[Bug 3190] Inconsistent handling of private keys without accompanying public keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jul 17 18:00:02 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3190

--- Comment #6 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Damien Miller from comment #5)
> Created attachment 3428 [details]
> attempt to load public key from passphraseless private keys
> 
> PEM doesn't include the public key in encrypted private keys'
> cleartext though, right?

right.

> IMO we could load passphrase-free keys, but we should remove their
> private elements immediately after loading.

Right. That was the idea and I think the only missing bit.

But I got a bit confused since I had old openssh installed and the
handling of the new format was already in master.

Your patch works fine after fixing two minor nits:


 {
        char *pubfile = NULL, *privcmt = NULL;
        int r, oerrno;
-       struct sshkey *privkey;
+       struct sshkey *privkey = NULL;

        if (keyp != NULL)
                *keyp = NULL;
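Review bot: the `= NULL` initialisation of `privkey` only matters if the function frees `privkey` on a path reached when `sshkey_load_private` failed and never assigned it; if cleanup does `sshkey_free(privkey)`, that is also the point where the private elements discussed in comment #5 get discarded, so check that it runs on the success path right after `sshkey_from_private` has produced the public half, not only on error.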


         */
        if ((r = sshkey_load_private(filename, "", &privkey, &privcmt))
== 0) {
                if ((r = sshkey_from_private(privkey, keyp)) == 0) {
-                       if (commentp != NULL)
+                       if (commentp != NULL) {
                                *commentp = privcmt;
                                privcmt = NULL; /* transferred */
                        }
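Review bot: the added `{` is what makes the `/* transferred */` line conditional: without it `privcmt = NULL;` ran whenever `sshkey_from_private` succeeded, so a caller passing `commentp == NULL` lost the only pointer to the comment before cleanup could free it. With the brace, `privcmt` stays set in that case and relies on the cleanup path (outside the visible hunk) to free it; confirm it does.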


The only ugly corner case is the removal of a key from ssh-agent, which
still fails with a cryptic error if the key is an encrypted PEM missing
the sidecar public key:

    $ ssh-add -d /tmp/rsa
    Bad key file /tmp/rsa: No such file or directory

Otherwise it looks good.
