efs2
efs2 does not accept encrypted private keys
With passphrase on key:
efs2 -i /Users/hbokh/.ssh/id_rsa -v -u root hostname.home
Unable to setup SSH client configuration - Unable to read private key file - ssh: cannot decode encrypted private keys
With empty passphrase on key (host was down hence the other errors):
efs2 -i /Users/hbokh/.ssh/id_rsa_nopassphrase -v -u root hostname.home
linux008.internal:22: Executing task 0 - RUN CMD apt-get update
linux008.internal:22: Error connecting to host - dial tcp 192.168.1.1:22: getsockopt: operation timed out
linux008.internal:22: Error executing command - dial tcp 192.168.1.1:22: getsockopt: operation timed out
Since I only use passphrased keys, this is somewhat of a showstopper for me... Can this be fixed?
@hbokh it looks like there is certainly support for Passphrase Protected keys in the Go SSH Library. https://godoc.org/golang.org/x/crypto/ssh#ParseRawPrivateKeyWithPassphrase
I'm thinking ideally it should detect the supplied key is protected and ask the user to enter the passphrase before starting the execution. I'll try to add this over the weekend.
Turns out it wasn't too bad at all. You should be able to get the fixed version doing a go get now.
$ go get -u github.com/madflojo/efs2
Thanks! However... it is indeed asking for a passphrase now, but it still only works with a passphrase-less key...
Hrm, interesting. Can you share what you're seeing, as the below example worked on my end?
$ efs2 -v -i id_rsa -u user example.bencane.com
Enter Private Key Passphrase:
example.bencane.com:22: Executing task 0 - RUN CMD ls -la /tmp
example.bencane.com:22: Task Output
example.bencane.com:22: ------------------------
example.bencane.com:22: total 120
example.bencane.com:22: drwxrwxrwt 3 root root 4096 Jan 7 08:44 .
example.bencane.com:22: drwxr-xr-x 22 root root 4096 Dec 8 15:29 ..
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:39 053970708
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:27 111992274
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:15 189609246
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:51 307595334
example.bencane.com:22: -rwx------ 1 root root 24 Dec 24 12:59 384306457
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:11 406854451
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:09 491983272
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:27 519330945
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:20 529507386
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:17 616086150
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:26 661259181
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:52 681483039
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 05:19 6uTBln
example.bencane.com:22: -rwx------ 1 root root 24 Dec 25 04:40 701644866
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 05:11 7Iz0OX
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 05:38 BFVkJR
example.bencane.com:22: -rwx------ 1 root root 1386 Dec 12 07:51 clsQmh
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 05:32 ELvACW
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 05:10 EPNXKB
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 05:38 ExfIg0
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 05:10 fMJjl2
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 05:19 gZRkOh
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 05:11 HP1XDH
example.bencane.com:22: -rwx------ 1 root root 1386 Jan 3 04:36 KGgnVe
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 05:32 PaN21P
example.bencane.com:22: drwxr-xr-x 2 root root 4096 Dec 8 15:30 pip_build_root
example.bencane.com:22: -rwx------ 1 root root 2044 Dec 12 07:51 sAZvoR
example.bencane.com:22: -rwx------ 1 root root 2044 Jan 3 04:36 zAmOMD
example.bencane.com:22:
example.bencane.com:22: ------------------------
Sure. FYI I'm on macOS (10.13.2) with go version go1.9.2 darwin/amd64
efs2 -v -i /Users/hbokh/.ssh/id_rsa -u hbokh hostname.home
Enter Private Key Passphrase:
Unable to setup SSH client configuration - Unable to read private key file - ssh: cannot decode encrypted private keys
Interesting, is that a new key or an existing? Can you try creating a new one? The one I tested was a simple rsa key with a passphrase.
That is an existing 4096 bit key, generated with ssh-keygen -t rsa -b 4096 -o -a 100.
Now if I create another key with just ssh-keygen (without options) it is indeed asking for the passphrase and running the Efs2file.
So the issue is with my key(s). Good to know for future issues.
I am suspicious that it is something to do with the size of key. I think the default size is 2048, so I’m going to see if I can duplicate this.
Edit: Tested it and 4096 keys work great.
Most of my SSH-keys are generated with the -o option: "the new OpenSSH format rather than the more compatible PEM format."
Go's func ParseRawPrivateKeyWithPassphrase can only check a PEM encoded private key.
Yup I just found the open issue for it in Go's issue tracker: golang/go#18692
I'm going to leave this open until that's fixed, as it doesn't really work until it fully works.
BTW thanks for testing and reporting this! Super helpful and it led to a cool new feature.
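The format difference this thread ends on, as an added example that is not part of the original issue or of efs2's code: a standard-library-only Go check that tells a legacy PEM key from an ssh-keygen -o key and reports whether each is passphrase protected, without decrypting anything. The names classifyKey, readString and sampleOpenSSH are hypothetical, and the sample key is a constructed header with no key material in it.

```go
package main

import (
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const opensshMagic = "openssh-key-v1\x00" // starts the body of an -o format key

// readString decodes one SSH wire string: uint32 big-endian length, then bytes.
func readString(s string) (string, error) {
	if len(s) < 4 || uint64(binary.BigEndian.Uint32([]byte(s))) > uint64(len(s)-4) {
		return "", errors.New("truncated SSH string")
	}
	return s[4 : 4+binary.BigEndian.Uint32([]byte(s))], nil
}

// classifyKey reports the container format of a private key file and whether
// it is passphrase protected, without touching the key material itself.
func classifyKey(data []byte) (string, bool, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", false, errors.New("no PEM block found")
	}
	switch block.Type {
	case "OPENSSH PRIVATE KEY": // ssh-keygen -o; the cipher name follows the magic
		cipher, err := readString(strings.TrimPrefix(string(block.Bytes), opensshMagic))
		if err != nil || !strings.HasPrefix(string(block.Bytes), opensshMagic) {
			return "", false, errors.New("malformed openssh-key-v1 container")
		}
		return "openssh-v1", cipher != "none", nil
	case "ENCRYPTED PRIVATE KEY": // PKCS#8 encrypted container
		return "pkcs8", true, nil
	default: // legacy PEM such as "RSA PRIVATE KEY"; encryption is flagged in a header
		return "pem", strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"), nil
	}
}

// sampleOpenSSH builds a constructed openssh-key-v1 header with no real key in it.
func sampleOpenSSH(cipher string) []byte {
	body := append([]byte(opensshMagic), 0, 0, 0, byte(len(cipher)))
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: append(body, cipher...)})
}

func main() {
	fmt.Println(classifyKey(sampleOpenSSH("aes256-ctr"))) // openssh-v1 true <nil>
}
```

Running a check like this before prompting lets a tool say that the key is in a format its parser cannot decrypt, instead of asking for a passphrase and then failing with "cannot decode encrypted private keys".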