Bug#815724: libnet-ssh2-perl: Public key authentication fails when key generated with -a
Francois Gouget
fgouget at free.fr
Wed Feb 24 03:53:30 UTC 2016
Package: libnet-ssh2-perl
Version: 0.58-3
Severity: normal
Dear Maintainer,
If multiple KDF rounds were used for the key's passphrase, then libnet-ssh2-perl will
incorrectly claim the password is wrong (even if there is no password, though that last
case is probably a bit moot).
To reproduce, use the attached Perl script and follow these steps:
$ ssh-keygen -a 100
Enter file in which to save the key (/home/fgouget/.ssh/id_rsa): id_rsa_a100
Enter passphrase (empty for no passphrase): password
Enter same passphrase again: password
Your identification has been saved in id_rsa_a100.
Your public key has been saved in id_rsa_a100.pub.
$ ssh-copy-id -i id_rsa_a100 localhost
$ ./pssh localhost id_rsa_a100 password
username=[fgouget]
hostname=[localhost]
port=[22]
publickey=[/home/fgouget/.ssh/id_rsa_a100.pub]
privatekey=[/home/fgouget/.ssh/id_rsa_a100]
password=[password]
auth_publickey failed: <-19|LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED|Callback returned error>
Net::SSH2::DESTROY object 0x14ce7b0
It's also possible the bug is in fact in the underlying libssh2 library.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libnet-ssh2-perl depends on:
ii libc6 2.21-7
ii libgcrypt20 1.6.5-2
ii libssh2-1 1.5.0-2+b1
ii perl 5.22.1-7
ii perl-base [perlapi-5.22.1] 5.22.1-7
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages libnet-ssh2-perl recommends:
ii libterm-readkey-perl 2.33-1+b1
libnet-ssh2-perl suggests no packages.
-- no debconf information
-------------- next part --------------
#!/usr/bin/perl -w
use strict;
use Net::SSH2;

# Parse [username@]hostname[:port] from the first argument.
if (!defined $ARGV[0] or
    $ARGV[0] !~ /(?:([^@]*)@)?([^:]*)(?::([0-9]*))?/)
{
    print "Usage: pssh [username\@]hostname[:port] [keyname] [password]\n";
    exit 1;
}
my ($username, $hostname, $port) = ($1, $2, $3);
$username ||= $ENV{USER};
$port ||= 22;

# Use the first key pair that exists in ~/.ssh: the key named on the
# command line, then id_rsa, then id_dsa.
my ($publickey, $privatekey);
foreach my $key ($ARGV[1], "id_rsa", "id_dsa")
{
    if (defined $key and -f "$ENV{HOME}/.ssh/$key.pub" and
        -f "$ENV{HOME}/.ssh/$key")
    {
        $publickey = "$ENV{HOME}/.ssh/$key.pub";
        $privatekey = "$ENV{HOME}/.ssh/$key";
        last;
    }
}
# Stop here rather than passing undefined paths to auth_publickey.
defined $publickey
    or die "no usable key pair found in $ENV{HOME}/.ssh\n";
my $password = $ARGV[2] || "";

# Show the parameters that will be used for the connection.
print "username=[$username]\n";
print "hostname=[$hostname]\n";
print "port=[$port]\n";
print "publickey=[$publickey]\n";
print "privatekey=[$privatekey]\n";
print "password=[$password]\n";

my $ssh2 = Net::SSH2->new();
$ssh2->connect($hostname, $port)
    or die "connect failed: <", join("|", $ssh2->error), ">\n";
# Turn on debug output before authenticating.
$ssh2->debug(1);
$ssh2->auth_publickey($username, $publickey, $privatekey, $password)
    or die "auth_publickey failed: <", join("|", $ssh2->error), ">\n";
print "The authentication worked!!!\n";

# Run a simple command over a channel to confirm the session is usable.
my $chan1 = $ssh2->channel();
$chan1->blocking(1);
$chan1->exec('hostname');
my $buf;
$chan1->read($buf, 100);
print "Got: $buf\n";
$chan1->close;