Opened at 2010-05-13T23:20:51Z
Last modified at 2014-12-02T19:52:12Z
#1039 new defect
Keys with passphrases for SFTP
Reported by: | josipl | Owned by: | nobody |
---|---|---|---|
Priority: | minor | Milestone: | undecided |
Component: | code-frontend-ftp-sftp | Version: | 1.6.1 |
Keywords: | sftp security | Cc: | |
Launchpad Bug: |
Description (last modified by warner)
Currently ssh keys with passphrases raise the following exception: twisted.conch.ssh.keys.EncryptedKeyError: encrypted key with no passphrase
Twisted has support for passphrases but currently there is no way in Tahoe-LAFS to acquire the passphrase from the user.
The solution for now is just to generate keys without a passphrase, even though source:docs/frontends/FTP-and-SFTP.txt suggests otherwise.
Attachments (2)
Change History (16)
comment:1 Changed at 2010-05-14T00:08:40Z by davidsarah
- Description modified (diff)
- Keywords docs added
comment:2 Changed at 2010-05-14T00:12:13Z by davidsarah
comment:3 Changed at 2010-05-14T00:17:38Z by warner
Server-side keys don't generally have passphrases. When they do, things like sshd can't start up by themselves. The usual Linux distributions create passphraseless keys in /etc/ssh/ssh_host_dsa_key at install time.
I think it's perfectly fine to have Tahoe's SFTP server refuse to use passphrase'd server keys. And yeah, the docs should encourage this by showing an example of running 'ssh-keygen' without providing a passphrase.
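An added example, not part of the ticket or of Tahoe-LAFS's own code: one way a server could refuse a passphrase-protected host key up front with a clear message, rather than surfacing the EncryptedKeyError traceback. It goes beyond the legacy PEM keys of the ticket's era to also cover PKCS#8 and the newer OpenSSH container; `key_is_encrypted`, `check_host_key` and the sample keys are hypothetical names and constructed data.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"

def _openssh_cipher(body_b64):
    """Return the cipher name stored at the start of an openssh-key-v1 blob."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])  # length-prefixed string
    return blob[off + 4:off + 4 + n].decode("ascii")

def key_is_encrypted(pem_text):
    """True if the private key text is passphrase-protected."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        return _openssh_cipher(body) != "none"  # "none" means no passphrase
    # Legacy PEM (RSA/DSA/EC): encryption is flagged by an RFC 1421 header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def check_host_key(pem_text):
    """Fail fast with an operator-facing message (hypothetical helper)."""
    if key_is_encrypted(pem_text):
        raise ValueError("SFTP host key has a passphrase; generate one "
                         "without a passphrase for the server")
    return True

# Constructed samples: headers only, no real key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAA
-----END RSA PRIVATE KEY-----"""
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"

def sample_openssh(cipher):
    """Build a constructed, truncated OpenSSH key: magic + cipher name only."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----")
```
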
comment:4 Changed at 2010-05-16T21:16:53Z by davidsarah
- Milestone changed from 1.8.0 to 1.7.0
- Owner set to davidsarah
- Status changed from new to assigned
Milestone 1.7 to make the docs clear that this isn't supported; then we can decide whether to leave the ticket open or wontfix it.
Changed at 2010-06-19T00:30:08Z by davidsarah
FTP-and-SFTP.txt: remove description of public key format that is not actually implemented. Document that SFTP does not support server private keys with passphrases, and that FTP cannot list directories containing mutable files.
comment:5 Changed at 2010-06-19T00:30:50Z by davidsarah
- Keywords review-needed added
- Owner changed from davidsarah to kevan
- Status changed from assigned to new
Changed at 2010-06-19T00:57:09Z by davidsarah
Update to previous patch adding a 'Known Issues' section
comment:6 Changed at 2010-06-19T01:08:54Z by kevan
The updated patch looks good to me; I like the known issues section.
comment:7 Changed at 2010-06-19T01:09:45Z by kevan
- Keywords reviewed added; review-needed removed
- Owner changed from kevan to davidsarah
comment:8 Changed at 2010-06-19T03:49:26Z by davidsarah
- Milestone changed from 1.7.0 to undecided
- Owner changed from davidsarah to nobody
Doc patches applied in e05c6c2c7d25db66 and 29a9059c94eef955.
comment:9 Changed at 2010-06-19T03:49:40Z by davidsarah
- Keywords reviewed removed
comment:10 Changed at 2010-10-09T23:06:08Z by davidsarah
- Priority changed from major to minor
Demoting this to minor; I have no plans to support server-side keys with passphrases, and there's lots more important stuff to do.
comment:11 Changed at 2012-05-06T23:26:30Z by marlowe
- Owner changed from nobody to marlowe
- Status changed from new to assigned
comment:12 Changed at 2012-05-07T00:13:51Z by marlowe
- Owner changed from marlowe to nobody
- Status changed from assigned to new
comment:13 Changed at 2012-05-07T00:16:48Z by davidsarah
- Description modified (diff)
- Keywords docs removed
comment:14 Changed at 2014-12-02T19:52:12Z by warner
- Component changed from code-frontend to code-frontend-ftp-sftp
- Description modified (diff)
FTP-and-SFTP.txt doesn't actually suggest otherwise, but I can see how the current wording could be confusing (it is actually referring to user passwords, not the passphrase of the server private key).