top. (My intention was to verify, one step at a time, that I
> could create an encrypted key directly using openssl and then remove the
> passphrase from it.) Am I using genrsa incorrectly, or is this as bad a
> sign as I think it is?
>

Yes, that is wrong. It will read until EOF, which will never happen with
/dev/random. You shouldn't need a -rand argument under Linux anyway.

This is starting to look like a compiler bug.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]