From: Teodor Milkov
To: libssh2-devel@cool.haxx.se
Subject: SSH agent forwarding support
Date: Tue, 1 Dec 2020 13:57:20 +0200

Hello,

I opened an issue on GitHub two weeks ago (https://github.com/libssh2/libssh2/issues/535) but it seems GitHub issues are not actively monitored, so I figured I'd write to the list as well.

I'm just looking for confirmation that SSH agent forwarding is currently incomplete in libssh2 (or am I just not using it right?).
Best regards,
Teodor
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From: Igor Klevanets
To: libssh2 development
Subject: Re: Add libssh2_agent_sign() to allow sign any message
Date: Tue, 01 Dec 2020 15:04:18 +0300
Message-Id: <2827111606824143@mail.yandex.ru>
In-Reply-To: <219271601128241@mail.yandex.ru>
Hi!

Is there any chance to extend the API?

26.09.2020, 16:53, "Igor Klevanets" <cerevra@yandex.ru>:
> Hello,
>
> Is there any specific procedure for extending the public API?
>
> Thank you,
> Igor Klevanets
>
> _______________________________________________
> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

Best regards,
Igor Klevanets
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From: Scott Weber
To: libssh2-devel@cool.haxx.se
Subject: Newbie Question on Private Key
Date: Mon, 28 Dec 2020 09:15:42 -0600

Hello,

I am new here, and I am trying to understand this library. I find the doc rather lacking, however the examples are very helpful. (Maybe someday I can help improve the doc... but not as a newbie.)

I have sshd running on a Linux machine, and I'm connecting from a Windows client app I'm developing. It is working, but there are things I am not clear about.

First, correct me if I'm wrong, but the protocol seems to use PKI, but not certificates. So the public/private exchange is used to generate the symmetric key, like SSL, but there is no requirement for a CA.

Now, connecting as a client, the function libssh2_userauth_publickey_fromfile(...) requires BOTH the public and private key. Why? Having both keys out in the wild seems to be a serious security risk.

Also, I've done some testing, and it appears that only the private key is needed. I can NULL out the public key. (And yet the function name is "... publickey_fromfile".) Again, why?

I have both keys also on the Linux server, but it appears (via the conf) that the server only uses the public key. It would seem that putting the public key "out in the wild" and keeping the private key on the server is the normal step, at least when creating SSL handshakes.

Would it function if I placed the private key in the authorized_keys file on the server, and used the public key on the client?

Any educational advice is appreciated.

Scott Weber
Scotty2540@gmail.com
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From: John-Mark Gurney
To: libssh2 development
Subject: Re: Newbie Question on Private Key
Date: Mon, 28 Dec 2020 14:08:59 -0800
Message-ID: <20201228220859.GM31099@funkthat.com>

Scott Weber wrote this message on Mon, Dec 28, 2020 at 09:15 -0600:
> First correct me if I'm wrong, but the protocol seems to use a PKI, but not
> certificates. So the public/private exchange is used to generate the
> symmetric key, like SSL, but there is no requirement for a CA.

Correct, the host has a public/private key pair, and the user MAY have a
key pair for authentication as well...

> Now connecting as a client, the
> function libssh2_userauth_publickey_fromfile(...)
> requires BOTH the public and private key.
> Why?
> Having both keys out in the wild seems to be a serious security risk.

This is the user's key... The key may be encrypted, which is why the
passphrase is an argument. If the client doesn't have access to the
user's private key, it cannot sign a statement that the server uses to
verify the public key in the .ssh/authorized_keys file...

Note: there is a mode that allows a CA to sign certs that can be used,
but it is not commonly used, but does have some interesting improvements
security wise.

> Also, I've done some testing, and it appears that only the private key is
> needed. I can NULL out the public key. (and yet the function name is "
> ... publickey_fromfile" )
> Again, why?

Also, I'm looking at the man page, and I believe that this doc is wrong
(from docs/libssh2_userauth_password_ex.3):

    publickey - Path name of the public key file. (e.g. /etc/ssh/hostkey.pub).
    If libssh2 is built against OpenSSL, this option can be set to NULL.
    privatekey - Path name of the private key file. (e.g. /etc/ssh/hostkey)

Those e.g. should be ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa.. Though it
could be other names as well..

The likely reason the public key can be NULL'd out is that the private
key either contains the public key, or the public key can easily be
derived from the private key (and it is often safest to do so)...

> I have both keys also on the linux server, but it appears (via the conf)
> that the server only uses the public key.
> It would seem that putting the public key "out in the wild" and keeping the
> private key on the server is the normal step, at least when creating SSL
> handshakes.

I think you may have been confused by the above docs, but you are
correct that the host private key should NOT be used, and even if you
did, it would not work...

> Would it function if I placed the private key in the authorized_keys file
> on the server, and used the public key on the client?

No, it would not.

Hope this helps.

--
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
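The reply above says the public key is either contained in the private key file or derivable from it, which is why libssh2_userauth_publickey_fromfile() can take NULL for the publickey path. The Python below is an added example, not libssh2 code and not anything posted in this thread: it builds an OpenSSH "openssh-key-v1" private key file from a published Ed25519 test vector (RFC 8032 section 7.1, test 1, used only as constructed sample input) and parses it back to show where the public key sits. The container layout (magic, cipher and KDF names, a plaintext public key blob, then the private section) is the real on-disk format; the key comment, the checkint constant and the dummy bytes standing in for ciphertext in the "locked" variant are assumptions made for the example.

```python
# Added example (not libssh2 code): build and parse an OpenSSH
# 'openssh-key-v1' file to show the public key lives outside the
# encrypted section of the private key file.
import base64
import struct

# RFC 8032 section 7.1 test vector 1: a published Ed25519 key pair, used
# here only as constructed sample input (never use it for real access).
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_pubkey_blob(pub: bytes) -> bytes:
    """The same blob that appears base64-encoded in id_ed25519.pub."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def plaintext_private_section(seed: bytes, pub: bytes, comment: bytes) -> bytes:
    """Private section for cipher 'none'. checkint is an assumed constant
    (OpenSSH picks a random one); padding 1,2,3.. fills the 8-byte block."""
    checkint = 0x1234ABCD
    sec = (struct.pack(">II", checkint, checkint)
           + ssh_string(b"ssh-ed25519") + ssh_string(pub)
           + ssh_string(seed + pub)        # Ed25519 private blob = seed || pub
           + ssh_string(comment))
    pad = (-len(sec)) % 8
    return sec + bytes(range(1, pad + 1))


def build_container(pub, private_section, cipher=b"none", kdf=b"none", kdfopts=b"") -> str:
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1)                    # number of keys
            + ssh_string(ed25519_pubkey_blob(pub))    # plaintext public key
            + ssh_string(private_section))            # encrypted if cipher != none
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.u32()
        b = self.data[self.pos:self.pos + n]
        if len(b) != n:
            raise ValueError("truncated key file")
        self.pos += n
        return b


def parse_openssh_private_key(pem: str) -> dict:
    """Return what is readable: the public key always; the private seed and
    comment only when the file is unencrypted (cipher 'none')."""
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key")
    data = base64.b64decode("".join(lines[1:-1]))
    if not data.startswith(MAGIC):
        raise ValueError("bad magic")
    r = _Reader(data[len(MAGIC):])
    cipher, kdf, _kdfopts = r.string(), r.string(), r.string()
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    pubblob = r.string()                # readable even when cipher != none
    pr = _Reader(pubblob)
    keytype, pub = pr.string(), pr.string()
    private = r.string()
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "keytype": keytype.decode(), "public": pub,
            # exactly the line that belongs in the server's authorized_keys
            "authorized_keys_line": keytype.decode() + " " + base64.b64encode(pubblob).decode()}
    if cipher != b"none":
        return info                     # the rest needs the passphrase
    sr = _Reader(private)
    c1, c2 = sr.u32(), sr.u32()
    if c1 != c2:
        raise ValueError("checkint mismatch: corrupt file or wrong passphrase")
    if sr.string() != keytype or sr.string() != pub:
        raise ValueError("public key inside private section disagrees")
    sk = sr.string()
    if sk[32:] != pub:
        raise ValueError("private half does not carry the public key")
    info["private_seed"], info["comment"] = sk[:32], sr.string().decode()
    return info


def demo() -> tuple:
    plain = build_container(PUB, plaintext_private_section(SEED, PUB, b"scott@example"))
    # Look-alike of a passphrase-protected file: dummy bytes stand in for
    # real aes256-ctr ciphertext (assumption); kdfopts = bcrypt salt + rounds.
    locked = build_container(PUB, bytes(range(64)), cipher=b"aes256-ctr", kdf=b"bcrypt",
                             kdfopts=ssh_string(bytes(16)) + struct.pack(">I", 16))
    return parse_openssh_private_key(plain), parse_openssh_private_key(locked)
```

Two things worth noticing when running demo(). First, the public key blob the parser returns is byte-for-byte the blob in the .pub file, so the authorized_keys line can be produced from the private key file alone; that is the sense in which a NULL publickey argument costs nothing. Second, the public blob sits before the encrypted section, so a passphrase-protected key file still tells anyone who can read it which public key (and therefore which authorized_keys entries) it matches; only the private half and the comment are protected by the passphrase, and the matching checkint pair is what a wrong passphrase fails on.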