
I've been trying out phpseclib, to run a simple SSH session to various cloud servers. Each time using key login.

A test with key that has no password protection is fine: I tried one on standard port 22, then another on a non-standard port, and both worked. (Both are on Amazon EC2, different regions.)

But the first test I tried failed, with:

SSH_MSG_USERAUTH_FAILURE: publickey,password

It has a password-protected key, with a non-standard port. Here is my script (with names changed to protect the innocent):

include('Net/SSH2.php');
include('Crypt/RSA.php');

// connect on the non-standard port (the constructor does the key exchange)
$ssh = new Net_SSH2('10.1.2.3', /*port*/999);
$key = new Crypt_RSA();

// passphrase of the encrypted private key must be set before loadKey()
$key->setPassword('secrets');
$ret = $key->loadKey(file_get_contents('/home/tester/.ssh/my_private_key'));
if (!$ret) {
    echo "loadKey failed\n";
    exit;
}

// public-key authentication with the loaded key object
if (!$ssh->login('ubuntu', $key)) {
    print_r($ssh->errors);
    exit("Login Failed\n");
}

echo $ssh->exec('pwd');
echo $ssh->exec('ls -la');

I did ssh-agent -d /home/tester/.ssh/my_private_key (to force it to prompt me), then used ssh on the commandline, and it worked. And if I skip setting a password, the loadKey() returns false.

So, now I'm wondering if the type of key is not supported? The "bad" key starts like this:

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A541E5B6B9077483BCEF845

YMMV4.....

whereas the "good" keys start with:

-----BEGIN RSA PRIVATE KEY-----
YMMVgIBab54...

I found this question where the Proc-Type and DEK-Info appear to be fine, but his is RSA, not DSA. So is DSA the problem? (But if so, shouldn't phpseclib have complained when I tried to do loadKey()?)

Any suggestions about how I can get more information on the problem? (Without posting the actual keys here!)

Darren Cook
  • What version of phpseclib are you using? Also, OpenSSH will normally error out unless `/home/tester/.ssh/my_private_key` has 700 permissions, so unless phpseclib is running as user `tester` it might not be able to read the key. Is `file_get_contents` able to read the key? – neubert Aug 08 '14 at 19:29
  • @neubert Good idea, but that is fine (the working and not-working keys have the same 0400 permissions, under the .ssh of the user running the script). – Darren Cook Aug 08 '14 at 19:53
  • P.S. Latest phpseclib: 0.3.7 – Darren Cook Aug 08 '14 at 19:54

2 Answers


To answer the "how to troubleshoot" part of my question, you can add define('NET_SSH2_LOGGING', NET_SSH2_LOG_COMPLEX); just before creating your Net_SSH2 object. Then just before exiting do file_put_contents("ssh.log",$ssh->getLog()); (or echo $ssh->getLog()). This makes a log of every byte sent to the remote server, and every byte received. (The full modified script is below.)

Unfortunately, you'd have to be a domain expert to use this to recognize the problem as using a DSA key when only RSA is supported. However, for other problems this troubleshooting approach might be just what you need.

include('Net/SSH2.php');
include('Crypt/RSA.php');

// must be defined before the Net_SSH2 object exists, so the key exchange is logged too
define('NET_SSH2_LOGGING', NET_SSH2_LOG_COMPLEX);
$ssh = new Net_SSH2('10.1.2.3', /*port*/999);
$key = new Crypt_RSA();

$key->setPassword('secrets');
$ret = $key->loadKey(file_get_contents('/home/tester/.ssh/my_private_key'));
if (!$ret) {
    echo "loadKey failed\n";
    // dump the log of every byte sent and received so far before leaving
    file_put_contents("ssh.log", $ssh->getLog());
    exit;
}

if (!$ssh->login('ubuntu', $key)) {
    print_r($ssh->errors);
    file_put_contents("ssh.log", $ssh->getLog());
    exit("Login Failed\n");
}

echo $ssh->exec('pwd');
echo $ssh->exec('ls -la');
file_put_contents("ssh.log", $ssh->getLog());
Darren Cook
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A541E5B6B9077483BCEF845

YMMV4.....

That's a DSA key. phpseclib currently only supports RSA keys. And even if it did support DSA keys you'd probably have to load it with a yet-to-be-written Crypt_DSA - not Crypt_RSA lol

neubert
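As an added example that is not part of the question, either answer, or phpseclib itself: a small PHP helper that checks, before any `loadKey()` call, the two things raised on this page, whether the key file is readable by the PHP process (neubert's comment about permissions) and what the PEM header says about key type and passphrase protection (the DSA-vs-RSA point of neubert's answer). The function name `inspectPrivateKey()` and the keys of the array it returns are names chosen for this example; the key file it runs on at the bottom is constructed from the header shown in the question with filler in place of key material.

```php
<?php
// Added example (not code from the question, the answers or phpseclib).
// Reads the PEM header of a private key file and reports in plain words
// why Crypt_RSA::loadKey() is likely to return false, instead of leaving
// the reader with a bare "false" or SSH_MSG_USERAUTH_FAILURE.

function inspectPrivateKey($path)
{
    $info = array(
        'readable'  => false,
        'type'      => null,    // 'RSA', 'DSA', 'EC', 'OPENSSH' or 'PKCS8'
        'encrypted' => false,
        'cipher'    => null,    // cipher named in a DEK-Info header, if any
        'problems'  => array(), // human-readable reasons loadKey() may fail
    );

    // neubert's comment: if the PHP process cannot read the file,
    // file_get_contents() returns false and loadKey() fails on empty input.
    if (!is_readable($path)) {
        $info['problems'][] = "$path is missing or not readable by the PHP process";
        return $info;
    }
    $info['readable'] = true;
    $pem = file_get_contents($path);

    // Traditional PEM headers name the algorithm ("BEGIN RSA/DSA/EC PRIVATE KEY").
    // PKCS#8 ("BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY") keeps it in the body.
    if (!preg_match('/^-----BEGIN (ENCRYPTED )?(?:([A-Z0-9]+) )?PRIVATE KEY-----/m', $pem, $m)) {
        $info['problems'][] = 'no "-----BEGIN ... PRIVATE KEY-----" header found';
        return $info;
    }
    if (!empty($m[1])) {               // -----BEGIN ENCRYPTED PRIVATE KEY-----
        $info['type'] = 'PKCS8';
        $info['encrypted'] = true;
    } elseif (!empty($m[2])) {         // -----BEGIN RSA PRIVATE KEY----- etc.
        $info['type'] = $m[2];
    } else {                           // -----BEGIN PRIVATE KEY-----
        $info['type'] = 'PKCS8';
    }

    // Passphrase protection of a traditional PEM key is signalled by the
    // Proc-Type / DEK-Info lines seen on the question's DSA key.
    if (preg_match('/^Proc-Type: 4,ENCRYPTED/m', $pem)) {
        $info['encrypted'] = true;
        if (preg_match('/^DEK-Info: ([A-Za-z0-9-]+),/m', $pem, $d)) {
            $info['cipher'] = $d[1];
        }
    }

    // As the answer states, phpseclib 0.3.x only ships Crypt_RSA, so any other
    // key type fails in loadKey() regardless of whether the passphrase is right.
    if (in_array($info['type'], array('DSA', 'EC', 'OPENSSH'), true)) {
        $info['problems'][] = "key type is {$info['type']}; Crypt_RSA::loadKey() only accepts RSA keys";
    } elseif ($info['type'] === 'PKCS8') {
        $info['problems'][] = 'PKCS#8 header does not name the algorithm; only an RSA key inside it will load';
    }
    return $info;
}

// Demonstration on a constructed key file: header lines copied from the
// question, the base64 body is filler rather than real key material.
$samplePem = "-----BEGIN DSA PRIVATE KEY-----\n"
    . "Proc-Type: 4,ENCRYPTED\n"
    . "DEK-Info: DES-EDE3-CBC,A541E5B6B9077483BCEF845\n"
    . "\n"
    . "YMMV4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    . "-----END DSA PRIVATE KEY-----\n";
$tmp = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($tmp, $samplePem);
chmod($tmp, 0400);    // same mode the question reports for the real key

$info = inspectPrivateKey($tmp);
unlink($tmp);

printf("type=%s encrypted=%s cipher=%s\n",
    $info['type'], $info['encrypted'] ? 'yes' : 'no', $info['cipher'] ?: '-');
foreach ($info['problems'] as $p) {
    echo "problem: $p\n";
}
```

Running this on the constructed file reports a DSA key, passphrase-protected with DES-EDE3-CBC, and a single problem line naming the type mismatch; run against the question's working keys it would report RSA and no problems. Calling it right before `loadKey()` in the script above turns a silent `false` into a message that points at the cause.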