Page MenuHomePhabricator

Perform a more sophisticated test for private keys with credentials
AbandonedPublic

Authored by epriestley on Nov 11 2019, 7:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Mar 14, 5:31 AM
Unknown Object (File)
Wed, Mar 6, 1:50 AM
Unknown Object (File)
Feb 3 2024, 11:26 PM
Unknown Object (File)
Jan 8 2024, 11:19 AM
Unknown Object (File)
Dec 18 2023, 12:46 AM
Unknown Object (File)
Dec 16 2023, 2:14 AM
Unknown Object (File)
Nov 29 2023, 11:55 PM
Unknown Object (File)
Nov 25 2023, 10:49 PM
Subscribers
None

Details

Summary

Ref T13454. Ref T13123. Ref T13006. We currently test if a private key has a password by looking for the text "ENCRYPTED" in the key body. This test is obviously unsophisticated, and can not identify all keys with passphrases.

Modern keys with passphrases look like this:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvWlhrGB
...
BMtSyiq+AScOPPbrkMZzOdqbo97JyO3hMe8Ha8bhuclZiM0qWg
-----END OPENSSH PRIVATE KEY-----

Instead, detect that a key has a passphrase by changing the passphrase from "" (the empty string) to "" (the empty string). If this works: no passphrase. If it fails, assume that indicates it's a passphrase protected key (although it could indicate that it's just a bad key).

There's another technique here with SSH_ASKPASS=... but:

  • I couldn't get that to work at all; and
  • I couldn't come up with a simple way to determine that our ASKPASS binary has been invoked, to improve our confidence that we're geninely detecting a private key with a password.
Test Plan

Uploaded a modern private key with a password; saw it detect properly.

Diff Detail

Repository
rP Phabricator
Branch
ssh1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 23652
Build 32514: Run Core Tests
Build 32513: arc lint + arc unit