
Perform a more sophisticated test for private keys with credentials
Abandoned, Public

Authored by epriestley on Mon, Nov 11, 7:19 PM.

Details

Summary

Ref T13454. Ref T13123. Ref T13006. We currently test if a private key has a password by looking for the text "ENCRYPTED" in the key body. This test is obviously unsophisticated, and cannot identify all keys with passphrases.

Modern keys with passphrases look like this:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvWlhrGB
...
BMtSyiq+AScOPPbrkMZzOdqbo97JyO3hMe8Ha8bhuclZiM0qWg
-----END OPENSSH PRIVATE KEY-----

Instead, detect that a key has a passphrase by changing the passphrase from "" (the empty string) to "" (the empty string). If this works: no passphrase. If it fails, assume that indicates it's a passphrase-protected key (although it could indicate that it's just a bad key).

There's another technique here with SSH_ASKPASS=... but:

  • I couldn't get that to work at all; and
  • I couldn't come up with a simple way to determine that our ASKPASS binary has been invoked, to improve our confidence that we're genuinely detecting a private key with a password.

Test Plan

Uploaded a modern private key with a password; saw it detect properly.

Diff Detail

Repository
rP Phabricator
Branch
ssh1
Lint
Lint OK
Unit
Unit Tests OK
Build Status
Buildable 23652
Build 32514: Run Core Tests
Build 32513: arc lint + arc unit

Event Timeline

epriestley created this revision. Mon, Nov 11, 7:19 PM
epriestley requested review of this revision. Mon, Nov 11, 7:21 PM
epriestley abandoned this revision. Wed, Nov 13, 5:45 PM

I have a fancier version of this in the works.
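
A different check from the one this revision implements, added here as an example (not Phabricator's code and not the author's approach): instead of running ssh-keygen, read the cipher-name field of the openssh-key-v1 container, which also separates a malformed key from a passphrase-protected one. The function and sample names are hypothetical, and the samples are constructed headers with no key material; the encrypted one reuses the opening characters of the key shown in the summary.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"  # container magic, NUL-terminated

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(pem_text):
    """True if passphrase-protected, False if not; ValueError if malformed."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label != "OPENSSH PRIVATE KEY":
        # Legacy PEM and PKCS#8 keys do carry a textual marker.
        return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    raw = base64.b64decode("".join(body.split()))
    if not raw.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(raw, len(MAGIC))
    _read_string(raw, off)  # kdfname must be present and well-formed
    return cipher != b"none"

def _wrap(b64_body, label="OPENSSH PRIVATE KEY"):
    return f"-----BEGIN {label}-----\n{b64_body}\n-----END {label}-----\n"

# Constructed samples: headers only, no key material.
# First 52 base64 characters of the key shown above (magic, cipher, KDF).
ENCRYPTED_SAMPLE = _wrap("b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0")
_none = struct.pack(">I", 4) + b"none"
PLAIN_SAMPLE = _wrap(base64.b64encode(MAGIC + _none + _none).decode())
LEGACY_SAMPLE = _wrap("Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA",
                      "RSA PRIVATE KEY")

if __name__ == "__main__":
    for name in ("ENCRYPTED_SAMPLE", "PLAIN_SAMPLE", "LEGACY_SAMPLE"):
        print(name, key_is_encrypted(globals()[name]))
```

The encrypted sample decodes to the cipher name aes256-ctr and the KDF name bcrypt, and the word "ENCRYPTED" appears nowhere in it, which is why the text search misses keys in this format.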