password-protected ssh private key [FIXED]
Hi!
I'm not able to use my password-protected private ssh key to connect to an sftp (ssh) server. Connecting with a private ssh key which is not password-protected works well.
There's a red exclamation sign next to the "password" field, and it doesn't go away. If possible, it would be ideal if you could use the ssh-agent running on the host?
Re: password-protected ssh private key
Hi,
The red exclamation mark signals that NC wasn't able to 'open' the key file with the provided password.
Could you provide more information about this key file?
The system's ssh-agent sounds interesting, I haven't thought about it before.
Re: password-protected ssh private key
Sorry the notifications were not enabled by default, I wasn't aware that there was a response.
The exclamation sign makes sense and does work in case the private key is not password protected.
However, the same private key, with the same path and everything else, only password protected cannot be used at all by Nimble Commander.
BTW, I hope this gets resolved in the next release. I bought NC (actually the company paid for it) and it was working perfectly until the company imposed the rules for the password protected private ssh keys. I work around the limitation at the moment by using sshfs, but as you can imagine, this is not the most optimal approach.
Code:
» ls -l ~/.ssh/id_rsa
-rw------- 1 sat staff 3410 May 3 13:58 /Users/sat/.ssh/id_rsa
Re: password-protected ssh private key
Not sure I understand what is going on.
There are basically 3 scenarios in NC when connecting to SSH:
- login + password;
- login + private_key;
- login + private_key + private_key_password (uses the same 'Password' field).
The exclamation mark should appear only in the 3rd case, when the provided key password does not unlock the private key.
Are you providing a password for the private key and not for the server (as in the 1st scenario)?
If that is the case - please provide some info about your configuration so I can try to reproduce it on my side.
Re: password-protected ssh private key
That's correct, the 1st and 2nd scenario work as they should, but the 3rd scenario doesn't.
The password I provided is for the private key (100%, since I provide the same password to the ssh-agent).
I just tried the following tests, ranging from RSA 4096 bit (which I use), down to 1024 bit, and then using the default strength. Then I tested with DSA, ECDSA, and ED25519. None of them worked in NC.
The password provided in all cases was "testpassword", which doesn't have any special characters.
Code:
sat@impala ~ » ssh-keygen -b 4096 -f id_rsa_test -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test.
Your public key has been saved in id_rsa_test.pub.
The key fingerprint is:
SHA256:lZycBLsvcRyhZcQTsa7VjZLRgqhMYbTXaKvgzMW8cl0 sat@impala
The key's randomart image is:
+---[RSA 4096]----+
| .+ .+Oo |
| . o + XoB |
| o = = %.. |
| = + . = * o |
| . * . E B o . |
| + o + . * . |
| = + . o . |
| o . |
| |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 1024 -f id_rsa_test1024 -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test1024.
Your public key has been saved in id_rsa_test1024.pub.
The key fingerprint is:
SHA256:myeVDYakHCjqSYCdSkAk/rjB1QWHK1cOgjIeUP5rQ4g sat@impala
The key's randomart image is:
+---[RSA 1024]----+
|X=o. o+o. |
|B=+.o+o= . |
|==oo..B . o |
|++++ o . . + |
|E+o.= S o . |
| oo. . + |
| . + + . |
| . . o |
| |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 2048 -f id_rsa_test2048 -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test2048.
Your public key has been saved in id_rsa_test2048.pub.
The key fingerprint is:
SHA256:y6a8NO6+ObexF6Ia7AY0g2q2c7ZCNrSIZo/v9DfT8j8 sat@impala
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| . |
|..+ |
|=..o S |
|+X.. .... |
|B =oo o.*. . |
| =.=o=oX.+.E |
| B=+=@=B+... |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -f id_rsa_test_default -P testpassword
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_test_default.
Your public key has been saved in id_rsa_test_default.pub.
The key fingerprint is:
SHA256:shfKIFPxE+RWijL5900sgxXXHx8vFrL8uWRonWPZOKs sat@impala
The key's randomart image is:
+---[RSA 2048]----+
| ..o o .. |
| . = + o o o. |
| + o * . . + +o|
| = . + . o + o|
| o o + S o = B |
| o + = * o & .|
| + o .. + = |
| . o |
| E. |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -b 1024 -t dsa -f id_dsa -P testpassword 1 ↵
Generating public/private dsa key pair.
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:lHX0vP3hLq5Z/J1axkxm7z9znMGciQntCB2yEZTFtZg sat@impala
The key's randomart image is:
+---[DSA 1024]----+
| .o*o+. |
| * +oo. |
| o =Eo.o |
| . o o . o |
| S . + *=+|
| ..+B*+|
| o B=|
| o.===|
| oooo+O|
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -t ecdsa -f id_dsa -P testpassword 255 ↵
Generating public/private ecdsa key pair.
id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:lAhBKF++b6LVrqfCN5DvvcALAjxFCqLt1HZE2fB8N6o sat@impala
The key's randomart image is:
+---[ECDSA 256]---+
|o ++o++ |
|=.+..o.+.. |
|.+o+o o = . o |
|.oo... . . o . |
|.o.. . S . |
|. +... . |
|...o+.. E |
| .oo==+ |
| .==B+. |
+----[SHA256]-----+
sat@impala ~ » ssh-keygen -t ed25519 -f id_dsa -P testpassword
Generating public/private ed25519 key pair.
id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
SHA256:yR2gPFjhlrdzYflL+o2btZmnq5c7OHlQNnNvK/JHhaA sat@impala
The key's randomart image is:
+--[ED25519 256]--+
| o.. |
| = o . .. |
| . B . =. . . |
| . + =E+ * o|
| S o oo +o|
| o o.. .o|
| . .+oo.|
| o+*=*.|
| OB@* |
+----[SHA256]-----+
sat@impala ~ » ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3
Re: password-protected ssh private key
Thank you for the extensive examples, that was very helpful!
I found and fixed the issue, it was in the 'new' (relatively speaking) key file format.
Now all these kinds of keys do work, with one exception of ED25519.
Re: password-protected ssh private key
Thanks Mike! I'm looking forward to the new version!
Also, would be awesome if you could add support for ssh-agent, since it handles passwords in the most secure way possible. My understanding is that NC currently stores passwords in plain text...
Re: password-protected ssh private key
Oh, absolutely not. Or, at least, let's say, I'd be very surprised if it does.
NC uses Keychain services from macOS to store and retrieve passwords when needed.
Re: password-protected ssh private key
Thanks, it's very good to know that our passwords are not stored in plain text!
Re: password-protected ssh private key
ED25519 now works as well.