Can't connect using SFTP with a pwd protected key file

Notes, tips, and other useful things on how to use LogMX

Moderator: admin

nexbit
Posts: 2
Joined: Wed Oct 17, 2018 5:16 pm

Can't connect using SFTP with a pwd protected key file

Post by nexbit » Wed Oct 17, 2018 5:25 pm

Hi
I'm evaluating LogMX, and trying to connect to several remote linux boxes using SFTP.

I added two user accounts in the Network tab in the options, and one of them is working fine, while the other keeps failing.
The difference between the two is that the working one has a private key file WITHOUT a password set, while the other has a password.
When I try to browse the remote machine using the latter account, LogMX asks me for the key file password, and despite entering it correctly, it fails with an "invalid login/password" error.

I'm on an OSX 10.12 machine, and both keys are RSA keys that work without any issues with every SSH client I tried before.

Please advise if there's something else I can try, or if there are known issues with pwd protected RSA key files.

Thx
Paolo

admin
Site Admin
Posts: 506
Joined: Sun Dec 17, 2006 10:30 pm

Re: Can't connect using SFTP with a pwd protected key file

Post by admin » Thu Oct 18, 2018 2:35 am

Hello Paolo,

How did you generate your private key file? Which key size did you use? I just tried with Ubuntu 18 ("ssh-keygen" in command line, with the default key size of 2048), LogMX was able to connect using the passphrase-protected private key.

Also: if you have entered a passphrase in LogMX options>network, then please be careful if later on LogMX is asking for a "password" or a "passphrase": indeed, how SSH works is that if you present a wrong private key passphrase, your client will then try to connect using the Password method instead of the PrivateKey method. So if you have entered a wrong file passphrase in Options, then LogMX will actually ask you for the "password" to connect *without* this Private Key; it doesn't ask you to re-type your PK passphrase. So please make sure you typed the right PK passphrase in Options>Network (or simply don't type any passphrase so that LogMX can ask you to enter it later). And also make sure to check if LogMX is asking for a "private key passphrase" or a "password" (text in the displayed dialog).

Please let me know if you still have issues (these authentication methods can be confusing sometimes!)
Xavier

nexbit
Posts: 2
Joined: Wed Oct 17, 2018 5:16 pm

Re: Can't connect using SFTP with a pwd protected key file

Post by nexbit » Thu Oct 18, 2018 8:56 am

Hi Xavier, thanks for taking the time to reply.

The private key has been generated on macOS (OSX) using a command like `openssl genrsa -des3 -out my.key 2048`, and it's the key I use to admin several linux boxes via SSH. I use it with several other tools, besides the ssh client, and I never had issues with it.

I tried several things in LogMX, both entering the key passphrase in the options, and leaving it blank so that LogMX could ask me the pass on every connection. In the former case the connection fails immediately, because password-based login is disabled on the target host, while in the latter the connection fails after entering the key passphrase. I tried both copying and pasting the password and typing it in the prompt box, but with no luck.
I cannot re-generate this key ATM, because I'd need to reconfigure too many tools, and I have no spare time to do this now...
If I remove the protection from the private key file, LogMX is able to connect, but this should not be the "solution".

Thx for your support,
P.

admin
Site Admin
Posts: 506
Joined: Sun Dec 17, 2006 10:30 pm

Re: Can't connect using SFTP with a pwd protected key file

Post by admin » Fri Oct 19, 2018 2:46 am

Hello,

I agree that a private key file shouldn't be used without a passphrase.
I just tried on macOS 10.13.3 with LogMX v7.3.0, and it worked fine with a passphrase-protected PK file generated with "openssl genrsa -des3 -out my.key 2048". So I'm not sure what is going on, could you please let me know which macOS/OpenSSL/LogMX versions you are using? And also the headers of your private key (please make sure you don't paste the full content, for your own security). On my side, I have:

```
xavier@xaviers-mbp:PK openssl version
LibreSSL 2.2.7
xavier@xaviers-mbp:PK cat my.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2A8B4A462B473B56

SWC4Z2kyBu4k2YAaTURXsM9l7ZR6TYww5STARIlBm8iHLLhR8t4seLCd6+5ZT0Eo
..............................
```

Also, I understand that you cannot re-generate this key, but it's common to have multiple keys: in your "~/.ssh/authorized_keys" file on your SSH server, you can add one public key per line, so if you want/can, you could try to generate a new key pair (maybe with something else like ssh-keygen from your box or any other box, just to make sure).

You may also want to have a look at LogMX internal logs: by default they are located in files "LogMX-*.log" in your home directory, you can check which authentication methods are attempted and the results:

```
18/10/18 22:44:14.093 [INFO] (com.lightysoft.logmx.SSH) Authentications that can continue: publickey,keyboard-interactive,password
18/10/18 22:44:14.093 [INFO] (com.lightysoft.logmx.SSH) Next authentication method: publickey
18/10/18 22:44:21.257 [INFO] (com.lightysoft.logmx.SSH) Authentications that can continue: password
18/10/18 22:44:21.257 [INFO] (com.lightysoft.logmx.SSH) Next authentication method: password
18/10/18 22:44:28.483 [INFO] (com.lightysoft.logmx.SSH) Login trials exceeds 2
18/10/18 22:44:28.484 [INFO] (com.lightysoft.logmx.SSH) Disconnecting from 127.0.0.1 port 22
```

Please let me know how it goes.

Xavier
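Added example (not part of the thread and not LogMX code): a way to report a private key file's container format and cipher, as requested in the post above, without ever printing the key body. The function name `key_header_summary` and the dummy key body are constructed for illustration.

```python
import re

# Constructed sample: the header lines quoted in the thread, with a dummy body.
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2A8B4A462B473B56

CONSTRUCTEDplaceholderBODYnotArealKEY0000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def key_header_summary(pem_text):
    """Return only non-secret metadata of a PEM private key (hypothetical helper)."""
    label, headers = None, {}
    lines = pem_text.splitlines()
    for i, line in enumerate(lines):
        m = BEGIN_RE.match(line.strip())
        if m:
            label = m.group(1)
            # RFC 1421-style headers run from the BEGIN line to the first
            # line without a colon (blank line or base64 body).
            for hdr in lines[i + 1:]:
                if ":" not in hdr:
                    break
                name, value = hdr.split(":", 1)
                headers[name.strip()] = value.strip()
            break
    if label is None:
        raise ValueError("no PEM BEGIN line found")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    if label == "OPENSSH PRIVATE KEY":
        fmt, encrypted = "OpenSSH", None   # cipher name is inside the body
    elif label == "ENCRYPTED PRIVATE KEY":
        fmt, encrypted = "PKCS#8", True
    elif label == "PRIVATE KEY":
        fmt, encrypted = "PKCS#8", False
    elif label.endswith(" PRIVATE KEY"):   # e.g. "RSA PRIVATE KEY"
        fmt = "traditional PEM"
        encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
    else:
        raise ValueError("not a private key: " + label)
    return {"label": label, "format": fmt, "encrypted": encrypted, "cipher": cipher}

if __name__ == "__main__":
    print(key_header_summary(SAMPLE_KEY))
```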
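Added example (not part of the thread and not LogMX code): a parser for the log lines quoted in the post above that reconstructs which authentication methods were attempted and flags a fall-back from publickey to password, the case where the next prompt is for the account password and not the key passphrase. The function names are hypothetical, and the script relies only on the three message types visible in that excerpt.

```python
import re

# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG = """\
18/10/18 22:44:14.093 [INFO] (com.lightysoft.logmx.SSH) Authentications that can continue: publickey,keyboard-interactive,password
18/10/18 22:44:14.093 [INFO] (com.lightysoft.logmx.SSH) Next authentication method: publickey
18/10/18 22:44:21.257 [INFO] (com.lightysoft.logmx.SSH) Authentications that can continue: password
18/10/18 22:44:21.257 [INFO] (com.lightysoft.logmx.SSH) Next authentication method: password
18/10/18 22:44:28.483 [INFO] (com.lightysoft.logmx.SSH) Login trials exceeds 2
18/10/18 22:44:28.484 [INFO] (com.lightysoft.logmx.SSH) Disconnecting from 127.0.0.1 port 22
"""

# "<date> <time> [LEVEL] (logger) message"
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] \(([\w.]+)\) (.*)$")

def auth_timeline(log_text, logger="com.lightysoft.logmx.SSH"):
    """Return (attempts, trials_exceeded) for the SSH logger's lines."""
    remaining, attempts, trials_exceeded = [], [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) != logger:
            continue                      # other loggers or malformed lines
        ts, msg = m.group(1), m.group(4)
        if msg.startswith("Authentications that can continue:"):
            remaining = msg.split(":", 1)[1].strip().split(",")
        elif msg.startswith("Next authentication method:"):
            attempts.append({"time": ts,
                             "method": msg.split(":", 1)[1].strip(),
                             "remaining": list(remaining)})
        elif msg.startswith("Login trials exceeds"):
            trials_exceeded = True
    return attempts, trials_exceeded

def diagnose(log_text):
    """Summarise the attempt order and flag a publickey -> password fall-back."""
    attempts, trials_exceeded = auth_timeline(log_text)
    methods = [a["method"] for a in attempts]
    fell_back = ("publickey" in methods and "password" in methods
                 and methods.index("publickey") < methods.index("password"))
    return {"methods": methods,
            "fell_back_to_password": fell_back,
            "trials_exceeded": trials_exceeded}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```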
