SSH key credential [with password-protected SSH private key] for observer repository does not work

Hi, I just installed phab on Debian10 following the manual and it works so far.
On my first try I want to observe an existing gitolite repo,
which only allows access via SSH keys.

I created this Git repo as “observing” and added the credential,
which is a password-protected SSH private key.
However this does not work.

Also, when viewing the credentials and clicking on “show public key”,
I see this error:
Enter passphrase: Load key "/tmp/czbwg66ij6okosk4/passphrase-ssh-key": incorrect passphrase supplied to decrypt private key

Running ssh -y -f <keyfile> on console works just fine, when I enter the correct password.

Does phab need an ssh-agent running or are password protected keys just not working?

When I remove the password from the SSH key it works as expected.

Passphrase-protected keys are not currently supported.

There’s some discussion of improving detection in https://secure.phabricator.com/T13123 by way of https://secure.phabricator.com/T13006.

We don’t currently have any request from customers for passphrase-key support and I believe a credible implementation that serves real security goals would be very complex.

Thx. Good to know.
In this case it would make sense to disable the ‘password for key’ text box in the credential settings,
because if it is there you expect it to work.

Sorry, I’m totally wrong and this is actually supposed to work. Let me see if I can reproduce this.

Does your private key generally have this form, i.e. the text “ENCRYPTED” does not appear in the file:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvWlhrGB
...
BMtSyiq+AScOPPbrkMZzOdqbo97JyO3hMe8Ha8bhuclZiM0qWg
-----END OPENSSH PRIVATE KEY-----

yes

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDhcfJyqT
...
bJ0OpWgK8iMTerZJ6IG2RArrzSO46w4dkuujh5NBZ9v+HXznCEAuJhSfhIfJ9Cxl+a3VuB
4MaLcXHYKeT07Ej9u7azQqwpIsAfc=
-----END OPENSSH PRIVATE KEY-----

I filed this upstream as https://secure.phabricator.com/T13454. See that task for more details.

This should be fixed by https://secure.phabricator.com/D20905.

Thanks for the report!
