Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

problems with private key authentication #62

Open
poccari opened this issue Oct 11, 2023 · 3 comments
Open

problems with private key authentication #62

poccari opened this issue Oct 11, 2023 · 3 comments
Assignees
Labels
question Further information is requested

Comments

@poccari
Copy link

poccari commented Oct 11, 2023

I'm trying to get public/private key authentication working with this library. Not sure if this is an issue, or likely an issue with the user (me).

I can successfully get it working with username/password combination, however having issues with private key.
I have a server which has the public key saved in its authorized_keys file, and I can ssh successfully from the cRIO to the server using this keyfile from the a command prompt on the cRIO (i.e. ssh -i privateKeyName user@serverIP).
However when I use the public key data, or public key file methods in this library, I get an authentication error.

Error -8121 occurred at Field_RnD_Services_LIBSSH2_Toolkit.lvlib:Session.lvclass:Public Key Memory Authentication.vi

Possible reason(s):

[Authentication Error]

I generated the public/private key pair just using:

ssh-keygen -f

and then I put the public key info into the authorised_keys file on the test server.

are the files generated by ssh-keygen the correct format that this library is expecting?

The format for each key file is the following:
I'm only using this for testing, so I'm not that concerned about teh secrecy of the content of these files, but here's what the contents of my keyfiles are the following:

Private key:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtks0aAdJbMPQ8N5vSzC568SfrPjXELsofPn33jrcHvZ0MLMr
cR71xSL/mYDQZEC2QWhO/YMIpmKPE+yIHJJ7AQJ9gRmbOiqzLZ8O/EQUXSJbP3MB
7AlihpYMy30zIUg9DL3/Qxx1cOwXYQL8IvkBSb9FnteyszpbDYk3rJxlbrmswRzY
f7IflVfweel/FxKwLiYdhEiLVY+IORf1gfxAdpG5L6A9lYtwlRLPMG09Nb3OeTLp
dAwtcYBNF2ypIioOx0+jpQcReGxhUPwJ8rqY/uAO7hRBSU8FnFrPOvfSR9vmtT/w
wSeG/SA1obaUBtKYq9g3GoowNyN7qnnS1ikQWwIDAQABAoIBAG2IxMWZU0oyYxLI
ZRFGBwEe1V8m6ntYKhzmSkTTEz7bkbdNgVXoZ37755+B4jXLGHg2x/fWS1VGtXgg
USzx600RBP6Ut0v9KkrIX0W/Vokbwr5eSZJdlUEPWkLPSPC/qkdExuO5buvaQLX/
CCevfVGlx5yJOQwujVWV1Mk39E7R6AeTzP1JL+X2Hqq4aMAK6rDBPtC1CkKduG9t
xWCynj1g13vqGIYaLVtI9e0eF3YFOZILEoNnHJfaufaKKj6zfRjLcXLXkg2hSEsB
pSCtefi93UtnP/sVARczWVxjfgpiYRn+oz/3cosdt2PIpzJ9djkSlY2Lp6ll1mDW
zrZbPlECgYEA6fOg3X2whIPK/krvrloopmQaurTsbC9mBB1xwgmfSTZIzO4uUWc+
hJ2QcaS+8QduIpdNnDJ3w4uAhyT7PzVJAD7rZmECTqDkbvfqsdoctr2QD01He/AN
py3NT6lMx/KFIZJ3Awq9fPK/Z+szJ0Jv7NMVAX7nc7X5+Mz0pwwJQvMCgYEAx3lE
EZ++XY5KTQqfRh9LftCGvMN9dxOLLDHriOH/KhNMQ+cZDVPqsj36K2xIAHHCp+2X
2+94DoCLJ3+LeIv4twdJQJygSJCO6N/LGcoHlAIwhv7EaiocWFAqHxp80o5jau7e
w3qF7MULR9Rg3AyPmd5Bz5aLSuuFREhyPJzlxvkCgYA8RoW6qyhwa9g//iSUgiwY
+o+cbQLAuNGK2980Q/BjF3ZYPkF2vafw2PufG/gJ94UbqmnXhXUvz2BU8WU+Gsdt
JcjWfsXuZiuUn5E7M1vUhTB5kMqLFwUdfoJ4NMFQfp5oUOkSwpChgZVo+8MZKVfW
52dxFDYjrM3zmTKrW0GDmwKBgAah1oyLdiXgLEJBfygytCzkPAacrVg/MxpmEoG7
meNJPvjm/yM9TgldHCtDb2VsYt94e9sZLDG3PmkyyW1Zogxb1qiqTH39KHM/tZ4G
5JecNwbWA6vP+J9LEwtzswDBMTcF+Cwhr8A+kPBzdED8ve2MwT1osPrtt8Gccwfm
45DpAoGBAMmlYFJam/H97vVxjdOZp8phkZcIsqQ7VQ88zDNLEPfClzMW+7x/0jXd
y1+iCJQW0e++M72VFA0LVnnoc2ZkXit0blZHRGeLqjzr4Z1TA+oC1z422kVieBK7
i8SlawIeHE+N9ZY3gIQWaICU8hTzU8wVQTVKUNm00jrZbOGtwbdX
-----END RSA PRIVATE KEY-----

public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SzRoB0lsw9Dw3m9LMLnrxJ+s+NcQuyh8+ffeOtwe9nQwsytxHvXFIv+ZgNBkQLZBaE79gwimYo8T7IgcknsBAn2BGZs6KrMtnw78RBRdIls/cwHsCWKGlgzLfTMhSD0Mvf9DHHVw7BdhAvwi+QFJv0We17KzOlsNiTesnGVuuazBHNh/sh+VV/B56X8XErAuJh2ESItVj4g5F/WB/EB2kbkvoD2Vi3CVEs8wbT01vc55Mul0DC1xgE0XbKkiKg7HT6OlBxF4bGFQ/Anyupj+4A7uFEFJTwWcWs8699JH2+a1P/DBJ4b9IDWhtpQG0pir2DcaijA3I3uqedLWKRBb admin@NI-cRIO

Any direction or help is appreciated. Let me know if you need any more information. thanks.

@volks73 volks73 added the question Further information is requested label Oct 14, 2023
@volks73
Copy link
Member

volks73 commented Oct 14, 2023

Thank you for your interest in the LIBSSH2 for LabVIEW toolkit, and for the detailed debugging information. I am sorry you are experiencing issues with the toolkit and public-private authentication.

and then I put the public key info into the authorised_keys file on the test server.

Did you use the ssh-copy-id utility or did you manually copy the public key into the authorized_keys file? I believe the authorized_keys file needs correct permissions, chmod 755 or something. If the permissions are not correct for the authorized_keys, public, and private key files, then authentication errors for SSH can manifest. I believe the ssh-copy-id utility will ensure the files have correct permissions.

I am looking at my authorized_keys file, and I have a public key hash of ssh-rsa, so I believe you have generated the keys correctly, but each hash of the public key ends in ==. I am wondering if something went wrong with adding the public key to the authorized_keys file.

I know there is a bug between libssh2 and LabVIEW with using the public-private key file API. You cannot simply pass a path to the key files like the command line. Instead, the public-private keys must be explicitly read using the LabVIEW File APIs into strings and then the libssh2 "memory" public-private key API can be used. The "Public Key File" instance of the Authenticate.vi actually implements this workaround for you.

Can you share more of the LabVIEW code, possibly as a VI Snippet?

Can you try the Public Key File Authentication example? This implements the LabVIEW File IO to libssh2 memory workaround.

Did you add a passphrase to the public-private key and are using a ssh-agent on the command line?

It is interesting everything appears to work from the command line with the cRIO communicating to the server. This is a good indicator the server and client are compatible and most likely something with using this library.

@poccari
Copy link
Author

poccari commented Oct 17, 2023

Thanks for your response and for looking into it a bit deeper for me!

Ah.... good point, I'm not using a ssh-agent. In my tests from a terminal from the cRIO, to test a ssh connection out (which I have successfully done), I'm using the command ssh -i privateKeyfilename username@<remoteIP>. So maybe that's the issue? The key doesn't have a passphrase to the key.
Does it require a ssh-agent? if so, I'm not sure that the cRIO has one installed by default with their ssh-client. Do you know how to install this?

No, I did not use the ssh-copy-id utility (because the cRIO doesn't have it natively), but I copied the keyfiles across to a different computer, and did it from there (after removing the authorized_keys file first). It seems like this file has permissions of 600 (rw for user and nobody else). And it didn't fix the problem.

I added a == to the end of the public key hash in the authorised keys file and the public key as well, and that didn't work.

I used both Public Key File method as well as Public Key Data methods and I got the same result (taken pretty much from the examples folder).

I am passing in an empty string as the password into the authenticate.vi.

I have attached a snippet of code I'm using. I've got all the options there for each method in there so you can see my methodology (I was using those with testing, and just unwiring/rewiring the method I wanted to test/use. Not the most elegant, but worked in a pinch).

SFTP_FieldRnD_listDirAuthIssue

@volks73
Copy link
Member

volks73 commented Oct 20, 2023

It is possible the public-private key pair that was created using the CLI is not supported by the version of libssh2 used by this toolkit. You generated the public-private key on the cRIO or did you generate from another computer and then copy over to the cRIO and the remote server?

Can you provide the version of the SSH client on your cRIO and the version of the SSH server on the remote host?

You used the ssh-keygen -f command and that probably used the defaults on whatever machine it was executed on. Can you try generate a public-private key with:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

The default type, -t, you generated may not be supported by libssh2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants