phpseclib

phpseclib

Member Since 9 years ago

United States of America

Experience Points
0
follower
Lessons Completed
0
follow
Best Reply Awards
12
repos
Activity
Jan
24
6 hours ago
Activity icon
issue

raghuveer issue comment phpseclib/phpseclib

raghuveer
raghuveer

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

raghuveer
raghuveer

ED25519 algorithm worked without passphrase, as you posted earlier,

key generation: ssh-keygen -f /home/cccv3/.ssh/test3ed25519withoutpass.pem -t ed25519 -q -m pkcs8

in phpseclib: $key = \phpseclib3\Crypt\PublicKeyLoader::load(file_get_contents('/home/cccv3/.ssh/test3ed25519withoutpass.pem'), '');

signature started with: -----BEGIN OPENSSH PRIVATE KEY-----

Jan
23
1 day ago
pull request

nguyentranchung pull request phpseclib/phpseclib

nguyentranchung
nguyentranchung

Infinite loop error when logging in

Screen Shot 2022-01-24 at 8 54 41

Report Bug:

  • The server only allows login with private key.
  • When I login with a password, for example:
$ssh = new SSH2($ip, $port);
$ssh->login($username, 'my_password');

Line 2191: Now the value of $args is array('my_password') The code will run down to 2200 line (server refuses to login with a password, Public Key requirements) Line 2201: The value $arg is 'my_password', not the instance of PrivateKey or Agent So break in line 2207, up to now, count($args) is still 1 and the loop continues to be infinite

Activity icon
fork

nguyentranchung forked phpseclib/phpseclib

⚡ PHP Secure Communications Library
nguyentranchung MIT License Updated
fork time in 6 hours ago
Activity icon
issue

jagermesh issue phpseclib/phpseclib

jagermesh
jagermesh

SFTP: Connection closed prematurely

I'm having problem with SFTP connection via login/password (not the key) after upgrading to version 3. It was working fine in version 2.

$sftp= new SFTP($hostName, $port);
$sftp->login($userName, $password);

Call stack

phpseclib3\Net\SSH2->send_binary_packet('.......');
    in vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php, 1724
phpseclib3\Net\SSH2->key_exchange();
    in vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php, 1420
phpseclib3\Net\SSH2->connect();
    in vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php, 2167
phpseclib3\Net\SSH2->sublogin('XXXXXX');
    in vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php, 2145

Logs

00000000  53:53:48:2d:32:2e:30:2d:4f:70:65:6e:53:53:48:5f  SSH-2.0-OpenSSH_
00000010  36:2e:32:0d:0a                                   6.2..

->
00000000  53:53:48:2d:32:2e:30:2d:70:68:70:73:65:63:6c:69  SSH-2.0-phpsecli
00000010  62:5f:33:2e:30:20:28:6c:69:62:73:6f:64:69:75:6d  b_3.0 (libsodium
00000020  2c:20:6f:70:65:6e:73:73:6c:2c:20:67:6d:70:29:0d  , openssl, gmp).
00000030  0a                                               .

-> NET_SSH2_MSG_KEXINIT (since last: 0.1268, network: 0s)
00000000  76:d0:bb:ef:7c:12:26:28:74:e3:71:3a:97:e9:bc:97  v...|.&(t.q:....
00000010  00:00:01:7c:63:75:72:76:65:32:35:35:31:39:2d:73  ...|curve25519-s
00000020  68:61:32:35:36:2c:63:75:72:76:65:32:35:35:31:39  ha256,curve25519
00000030  2d:73:68:61:32:35:36:40:6c:69:62:73:73:68:2e:6f  [email protected]
00000040  72:67:2c:65:63:64:68:2d:73:68:61:32:2d:6e:69:73  rg,ecdh-sha2-nis
00000050  74:70:32:35:36:2c:65:63:64:68:2d:73:68:61:32:2d  tp256,ecdh-sha2-
00000060  6e:69:73:74:70:33:38:34:2c:65:63:64:68:2d:73:68  nistp384,ecdh-sh
00000070  61:32:2d:6e:69:73:74:70:35:32:31:2c:64:69:66:66  a2-nistp521,diff
00000080  69:65:2d:68:65:6c:6c:6d:61:6e:2d:67:72:6f:75:70  ie-hellman-group
00000090  2d:65:78:63:68:61:6e:67:65:2d:73:68:61:32:35:36  -exchange-sha256
000000a0  2c:64:69:66:66:69:65:2d:68:65:6c:6c:6d:61:6e:2d  ,diffie-hellman-
000000b0  67:72:6f:75:70:2d:65:78:63:68:61:6e:67:65:2d:73  group-exchange-s
000000c0  68:61:31:2c:64:69:66:66:69:65:2d:68:65:6c:6c:6d  ha1,diffie-hellm
000000d0  61:6e:2d:67:72:6f:75:70:31:34:2d:73:68:61:32:35  an-group14-sha25
000000e0  36:2c:64:69:66:66:69:65:2d:68:65:6c:6c:6d:61:6e  6,diffie-hellman
000000f0  2d:67:72:6f:75:70:31:34:2d:73:68:61:31:2c:64:69  -group14-sha1,di
00000100  66:66:69:65:2d:68:65:6c:6c:6d:61:6e:2d:67:72:6f  ffie-hellman-gro
00000110  75:70:31:35:2d:73:68:61:35:31:32:2c:64:69:66:66  up15-sha512,diff
00000120  69:65:2d:68:65:6c:6c:6d:61:6e:2d:67:72:6f:75:70  ie-hellman-group
00000130  31:36:2d:73:68:61:35:31:32:2c:64:69:66:66:69:65  16-sha512,diffie
00000140  2d:68:65:6c:6c:6d:61:6e:2d:67:72:6f:75:70:31:37  -hellman-group17
00000150  2d:73:68:61:35:31:32:2c:64:69:66:66:69:65:2d:68  -sha512,diffie-h
00000160  65:6c:6c:6d:61:6e:2d:67:72:6f:75:70:31:38:2d:73  ellman-group18-s
00000170  68:61:35:31:32:2c:64:69:66:66:69:65:2d:68:65:6c  ha512,diffie-hel
00000180  6c:6d:61:6e:2d:67:72:6f:75:70:31:2d:73:68:61:31  lman-group1-sha1
00000190  00:00:00:71:73:73:68:2d:65:64:32:35:35:31:39:2c  ...qssh-ed25519,
000001a0  65:63:64:73:61:2d:73:68:61:32:2d:6e:69:73:74:70  ecdsa-sha2-nistp
000001b0  32:35:36:2c:65:63:64:73:61:2d:73:68:61:32:2d:6e  256,ecdsa-sha2-n
000001c0  69:73:74:70:33:38:34:2c:65:63:64:73:61:2d:73:68  istp384,ecdsa-sh
000001d0  61:32:2d:6e:69:73:74:70:35:32:31:2c:72:73:61:2d  a2-nistp521,rsa-
000001e0  73:68:61:32:2d:32:35:36:2c:72:73:61:2d:73:68:61  sha2-256,rsa-sha
000001f0  32:2d:35:31:32:2c:73:73:68:2d:72:73:61:2c:73:73  2-512,ssh-rsa,ss
00000200  68:2d:64:73:73:00:00:01:01:61:65:73:31:32:38:2d  h-dss....aes128-
00000210  67:63:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c  [email protected],
00000220  61:65:73:32:35:36:2d:67:63:6d:40:6f:70:65:6e:73  [email protected]
00000230  73:68:2e:63:6f:6d:2c:61:65:73:31:32:38:2d:63:74  sh.com,aes128-ct
00000240  72:2c:61:65:73:31:39:32:2d:63:74:72:2c:61:65:73  r,aes192-ctr,aes
00000250  32:35:36:2d:63:74:72:2c:61:65:73:31:32:38:2d:63  256-ctr,aes128-c
00000260  62:63:2c:61:65:73:31:39:32:2d:63:62:63:2c:61:65  bc,aes192-cbc,ae
00000270  73:32:35:36:2d:63:62:63:2c:62:6c:6f:77:66:69:73  s256-cbc,blowfis
00000280  68:2d:63:74:72:2c:62:6c:6f:77:66:69:73:68:2d:63  h-ctr,blowfish-c
00000290  62:63:2c:33:64:65:73:2d:63:74:72:2c:33:64:65:73  bc,3des-ctr,3des
000002a0  2d:63:62:63:2c:74:77:6f:66:69:73:68:31:32:38:2d  -cbc,twofish128-
000002b0  63:74:72:2c:74:77:6f:66:69:73:68:31:39:32:2d:63  ctr,twofish192-c
000002c0  74:72:2c:74:77:6f:66:69:73:68:32:35:36:2d:63:74  tr,twofish256-ct
000002d0  72:2c:74:77:6f:66:69:73:68:31:32:38:2d:63:62:63  r,twofish128-cbc
000002e0  2c:74:77:6f:66:69:73:68:31:39:32:2d:63:62:63:2c  ,twofish192-cbc,
000002f0  74:77:6f:66:69:73:68:32:35:36:2d:63:62:63:2c:74  twofish256-cbc,t
00000300  77:6f:66:69:73:68:2d:63:62:63:00:00:01:01:61:65  wofish-cbc....ae
00000310  73:31:32:38:2d:67:63:6d:40:6f:70:65:6e:73:73:68  [email protected]
00000320  2e:63:6f:6d:2c:61:65:73:32:35:36:2d:67:63:6d:40  .com,[email protected]
00000330  6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:61:65:73:31  openssh.com,aes1
00000340  32:38:2d:63:74:72:2c:61:65:73:31:39:32:2d:63:74  28-ctr,aes192-ct
00000350  72:2c:61:65:73:32:35:36:2d:63:74:72:2c:61:65:73  r,aes256-ctr,aes
00000360  31:32:38:2d:63:62:63:2c:61:65:73:31:39:32:2d:63  128-cbc,aes192-c
00000370  62:63:2c:61:65:73:32:35:36:2d:63:62:63:2c:62:6c  bc,aes256-cbc,bl
00000380  6f:77:66:69:73:68:2d:63:74:72:2c:62:6c:6f:77:66  owfish-ctr,blowf
00000390  69:73:68:2d:63:62:63:2c:33:64:65:73:2d:63:74:72  ish-cbc,3des-ctr
000003a0  2c:33:64:65:73:2d:63:62:63:2c:74:77:6f:66:69:73  ,3des-cbc,twofis
000003b0  68:31:32:38:2d:63:74:72:2c:74:77:6f:66:69:73:68  h128-ctr,twofish
000003c0  31:39:32:2d:63:74:72:2c:74:77:6f:66:69:73:68:32  192-ctr,twofish2
000003d0  35:36:2d:63:74:72:2c:74:77:6f:66:69:73:68:31:32  56-ctr,twofish12
000003e0  38:2d:63:62:63:2c:74:77:6f:66:69:73:68:31:39:32  8-cbc,twofish192
000003f0  2d:63:62:63:2c:74:77:6f:66:69:73:68:32:35:36:2d  -cbc,twofish256-
00000400  63:62:63:2c:74:77:6f:66:69:73:68:2d:63:62:63:00  cbc,twofish-cbc.
00000410  00:00:f7:68:6d:61:63:2d:73:68:61:32:2d:32:35:36  ...hmac-sha2-256
00000420  2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d  [email protected]
00000430  2c:68:6d:61:63:2d:73:68:61:32:2d:35:31:32:2d:65  ,hmac-sha2-512-e
00000440  74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:75  [email protected],u
00000450  6d:61:63:2d:36:34:2d:65:74:6d:40:6f:70:65:6e:73  [email protected]
00000460  73:68:2e:63:6f:6d:2c:75:6d:61:63:2d:31:32:38:2d  sh.com,umac-128-
00000470  65:74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c  [email protected],
00000480  68:6d:61:63:2d:73:68:61:31:2d:65:74:6d:40:6f:70  [email protected]
00000490  65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:73  enssh.com,hmac-s
000004a0  68:61:32:2d:32:35:36:2c:68:6d:61:63:2d:73:68:61  ha2-256,hmac-sha
000004b0  32:2d:35:31:32:2c:75:6d:61:63:2d:36:34:40:6f:70  2-512,[email protected]
000004c0  65:6e:73:73:68:2e:63:6f:6d:2c:75:6d:61:63:2d:31  enssh.com,umac-1
000004d0  32:38:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68  [email protected],h
000004e0  6d:61:63:2d:73:68:61:31:2d:39:36:2c:68:6d:61:63  mac-sha1-96,hmac
000004f0  2d:73:68:61:31:2c:68:6d:61:63:2d:6d:64:35:2d:39  -sha1,hmac-md5-9
00000500  36:2c:68:6d:61:63:2d:6d:64:35:00:00:00:f7:68:6d  6,hmac-md5....hm
00000510  61:63:2d:73:68:61:32:2d:32:35:36:2d:65:74:6d:40  [email protected]
00000520  6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63  openssh.com,hmac
00000530  2d:73:68:61:32:2d:35:31:32:2d:65:74:6d:40:6f:70  [email protected]
00000540  65:6e:73:73:68:2e:63:6f:6d:2c:75:6d:61:63:2d:36  enssh.com,umac-6
00000550  34:2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f  [email protected]
00000560  6d:2c:75:6d:61:63:2d:31:32:38:2d:65:74:6d:40:6f  m,[email protected]
00000570  70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d  penssh.com,hmac-
00000580  73:68:61:31:2d:65:74:6d:40:6f:70:65:6e:73:73:68  [email protected]
00000590  2e:63:6f:6d:2c:68:6d:61:63:2d:73:68:61:32:2d:32  .com,hmac-sha2-2
000005a0  35:36:2c:68:6d:61:63:2d:73:68:61:32:2d:35:31:32  56,hmac-sha2-512
000005b0  2c:75:6d:61:63:2d:36:34:40:6f:70:65:6e:73:73:68  ,[email protected]
000005c0  2e:63:6f:6d:2c:75:6d:61:63:2d:31:32:38:40:6f:70  .com,[email protected]
000005d0  65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:73  enssh.com,hmac-s
000005e0  68:61:31:2d:39:36:2c:68:6d:61:63:2d:73:68:61:31  ha1-96,hmac-sha1
000005f0  2c:68:6d:61:63:2d:6d:64:35:2d:39:36:2c:68:6d:61  ,hmac-md5-96,hma
00000600  63:2d:6d:64:35:00:00:00:1a:6e:6f:6e:65:2c:7a:6c  c-md5....none,zl
00000610  69:62:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:7a  [email protected],z
00000620  6c:69:62:00:00:00:1a:6e:6f:6e:65:2c:7a:6c:69:62  lib....none,zlib
00000630  40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:7a:6c:69  @openssh.com,zli
00000640  62:00:00:00:00:00:00:00:00:00:00:00:00:00        b.............

<- NET_SSH2_MSG_KEXINIT (since last: 0.0415, network: 0.0415s)
00000000  79:ca:af:fb:dd:2a:17:2d:e9:6b:0e:28:51:64:45:a2  y....*.-.k.(QdE.
00000010  00:00:00:b7:65:63:64:68:2d:73:68:61:32:2d:6e:69  ....ecdh-sha2-ni
00000020  73:74:70:32:35:36:2c:65:63:64:68:2d:73:68:61:32  stp256,ecdh-sha2
00000030  2d:6e:69:73:74:70:33:38:34:2c:65:63:64:68:2d:73  -nistp384,ecdh-s
00000040  68:61:32:2d:6e:69:73:74:70:35:32:31:2c:64:69:66  ha2-nistp521,dif
00000050  66:69:65:2d:68:65:6c:6c:6d:61:6e:2d:67:72:6f:75  fie-hellman-grou
00000060  70:2d:65:78:63:68:61:6e:67:65:2d:73:68:61:32:35  p-exchange-sha25
00000070  36:2c:64:69:66:66:69:65:2d:68:65:6c:6c:6d:61:6e  6,diffie-hellman
00000080  2d:67:72:6f:75:70:2d:65:78:63:68:61:6e:67:65:2d  -group-exchange-
00000090  73:68:61:31:2c:64:69:66:66:69:65:2d:68:65:6c:6c  sha1,diffie-hell
000000a0  6d:61:6e:2d:67:72:6f:75:70:31:34:2d:73:68:61:31  man-group14-sha1
000000b0  2c:64:69:66:66:69:65:2d:68:65:6c:6c:6d:61:6e:2d  ,diffie-hellman-
000000c0  67:72:6f:75:70:31:2d:73:68:61:31:00:00:00:23:73  group1-sha1...#s
000000d0  73:68:2d:72:73:61:2c:73:73:68:2d:64:73:73:2c:65  sh-rsa,ssh-dss,e
000000e0  63:64:73:61:2d:73:68:61:32:2d:6e:69:73:74:70:32  cdsa-sha2-nistp2
000000f0  35:36:00:00:00:cb:61:65:73:31:32:38:2d:63:74:72  56....aes128-ctr
00000100  2c:61:65:73:31:39:32:2d:63:74:72:2c:61:65:73:32  ,aes192-ctr,aes2
00000110  35:36:2d:63:74:72:2c:61:72:63:66:6f:75:72:32:35  56-ctr,arcfour25
00000120  36:2c:61:72:63:66:6f:75:72:31:32:38:2c:61:65:73  6,arcfour128,aes
00000130  31:32:38:2d:67:63:6d:40:6f:70:65:6e:73:73:68:2e  [email protected]
00000140  63:6f:6d:2c:61:65:73:32:35:36:2d:67:63:6d:40:6f  com,[email protected]
00000150  70:65:6e:73:73:68:2e:63:6f:6d:2c:61:65:73:31:32  penssh.com,aes12
00000160  38:2d:63:62:63:2c:33:64:65:73:2d:63:62:63:2c:62  8-cbc,3des-cbc,b
00000170  6c:6f:77:66:69:73:68:2d:63:62:63:2c:63:61:73:74  lowfish-cbc,cast
00000180  31:32:38:2d:63:62:63:2c:61:65:73:31:39:32:2d:63  128-cbc,aes192-c
00000190  62:63:2c:61:65:73:32:35:36:2d:63:62:63:2c:61:72  bc,aes256-cbc,ar
000001a0  63:66:6f:75:72:2c:72:69:6a:6e:64:61:65:6c:2d:63  cfour,rijndael-c
000001b0  62:63:40:6c:79:73:61:74:6f:72:2e:6c:69:75:2e:73  [email protected]
000001c0  65:00:00:00:cb:61:65:73:31:32:38:2d:63:74:72:2c  e....aes128-ctr,
000001d0  61:65:73:31:39:32:2d:63:74:72:2c:61:65:73:32:35  aes192-ctr,aes25
000001e0  36:2d:63:74:72:2c:61:72:63:66:6f:75:72:32:35:36  6-ctr,arcfour256
000001f0  2c:61:72:63:66:6f:75:72:31:32:38:2c:61:65:73:31  ,arcfour128,aes1
00000200  32:38:2d:67:63:6d:40:6f:70:65:6e:73:73:68:2e:63  [email protected]
00000210  6f:6d:2c:61:65:73:32:35:36:2d:67:63:6d:40:6f:70  om,[email protected]
00000220  65:6e:73:73:68:2e:63:6f:6d:2c:61:65:73:31:32:38  enssh.com,aes128
00000230  2d:63:62:63:2c:33:64:65:73:2d:63:62:63:2c:62:6c  -cbc,3des-cbc,bl
00000240  6f:77:66:69:73:68:2d:63:62:63:2c:63:61:73:74:31  owfish-cbc,cast1
00000250  32:38:2d:63:62:63:2c:61:65:73:31:39:32:2d:63:62  28-cbc,aes192-cb
00000260  63:2c:61:65:73:32:35:36:2d:63:62:63:2c:61:72:63  c,aes256-cbc,arc
00000270  66:6f:75:72:2c:72:69:6a:6e:64:61:65:6c:2d:63:62  four,rijndael-cb
00000280  63:40:6c:79:73:61:74:6f:72:2e:6c:69:75:2e:73:65  [email protected]
00000290  00:00:01:92:68:6d:61:63:2d:6d:64:35:2d:65:74:6d  ....hmac-md5-etm
000002a0  40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61  @openssh.com,hma
000002b0  63:2d:73:68:61:31:2d:65:74:6d:40:6f:70:65:6e:73  [email protected]
000002c0  73:68:2e:63:6f:6d:2c:75:6d:61:63:2d:36:34:2d:65  sh.com,umac-64-e
000002d0  74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:75  [email protected],u
000002e0  6d:61:63:2d:31:32:38:2d:65:74:6d:40:6f:70:65:6e  [email protected]
000002f0  73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:73:68:61  ssh.com,hmac-sha
00000300  32:2d:32:35:36:2d:65:74:6d:40:6f:70:65:6e:73:73  [email protected]
00000310  68:2e:63:6f:6d:2c:68:6d:61:63:2d:73:68:61:32:2d  h.com,hmac-sha2-
00000320  35:31:32:2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e  [email protected]
00000330  63:6f:6d:2c:68:6d:61:63:2d:72:69:70:65:6d:64:31  com,hmac-ripemd1
00000340  36:30:2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e:63  [email protected]
00000350  6f:6d:2c:68:6d:61:63:2d:73:68:61:31:2d:39:36:2d  om,hmac-sha1-96-
00000360  65:74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c  [email protected],
00000370  68:6d:61:63:2d:6d:64:35:2d:39:36:2d:65:74:6d:40  [email protected]
00000380  6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63  openssh.com,hmac
00000390  2d:6d:64:35:2c:68:6d:61:63:2d:73:68:61:31:2c:75  -md5,hmac-sha1,u
000003a0  6d:61:63:2d:36:34:40:6f:70:65:6e:73:73:68:2e:63  [email protected]
000003b0  6f:6d:2c:75:6d:61:63:2d:31:32:38:40:6f:70:65:6e  om,[email protected]
000003c0  73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:73:68:61  ssh.com,hmac-sha
000003d0  32:2d:32:35:36:2c:68:6d:61:63:2d:73:68:61:32:2d  2-256,hmac-sha2-
000003e0  35:31:32:2c:68:6d:61:63:2d:72:69:70:65:6d:64:31  512,hmac-ripemd1
000003f0  36:30:2c:68:6d:61:63:2d:72:69:70:65:6d:64:31:36  60,hmac-ripemd16
00000400  30:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d  [email protected],hm
00000410  61:63:2d:73:68:61:31:2d:39:36:2c:68:6d:61:63:2d  ac-sha1-96,hmac-
00000420  6d:64:35:2d:39:36:00:00:01:92:68:6d:61:63:2d:6d  md5-96....hmac-m
00000430  64:35:2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e:63  [email protected]
00000440  6f:6d:2c:68:6d:61:63:2d:73:68:61:31:2d:65:74:6d  om,hmac-sha1-etm
00000450  40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:75:6d:61  @openssh.com,uma
00000460  63:2d:36:34:2d:65:74:6d:40:6f:70:65:6e:73:73:68  [email protected]
00000470  2e:63:6f:6d:2c:75:6d:61:63:2d:31:32:38:2d:65:74  .com,umac-128-et
00000480  6d:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d  [email protected],hm
00000490  61:63:2d:73:68:61:32:2d:32:35:36:2d:65:74:6d:40  [email protected]
000004a0  6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63  openssh.com,hmac
000004b0  2d:73:68:61:32:2d:35:31:32:2d:65:74:6d:40:6f:70  [email protected]
000004c0  65:6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:72  enssh.com,hmac-r
000004d0  69:70:65:6d:64:31:36:30:2d:65:74:6d:40:6f:70:65  [email protected]
000004e0  6e:73:73:68:2e:63:6f:6d:2c:68:6d:61:63:2d:73:68  nssh.com,hmac-sh
000004f0  61:31:2d:39:36:2d:65:74:6d:40:6f:70:65:6e:73:73  [email protected]
00000500  68:2e:63:6f:6d:2c:68:6d:61:63:2d:6d:64:35:2d:39  h.com,hmac-md5-9
00000510  36:2d:65:74:6d:40:6f:70:65:6e:73:73:68:2e:63:6f  [email protected]
00000520  6d:2c:68:6d:61:63:2d:6d:64:35:2c:68:6d:61:63:2d  m,hmac-md5,hmac-
00000530  73:68:61:31:2c:75:6d:61:63:2d:36:34:40:6f:70:65  sha1,[email protected]
00000540  6e:73:73:68:2e:63:6f:6d:2c:75:6d:61:63:2d:31:32  nssh.com,umac-12
00000550  38:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:2c:68:6d  [email protected],hm
00000560  61:63:2d:73:68:61:32:2d:32:35:36:2c:68:6d:61:63  ac-sha2-256,hmac
00000570  2d:73:68:61:32:2d:35:31:32:2c:68:6d:61:63:2d:72  -sha2-512,hmac-r
00000580  69:70:65:6d:64:31:36:30:2c:68:6d:61:63:2d:72:69  ipemd160,hmac-ri
00000590  70:65:6d:64:31:36:30:40:6f:70:65:6e:73:73:68:2e  [email protected]
000005a0  63:6f:6d:2c:68:6d:61:63:2d:73:68:61:31:2d:39:36  com,hmac-sha1-96
000005b0  2c:68:6d:61:63:2d:6d:64:35:2d:39:36:00:00:00:15  ,hmac-md5-96....
000005c0  6e:6f:6e:65:2c:7a:6c:69:62:40:6f:70:65:6e:73:73  none,[email protected]
000005d0  68:2e:63:6f:6d:00:00:00:15:6e:6f:6e:65:2c:7a:6c  h.com....none,zl
000005e0  69:62:40:6f:70:65:6e:73:73:68:2e:63:6f:6d:00:00  [email protected]
000005f0  00:00:00:00:00:00:00:00:00:00:00                 ...........

Any help will be appreciated...

Activity icon
issue

terrafrost issue comment phpseclib/phpseclib

terrafrost
terrafrost

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

terrafrost
terrafrost

libsodium won't help with encrypted OpenSSH keys. I elaborate here:

https://github.com/phpseclib/phpseclib/blob/13b5ad9593072f1b2eca9047af722025e4590849/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L95-L120

TLDR OpenSSH customized bcrypt in a non-standardized way so you either need to do this in pure-PHP or you don't do it. Well I mean I guess you could use ssh-keygen to remove the PW via exec() calls but short of that there's not a ton that can be done

Activity icon
fork

cs-joy forked phpseclib/phpseclib

⚡ PHP Secure Communications Library
cs-joy MIT License Updated
fork time in 11 hours ago
started
started time in 11 hours ago
Activity icon
issue

raghuveer issue comment phpseclib/phpseclib

raghuveer
raghuveer

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

raghuveer
raghuveer

@terrafrost , tried RSA 4096 bit key, based on syntax shared by you for RSA key with passphrase scenario,

ssh-keygen -f /home/username/.ssh/test3rsa4096withpass.pem -t rsa -b 4096 -q -m pkcs8 -N password # with password

This worked.

please tell me, if we can handle ED25519 with passphrase in the scope of OpenSSH encrypted keys, if we use libsodium etc dependencies?

my apologies for asking this question in different scopes, the reasons are while RSA 4096 bit key with passphrase works for now, we might need to shift to ED25519 with passphrase in next few years and that time, we will be fine to install a required library on the server over thinking about alternatives with phpseclib offering good set of features, strictly in compliance and security perspective.

Please check and tell if we can leverage external dependencies, so those who require them will install those dependencies and rest of them use RSA keys with passphrase and kind of...

Thank you.

Activity icon
commit_comment

phpseclib/phpseclib

pull request

terrafrost pull request phpseclib/phpseclib

terrafrost
terrafrost

Corrected many @return annotations in phpseclib/Net

Many of the @return annotations in this project are unhelpful or just wrong. It makes integrating into a project that uses static analysis (psalm or phpstan) annoying.

If the maintainers are receptive to this kind of PR, I am willing to do more.

Activity icon
issue

terrafrost issue comment phpseclib/phpseclib

terrafrost
terrafrost

Corrected many @return annotations in phpseclib/Net

Many of the @return annotations in this project are unhelpful or just wrong. It makes integrating into a project that uses static analysis (psalm or phpstan) annoying.

If the maintainers are receptive to this kind of PR, I am willing to do more.

terrafrost
terrafrost
push

terrafrost push phpseclib/phpseclib

terrafrost
terrafrost

Corrected many @return annotations in phpseclib/Net

Corrected many @return annotations in phpseclib/Net

commit sha: a88b7e546e63c8bde3e8020bf2b73994b68accd0

push time in 13 hours ago
push

terrafrost push phpseclib/phpseclib

terrafrost
terrafrost

Corrected many @return annotations in phpseclib/Net

Corrected many @return annotations in phpseclib/Net

commit sha: 7c000843abbbdc9d3d514b12cf03c239d76c263d

push time in 13 hours ago
Jan
22
2 days ago
pull request

hc-jworman pull request phpseclib/phpseclib

hc-jworman
hc-jworman

Corrected many @return annotations in phpseclib/Net

Many of the @return annotations in this project are unhelpful or just wrong. It makes integrating into a project that uses static analysis annoying.

Activity icon
fork

hc-jworman forked phpseclib/phpseclib

⚡ PHP Secure Communications Library
hc-jworman MIT License Updated
fork time in 1 day ago
Activity icon
issue

terrafrost issue comment phpseclib/phpseclib

terrafrost
terrafrost

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

terrafrost
terrafrost

I will try creating keys as per RSA and ED25519 algorithms based on commands you suggested above and see how that works with phpseclib.

Can we expect in future passphrase support for ED25519?

Probably never.

If you're willing to wait 30 seconds to 1 minute for a key to load, sure, I can do it - I can add passphrase support for encrypted OpenSSH keys (which is more broadly what you're asking for). But I doubt that taking 30s to 1m to load a private key is acceptable for you or anyone.

I mean, I can revisit it. Maybe there's something I missed last time. Maybe a fresh perspective would be beneficial. But that's a hail mary.

I included a code snippet discussing some of the technical challenges in an earlier post in this thread but here it is again:

https://github.com/phpseclib/phpseclib/blob/13b5ad9593072f1b2eca9047af722025e4590849/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L95-L120

Activity icon
issue

raghuveer issue comment phpseclib/phpseclib

raghuveer
raghuveer

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

raghuveer
raghuveer

I will try creating keys as per RSA and ED25519 algorithms based on commands you suggested above and see how that works with phpseclib.

Can we expect in future passphrase support for ED25519?

I will post update after testing the above, thank you for your inputs @terrafrost

started
started time in 2 days ago
Jan
21
3 days ago
Activity icon
fork

chelexwe1812 forked phpseclib/phpseclib

⚡ PHP Secure Communications Library
chelexwe1812 MIT License Updated
fork time in 2 days ago
started
started time in 2 days ago
Activity icon
fork

reznikartem forked phpseclib/phpseclib

⚡ PHP Secure Communications Library
reznikartem MIT License Updated
fork time in 2 days ago
started
started time in 2 days ago
started
started time in 2 days ago
push

terrafrost push phpseclib/phpseclib.github.io

terrafrost
terrafrost

Deploy website

Deploy website version based on 5af2a793aad6c5c67c2c22f26016a4df42c950a5

commit sha: b880146845c8a1552ea23e44dea0e542be6ca0a6

push time in 3 days ago
push

terrafrost push phpseclib/phpseclib.github.io

terrafrost
terrafrost

add note about how OpenSSH only supports one format for Ed25519

commit sha: 5af2a793aad6c5c67c2c22f26016a4df42c950a5

push time in 3 days ago
Activity icon
issue

terrafrost issue comment phpseclib/phpseclib

terrafrost
terrafrost

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

terrafrost
terrafrost

From https://www.openssh.com/txt/release-6.5:

 * Add a new private key format that uses a bcrypt KDF to better
   protect keys at rest. This format is used unconditionally for
   Ed25519 keys, but may be requested when generating or saving
   existing keys of other types via the -o ssh-keygen(1) option.
   We intend to make the new format the default in the near future.
   Details of the new format are in the PROTOCOL.key file.

No newer changelog entries discuss any change to this behavior so it looks like if you want to do Ed25519 with OpenSSH you have to use their format. Which means no password protection if you want to use phpseclib 😐

Activity icon
issue

terrafrost issue comment phpseclib/phpseclib

terrafrost
terrafrost

Are keys based on Ed25519 supported in PHPSecLib v3.0.12?

Hi,

While I started implementing RSA 2048 bit keys in old format for key based authentication through phpseclib, I wanted to know if we can use Ed25519 algorithm through phpseclib, since I read in few places that Ed25519 based keys are generated as per new OpenSSH private key format.

https://security.stackexchange.com/a/144044 https://stribika.github.io/2015/01/04/secure-secure-shell.html

//key generation in OLD OpenSSH private format for RSA ssh-keygen -f ~/.ssh/my_key_rsa -t rsa -b 4096 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

//key generation in NEW OpenSSH private format for ed25519 ssh-keygen -f ~/.ssh/my_key_ed25519 -t ed25519 -o -a 100 -q -N "chosen_passphrase" -l "Fingerprint"

  1. since I read in one of the github issues (https://github.com/phpseclib/phpseclib/issues/1686#issuecomment-899528494) of phpseclib that phpseclib supports elliptic curves, please share if we can use ed25519 keys that are generated using above ssh-keygen command.

  2. Also tell me, if "rounds of key derivations" is accepted to be 100 or we need to reduce that number when generating either RSA or ED25519 keys for phpseclib usage?

  3. One other query is that, if we can use RSA 4096 bit keys for older systems like RHEL 6/CentOS 6 and RHEL 7/CentOS 7 kind of?

please share your inputs

Thank you

terrafrost
terrafrost

Even if I remove the key derivations concept, can I generate ED25519 keys without encrypted OpenSSH key format?

Tried the following,

ssh-keygen -f test.pem -t ed25519 -q -N "chosen_passphrase"

Yah - unencrypted keys are supported. To do an unencrypted key remove the -N "chosen_passphrase" bit and when it gives you a Enter passphrase (empty for no passphrase): prompt then hit Enter.

You could also use PKCS8 by doing -m pkcs8 (or m pem) and then set a password (-N "chosen_passphrase") with a few caveats. This seems to work fine for RSA keys. eg.

ssh-keygen -f test.pem -t rsa -b 2048 -q -m pkcs8 # no password
ssh-keygen -f test3.pem -t rsa -b 2048 -q -m pkcs8 -N password # with password

This, however, does not appear to work with ed25519. At least not on OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020. Most likely because they're using the older RFC5208 Public-Key Cryptography Standards (PKCS) #8 instead of the newer RFC5958 Asymmetric Key Packages. The latter deprecates the former (RFC5958 says "Obsoletes: 5208" and RFC5208 says "Obsoleted by: 5958") but maybe OpenSSH never got the memo. phpseclib implements the RFC5958 - not RFC5208.

ie. ssh-keygen -f test3.pem -t ed25519 -q -m pkcs8 still generates an OpenSSH formatted key, even in-spite of the -m pkcs8. So I guess where ssh-keygen is concerned, just don't use encrypted Ed25519 keys or something...

Jan
20
4 days ago
started
started time in 3 days ago
Jan
19
5 days ago
started
started time in 4 days ago
Activity icon
issue

jealvin issue phpseclib/phpseclib

jealvin
jealvin

DES/CBC/NoPadding with key RC2

if its possible to write phpseclib from kotlin code like this

import android.util.Base64 import javax.crypto.Cipher import javax.crypto.spec.IvParameterSpec import javax.crypto.spec.SecretKeySpec

private fun decrypt(code:String) { val iv = byteArrayOf(1, 3, 5, 7, 9, 11, 13, 15) val key = byteArrayOf(101, 103, 105, 107, 109, 111, 113, 115) val skeySpec = SecretKeySpec(key, "RC2") val ivSpec = IvParameterSpec(iv) val cipher: Cipher = Cipher.getInstance("DES/CBC/NoPadding") cipher.init(Cipher.DECRYPT_MODE, skeySpec, ivSpec) val cipherText: ByteArray = Base64.decode(code, Base64.DEFAULT) var decrypted = String(cipher.doFinal(cipherText), charset = Charsets.UTF_8) println(decrypted) }

Previous