Not working unless private key is set to publicly read (chmod 0444) #1951

Open
gidzr opened this issue Oct 14, 2023 · 2 comments
Comments


gidzr commented Oct 14, 2023

Hi

When using local SSH tunnelling with cli, private keys are not accepted unless set to owner read only, 0400.

I'm running phpseclib SSH with a privatekey for an AWS region target.

Phpseclib throws an access-to-file error unless I set the private key file to public read, 0444.
I also created a public key for the AWS private key using PuTTYgen, but phpseclib can't read it.

I don't think a private key should ever be set to be read publicly, so I'm not sure what's going on. Is it the intention of phpseclib to only work with a publicly readable private key?

I'm assuming the reading error of the key occurs because it needs to be loaded with php function file_get_contents(), and this function doesn't work on files that aren't 0444.

I've tried:

use phpseclib3\Crypt\PublicKeyLoader;

$key = PublicKeyLoader::loadPrivateKey(file_get_contents($localPrivateKeyPath)); //only loads with chmod 0444
$key = PublicKeyLoader::loadPrivateKey($localPrivateKeyPath); //error reading, doesn't work
$key = PublicKeyLoader::loadPublicKey(file_get_contents($localPublicKeyPath)); //error reading, doesn't work
$key = PublicKeyLoader::loadPublicKey($localPublicKeyPath); //error reading, doesn't work

Please advise.

terrafrost (Member) commented

Insofar as the permissions go... if phpseclib is running as one user and the key was created by another user, then that'd be why phpseclib can't read it with owner-read-only on the keyfile. To work around this you could do a number of things.

  1. You could copy / paste the keyfile's contents into the PHP file as a string and then pass the string to PublicKeyLoader.
  2. You could make PHP run as the same user as the key is owned by.
  3. You could put the key and the user that PHP is running as into the same group and then enable group read vs. just public read.
  4. You could use ssh-agent to store and retrieve the key.

As for phpseclib not being able to read a PuTTY key... it supports both of these styles of keys:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: phpseclib-generated-key
Public-Lines: 2
AAAAB3NzaC1yc2EAAAADAQABAAAAQQCo9+BpMRYQ/dL3DS2CyJxRF+j6ctbT3/Qp
84+KeFhnii7NT7fELilKUSnxS30WAvQCCo2yU1orfgqr41mM70MB
Private-Lines: 4
AAAAQCCS4sQctqqRaEuA0pqBJqN6hstLes9PQCCbR/uTnkVdW3vjeHA2CSn3xsw2
vPL0BDWYkZtBkaumvhzxkDHdpE0AAAAhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAe
vXysE2RbFDYdAAAAIQEJQRpFCcydunv2bENcN/oBTRw39E8GNv2pIcNxZkcbNQAA
ACATrP+Toj4KE3Usu23BfSBqUhPGYBis4GEFWXjfe2BNNA==
Private-MAC: bc712a70870b4b8ddf120530f02b9068e782a21a

PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: phpseclib-generated-key
Public-Lines: 2
AAAAB3NzaC1yc2EAAAADAQABAAAAQQCo9+BpMRYQ/dL3DS2CyJxRF+j6ctbT3/Qp
84+KeFhnii7NT7fELilKUSnxS30WAvQCCo2yU1orfgqr41mM70MB
Private-Lines: 4
AAAAQCCS4sQctqqRaEuA0pqBJqN6hstLes9PQCCbR/uTnkVdW3vjeHA2CSn3xsw2
vPL0BDWYkZtBkaumvhzxkDHdpE0AAAAhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAe
vXysE2RbFDYdAAAAIQEJQRpFCcydunv2bENcN/oBTRw39E8GNv2pIcNxZkcbNQAA
ACATrP+Toj4KE3Usu23BfSBqUhPGYBis4GEFWXjfe2BNNA==
Private-MAC: 53ba974a4a5f8ac69eb526fd0556fe1a5ccf654216d261af04aca910967b2204

If you have a key that phpseclib can't read you'll need to share it with me so that I might reproduce the problem. If you don't want the world to see the key you can email it to terrafrost@php.net.

> I don't think a private key should ever be set to be read publicly, so I'm not sure what's going on. Is it the intention of phpseclib to only work with a publicly readable private key?

There's nothing phpseclib can do about this. If the user phpseclib is running as didn't create the key and you have it so that only the owner of the key can read it, then there's not much phpseclib can do about that. And that's not a phpseclib thing - that's a Linux thing.
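The reply above boils down to an ordinary Unix permission check plus a choice of workaround. The script below is an added example written for this thread, not code from the issue or from phpseclib itself. It assumes phpseclib 3.x installed via Composer, the POSIX extension enabled, and placeholder values for the key path, host and login user. It reproduces the kernel's owner/group/other read check so the process can say exactly why a 0400 key owned by someone else is unreadable and which of the four options would fix it (group read with 0440, a chown, or ssh-agent) instead of silently telling you to chmod 0444. It then loads the key the way phpseclib expects: `PublicKeyLoader::loadPrivateKey()` takes the key material as a string, which is why passing the path itself in the original post failed.

```php
<?php
// Added example for this thread; not from the issue or phpseclib.
// Assumes: composer require phpseclib/phpseclib:~3.0, ext-posix,
// and placeholder $keyPath / host / user values (all hypothetical).
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Net\SSH2;
use phpseclib3\System\SSH\Agent;

/**
 * Decide whether the running PHP process can read $path, using the same
 * owner -> group -> other class selection the kernel uses. Returns null
 * when readable, otherwise a diagnostic with the least-privilege fix.
 */
function keyAccessProblem(string $path): ?string
{
    if (!file_exists($path)) {
        return "$path does not exist";
    }
    $mode  = fileperms($path) & 0777;   // permission bits only
    $owner = fileowner($path);
    $group = filegroup($path);
    $euid  = posix_geteuid();
    $gids  = posix_getgroups();         // supplementary groups
    $gids[] = posix_getegid();          // plus the effective group

    if ($euid === 0) {
        $ok = true;                     // root bypasses DAC read checks
    } elseif ($euid === $owner) {
        $ok = ($mode & 0400) !== 0;     // owner class: only owner bits count
    } elseif (in_array($group, $gids, true)) {
        $ok = ($mode & 0040) !== 0;     // group class
    } else {
        $ok = ($mode & 0004) !== 0;     // other class (this is what 0444 enables)
    }
    if ($ok) {
        return null;
    }

    $me = posix_getpwuid($euid)['name'] ?? (string) $euid;
    $ow = posix_getpwuid($owner)['name'] ?? (string) $owner;
    $gr = posix_getgrgid($group)['name'] ?? (string) $group;
    return sprintf(
        "%s is mode %04o, owned by %s:%s, but PHP runs as %s (uid %d). " .
        "Fix: chown the key to %s, or add %s to group %s and chmod 0440, " .
        "or hand the key to ssh-agent. Do not chmod 0444.",
        $path, $mode, $ow, $gr, $me, $euid, $me, $me, $gr
    );
}

$keyPath = '/etc/myapp/aws-instance-key.pem';   // hypothetical path
if (($why = keyAccessProblem($keyPath)) !== null) {
    fwrite(STDERR, $why . PHP_EOL);
    exit(1);
}

// Options 1-3 from the reply all end here: the process can read the file,
// so pass the *contents* (never the path) to PublicKeyLoader.
$key = PublicKeyLoader::loadPrivateKey(file_get_contents($keyPath));

$ssh = new SSH2('ec2-host.example');            // hypothetical host
if (!$ssh->login('ec2-user', $key)) {           // hypothetical user
    throw new RuntimeException('public key authentication failed');
}

// Option 4: let ssh-agent hold the key so PHP never opens the file.
// Requires SSH_AUTH_SOCK to be present in PHP's environment.
// $agent = new Agent();
// $ssh->login('ec2-user', $agent);
```

Run it once as the user PHP really executes under (the php-fpm or web server account, not root): the diagnostic names that account and the key's owner and group, which is the information the "it works with 0444" symptom hides. With 0440 and a shared group the key stays unreadable to every other local user, which is the property 0444 gives up.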


gidzr commented Oct 26, 2023

Hey @terrafrost

Thanks for that detailed response. Greatly appreciated.

I wasn't sure about the users/groups because in all cases for testing and dev I create and run as the root user. In prod this isn't a good approach, but obviously dev/testing with root means I can quarantine functionality issues from permission issues.

I'm also not entirely sure it was a user/group issue (even though the permission settings make this the obvious suspect) because, in my limited understanding, a 440 should've worked instead of 444.

However, I will definitely go back and do some more testing with users/groups to see if I can resolve it this way.

It might be a few weeks before I can test and get back to you.

Cheers
