Subject: Re: pubkey auth needs to verify supplied passphrase

Re: pubkey auth needs to verify supplied passphrase

From: Daniel Stenberg <>
Date: Mon, 29 Mar 2010 15:25:27 +0200 (CEST)

On Mon, 29 Mar 2010, suyog jadhav wrote:

> I have a key which has passphrase as NULL(no passphrase).

> Now I give it as parameter to libssh2_userauth_publickey_fromfile along with
> NOT-NULL(anything) passphrase. The pubkey auth succeeds in this case,as
> there is nowhere check for this scenario.

You could easily first try with a blank passphrase to see if this is indeed
the case.

> I understand that default ssh client doesn't ask for passphrase for such
> key,which was the requirement for such case,I think.

The "default ssh client" ? Are you referring to the openssh tool?

> I have also raised a ticket for a fix
> similar to this problem.

Sorry, but ticket 169 is not a fix. It simply says you crash libssh2 by
passing in a NULL pointer instead of a pointer to a passphrase. I agree that
the man page doesn't say explicitly what is allowed there but it also doesn't
say that NULL is a legitimate input.

I still think we should check for a NULL pointer to make it more robust.

Received on 2010-03-29