password-protected ssh private key

sshtmc
Posts: 5
Joined: Wed Jun 19, 2019 10:19 am


Post by sshtmc » Wed Jun 19, 2019 10:25 am

Hi!

I'm not able to use my password-protected private ssh key to connect to an sftp (ssh) server. Connecting with a private ssh key which is not password-protected works well.
There's a red exclamation sign next to the "password" field, and it doesn't go away.
If possible, it would be ideal if you could use the ssh-agent running on the host?

mike
Posts: 800
Joined: Thu Jul 16, 2015 5:35 am
Location: Exeter, UK

Re: password-protected ssh private key

Post by mike » Sat Jun 22, 2019 7:52 pm

Hi,

The red exclamation mark signals that NC wasn't able to 'open' the key file with the provided password.
Could you provide more information about this key file?

The system's ssh-agent sounds interesting, I haven't thought about it before.

sshtmc
Posts: 5
Joined: Wed Jun 19, 2019 10:19 am

Re: password-protected ssh private key

Post by sshtmc » Tue Jul 02, 2019 2:23 pm

Sorry, the notifications were not enabled by default, so I wasn't aware that there was a response.

The exclamation sign makes sense and does work in case the private key is not password-protected.
However, the same private key, with the same path and everything else, only password-protected, cannot be used at all by Nimble Commander. :(

Code:

» ls -l ~/.ssh/id_rsa
-rw-------  1 sat  staff  3410 May  3 13:58 /Users/sat/.ssh/id_rsa

BTW, I hope this gets resolved in the next release. I bought NC (actually the company paid for it :) ) and it was working perfectly until the company imposed the rules for the password protected private ssh keys. I work around the limitation at the moment by using sshfs, but as you can imagine, this is not the most optimal approach.

mike
Posts: 800
Joined: Thu Jul 16, 2015 5:35 am
Location: Exeter, UK

Re: password-protected ssh private key

Post by mike » Wed Jul 03, 2019 6:45 pm

Not sure I understand what is going on.

There are basically 3 scenarios in NC when connecting to SSH:
- login + password;
- login + private_key;
- login + private_key + private_key_password (uses the same 'Password' field).

The exclamation mark should appear only in the 3rd case, when the provided key password does not unlock the private key.
Are you providing a password for the private key and not for the server (as in the 1st scenario)?

If that is the case - please provide some info about your configuration so I can try to reproduce it on my side.

sshtmc
Posts: 5
Joined: Wed Jun 19, 2019 10:19 am

Re: password-protected ssh private key

Post by sshtmc » Fri Jul 05, 2019 9:39 am

That's correct, the 1st and 2nd scenario work as they should, but the 3rd scenario doesn't.
The password I provided is for the private key (100%, since I provide the same password to the ssh-agent).

I just tried the following tests, ranging from RSA 4096 bit (which I use), down to 1024 bit, and then using the default strength. Then I tested with DSA, ECDSA, and ED25519. None of them worked in NC.
The password provided in all cases was "testpassword", which doesn't have any special characters.

Code:

sat@impala ~ » ssh-keygen -b 4096 -f id_rsa_test -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test.
Your public key has been saved in id_rsa_test.pub.
The key fingerprint is:
SHA256:lZycBLsvcRyhZcQTsa7VjZLRgqhMYbTXaKvgzMW8cl0 sat@impala
The key's randomart image is:
+---[RSA 4096]----+
|   .+   .+Oo     |
|   . o + XoB     |
|    o = = %..    |
|   = + . = * o   |
|  . * . E B o .  |
| + o + . * .     |
|  = + . o .      |
|   o     .       |
|                 |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 1024 -f id_rsa_test1024 -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test1024.
Your public key has been saved in id_rsa_test1024.pub.
The key fingerprint is:
SHA256:myeVDYakHCjqSYCdSkAk/rjB1QWHK1cOgjIeUP5rQ4g sat@impala
The key's randomart image is:
+---[RSA 1024]----+
|X=o. o+o.        |
|B=+.o+o= .       |
|==oo..B . o      |
|++++ o . . +     |
|E+o.=   S o .    |
| oo. .   +       |
| .  +   + .      |
|   . .   o       |
|                 |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 2048 -f id_rsa_test2048 -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test2048.
Your public key has been saved in id_rsa_test2048.pub.
The key fingerprint is:
SHA256:y6a8NO6+ObexF6Ia7AY0g2q2c7ZCNrSIZo/v9DfT8j8 sat@impala
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
| .               |
|..+              |
|=..o    S        |
|+X..   ....      |
|B =oo o.*. .     |
| =.=o=oX.+.E     |
|  B=+=@=B+...    |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -f id_rsa_test_default -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test_default.
Your public key has been saved in id_rsa_test_default.pub.
The key fingerprint is:
SHA256:shfKIFPxE+RWijL5900sgxXXHx8vFrL8uWRonWPZOKs sat@impala
The key's randomart image is:
+---[RSA 2048]----+
|    ..o o ..     |
|   . = + o  o o. |
|  + o * .  . + +o|
|   = . + .  o + o|
|  o o + S o  = B |
|   o + = *  o & .|
|      + o .. + = |
|       .      o  |
|            E.   |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 1024 -t dsa -f id_dsa -P testpassword                                                                                                             1 ↵
Generating public/private dsa key pair.
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:lHX0vP3hLq5Z/J1axkxm7z9znMGciQntCB2yEZTFtZg sat@impala
The key's randomart image is:
+---[DSA 1024]----+
|        .o*o+.   |
|         * +oo.  |
|        o =Eo.o  |
|       . o o . o |
|        S . + *=+|
|           ..+B*+|
|             o B=|
|            o.===|
|           oooo+O|
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -t ecdsa -f id_dsa -P testpassword                                                                                                                 255 ↵
Generating public/private ecdsa key pair.
id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:lAhBKF++b6LVrqfCN5DvvcALAjxFCqLt1HZE2fB8N6o sat@impala
The key's randomart image is:
+---[ECDSA 256]---+
|o  ++o++         |
|=.+..o.+..       |
|.+o+o o = . o    |
|.oo... . . o .   |
|.o.. .  S .      |
|. +...   .       |
|...o+.. E        |
| .oo==+          |
|  .==B+.         |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -t ed25519 -f id_dsa -P testpassword
Generating public/private ed25519 key pair.
id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:yR2gPFjhlrdzYflL+o2btZmnq5c7OHlQNnNvK/JHhaA sat@impala
The key's randomart image is:
+--[ED25519 256]--+
|      o..        |
|     = o . ..    |
|    . B . =. . . |
|     . + =E+  * o|
|        S o oo +o|
|         o o.. .o|
|          . .+oo.|
|           o+*=*.|
|            OB@* |
+----[SHA256]-----+

sat@impala ~ » ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3

mike
Posts: 800
Joined: Thu Jul 16, 2015 5:35 am
Location: Exeter, UK

Re: password-protected ssh private key

Post by mike » Fri Jul 05, 2019 8:57 pm

Thank you for the extensive examples, that was very helpful!

I found and fixed the issue, it was in the 'new' (relatively speaking) key file format.
Now all these kinds of keys do work, with one exception of ED25519.

sshtmc
Posts: 5
Joined: Wed Jun 19, 2019 10:19 am

Re: password-protected ssh private key

Post by sshtmc » Mon Jul 08, 2019 11:22 am

Thanks Mike! I'm looking forward to the new version!

Also, would be awesome if you could add support for ssh-agent, since it handles passwords in the most secure way possible. My understanding is that NC currently stores passwords in plain text...

mike
Posts: 800
Joined: Thu Jul 16, 2015 5:35 am
Location: Exeter, UK

Re: password-protected ssh private key

Post by mike » Mon Jul 08, 2019 6:11 pm

Oh, absolutely not. Or, at least, let's say, I'd be very surprised if it does :)

NC uses Keychain services from macOS to store and retrieve passwords when needed.

sshtmc
Posts: 5
Joined: Wed Jun 19, 2019 10:19 am

Re: password-protected ssh private key

Post by sshtmc » Mon Jul 15, 2019 11:04 am

Thanks, it's very good to know that our passwords are not stored in plain text! :)
