Request #59409 ssh2_auth_pubkey_file() requires both public and private keys
Submitted: 2010-09-09 16:20 UTC Modified: 2017-10-24 06:49 UTC
Votes:6
Avg. Score:3.8 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: ron at roncemer dot com Assigned:
Status: Open Package: ssh2 (PECL)
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None
 [2010-09-09 16:20 UTC] ron at roncemer dot com
Description:
------------
Every other ssh client I've ever dealt with only requires 
the private key to authenticate to a remote server with 
ssh2.

Have a look at the ganymed Java SSH2 library, class name 
ch.ethz.ssh2.Connection, function signature "boolean 
authenticateWithPublicKey(java.lang.String user, 
java.io.File pemFile, java.lang.String password)".  All that 
is needed is the private-key pem file in order to 
authenticate.  I've been using this library for years in 
Java, and it works great.

What is the reason for requiring both the public and private 
keys for authenticating, when in reality only the private 
key is required?  The public key should be easily extracted 
from the private key, and should be handled silently by PHP.

Also, have a look at ganymed Connection class, function 
signature "boolean 
authenticateWithPublicKey(java.lang.String user, char[] 
pemPrivateKey, java.lang.String password)".  This provides a 
way to pass in the private key as an array of char.  In PHP, 
this would be really useful.  You could store your private 
keys in a secured database and use it for all kinds of 
server authentication, automatic deployment, log file 
collection, automation.  The absence of this functionality 
in PHP actually presents a security risk, because to get it 
to work, you'd actually have to write your private key to a 
temp file, then delete the temp file when done.  Not as
secure as reading it from a string which came from a secure 
database.
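
An added example, not part of the original report and not code from the ssh2 extension: it derives the OpenSSH public key line from an RSA private key held in a string, then calls ssh2_auth_pubkey_file() through owner-only temp files that are always removed. The helper names are hypothetical; it assumes ext-openssl, ext-ssh2, an RSA key in PEM form and a session resource from ssh2_connect(). The key still touches disk briefly, which is the limitation the report describes.

```php
<?php
// Added example, not code from the report. Helper names are hypothetical.
// Assumes ext-openssl, ext-ssh2, an RSA key in PEM form, a session from ssh2_connect().

// SSH wire "string": 4-byte big-endian length, then the bytes (RFC 4251).
function ssh_string(string $bytes): string
{
    return pack('N', strlen($bytes)) . $bytes;
}

// SSH wire "mpint": minimal big-endian, zero-prefixed when the top bit is set.
function ssh_mpint(string $bytes): string
{
    $bytes = ltrim($bytes, "\0");
    if ($bytes !== '' && (ord($bytes[0]) & 0x80)) {
        $bytes = "\0" . $bytes;
    }
    return ssh_string($bytes);
}

// Derive the "ssh-rsa AAAA..." public key line from a PEM private key string.
function openssh_public_from_private(string $pem, string $passphrase = ''): string
{
    $key = openssl_pkey_get_private($pem, $passphrase);
    $d = $key ? openssl_pkey_get_details($key) : false;
    if (!$d || $d['type'] !== OPENSSL_KEYTYPE_RSA) {
        throw new RuntimeException('Not a readable RSA private key');
    }
    $blob = ssh_string('ssh-rsa') . ssh_mpint($d['rsa']['e']) . ssh_mpint($d['rsa']['n']);
    return 'ssh-rsa ' . base64_encode($blob) . "\n";
}

// ssh2_auth_pubkey_file() only takes paths, so both halves go to owner-only
// temp files that are removed whether or not authentication succeeds.
function ssh2_auth_with_key_string($session, string $user, string $pem, string $pass = ''): bool
{
    $paths = [];
    try {
        foreach ([openssh_public_from_private($pem, $pass), $pem] as $data) {
            $path = tempnam(sys_get_temp_dir(), 'key');
            if ($path === false) { throw new RuntimeException('tempnam failed'); }
            $paths[] = $path;
            chmod($path, 0600);
            file_put_contents($path, $data);
        }
        return ssh2_auth_pubkey_file($session, $user, $paths[0], $paths[1], $pass);
    } finally {
        array_map('unlink', $paths);
    }
}
```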



 [2012-06-14 07:29 UTC] langemeijer@php.net
-Package: PECL bug system +Package: ssh2 -Assigned To: +Assigned To: langemeijer
 [2012-06-14 07:29 UTC] langemeijer@php.net
You are raising an interesting question. It's because libssh2 (the underlying C 
library) requires a public key file. Although the PHP extension could extract the 
public key from the private key, I'd rather see this solved in libssh2. I'll 
raise this issue with the libssh2 guys.
 [2012-06-20 14:53 UTC] langemeijer@php.net
-Type: Bug +Type: Feature/Change Request
 [2012-06-20 14:53 UTC] langemeijer@php.net
It turns out that libssh2 supports this, but it was undocumented.

It's now a feature request I plan to work on.
 [2012-06-22 05:53 UTC] zelnaga at gmail dot com
That'll be a much needed improvement!

In the meantime, you can use phpseclib - a pure PHP SSH implementation - as a 
workaround, e.g.

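<?php
// Load the phpseclib SSH2 client and RSA key classes.
include('Net/SSH2.php');
include('Crypt/RSA.php');

$ssh = new Net_SSH2('www.domain.tld');
$key = new Crypt_RSA();
// Only the private key is loaded; no separate public key file is needed.
$key->loadKey(file_get_contents('privatekey'));
if (!$ssh->login('username', $key)) {
    exit('Login Failed');
}

// Run commands on the remote host and print their output.
echo $ssh->exec('pwd');
echo $ssh->exec('ls -la');
?>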
 [2017-10-24 06:49 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: langemeijer +Assigned To:
 
Last updated: Wed Dec 04 08:01:29 2024 UTC