#1039 new defect

Keys with passphrases for SFTP — at Version 14

Reported by: josipl Owned by: nobody
Priority: minor Milestone: undecided
Component: code-frontend-ftp-sftp Version: 1.6.1
Keywords: sftp security Cc:
Launchpad Bug:

Description (last modified by warner)

Currently ssh keys with passphareses raise following exception: twisted.conch.ssh.keys.EncryptedKeyError: encrypted key with no passphrase

Twisted has support for passphrases but currently there is no way in Tahoe-LAFS to acquire the passphrase from user.

The solution for now is just to generate keys without a passphrase, even though source:docs/frontends/FTP-and-SFTP.txt suggests otherwise.

Change History (16)

comment:1 Changed at 2010-05-14T00:08:40Z by davidsarah

  • Description modified (diff)
  • Keywords docs added

comment:2 Changed at 2010-05-14T00:12:13Z by davidsarah

FTP-and-SFTP.txt doesn't actually suggest otherwise, but I can see how the current wording could be confusing (it is actually referring to user passwords, not the passphrase of the server private key).

comment:3 Changed at 2010-05-14T00:17:38Z by warner

Server-side keys don't generally have passphrases. When they do, things like sshd can't start up by themselves. The usual linux distributions creates passphraseless keys in /etc/ssh/ssh_host_dsa_key at install time.

I think it's perfectly fine to have Tahoe's SFTP server refuse to use passphrase'd server keys. And yeah, the docs should encourage this by showing an example of running 'ssh-keygen' without providing a passphrase.

comment:4 Changed at 2010-05-16T21:16:53Z by davidsarah

  • Milestone changed from 1.8.0 to 1.7.0
  • Owner set to davidsarah
  • Status changed from new to assigned

Milestone 1.7 to make the docs clear that this isn't supported; then we can decide whether to leave the ticket open or wontfix it.

Changed at 2010-06-19T00:30:08Z by davidsarah

FTP-and-SFTP.txt: remove description of public key format that is not actually implemented. Document that SFTP does not support server private keys with passphrases, and that FTP cannot list directories containing mutable files.

comment:5 Changed at 2010-06-19T00:30:50Z by davidsarah

  • Keywords review-needed added
  • Owner changed from davidsarah to kevan
  • Status changed from assigned to new

Changed at 2010-06-19T00:57:09Z by davidsarah

Update to previous patch adding a 'Known Issues' section

comment:6 Changed at 2010-06-19T01:08:54Z by kevan

The updated patch looks good to me; I like the known issues section.

comment:7 Changed at 2010-06-19T01:09:45Z by kevan

  • Keywords reviewed added; review-needed removed
  • Owner changed from kevan to davidsarah

comment:8 Changed at 2010-06-19T03:49:26Z by davidsarah

  • Milestone changed from 1.7.0 to undecided
  • Owner changed from davidsarah to nobody

Doc patches applied in e05c6c2c7d25db66 and 29a9059c94eef955.

comment:9 Changed at 2010-06-19T03:49:40Z by davidsarah

  • Keywords reviewed removed

comment:10 Changed at 2010-10-09T23:06:08Z by davidsarah

  • Priority changed from major to minor

Demoting this to minor; I have no plans to support server-side keys with passphrases, and there's lots more important stuff to do.

comment:11 Changed at 2012-05-06T23:26:30Z by marlowe

  • Owner changed from nobody to marlowe
  • Status changed from new to assigned

comment:12 Changed at 2012-05-07T00:13:51Z by marlowe

  • Owner changed from marlowe to nobody
  • Status changed from assigned to new

comment:13 Changed at 2012-05-07T00:16:48Z by davidsarah

  • Description modified (diff)
  • Keywords docs removed

comment:14 Changed at 2014-12-02T19:52:12Z by warner

  • Component changed from code-frontend to code-frontend-ftp-sftp
  • Description modified (diff)
Note: See TracTickets for help on using tickets.