Bug Or Feature? Ssh Connection Tab. Password Always Needed
September 19, 2007 at 10:55 pm #10552 jexxer (Member)
Hello.
I'm not sure if this is a bug or a feature, but it has annoyed me for quite some time now.
I'm heavily using the possibility to connect to external servers through an SSH tunnel. For security reasons I store my certificates on a memory stick that I can unplug from the workstation when I leave the office.
I do not want to store passwords in the connection manager and I do not want to input passwords every time I connect via SSH to a server.
AFAIK it should be possible to connect to an SSH server, authenticating by certificate, without the need to provide the account password.
My problem here is:
If I use a certificate (Public key method) that is not secured with a passphrase and leave the passphrase field empty, I get an error message telling me that I need to provide a password.
This is odd. Why am I forced to provide a passphrase when my certificate is not secured by a passphrase?
More odd is that I need to provide the SSH account password for certificates without passphrase. I'd bet that in this case authentication doesn't use the certificate at all but falls back to password authentication.
I'm using SQLyog Enterprise 6.07.
-
September 20, 2007 at 8:06 am #24977 peterlaursen (Participant)
It is by design! If you have a key without passphrase, then the communication is not encrypted!
But it is correct that SSH allows for it. We thought nobody would use it like that. But you will?
“More odd is that i need to provide the SSH account password for certificates without passphrase. I'd bet that in this case authentication doesn't use the certificate at all but falls back to password authentication.” This we are researching into!
-
September 20, 2007 at 2:43 pm #24978 jexxer (Member)
peterlaursen wrote on Sep 20 2007, 10:06 AM:
> If you have a key without passphrase, then the communication is not encrypted!
Are you sure about that? AFAIK the passphrase is for encryption of the private key file to prevent misuse of the private key. I don't think it has any impact on the connection encryption.
-
September 20, 2007 at 8:25 pm #24979 peterlaursen (Participant)
I think that I personally should 'back out' here.
I am calling in an expert (he is Sabya – and a nice guy who gets a haircut almost every 2 weeks!)
-
September 21, 2007 at 6:54 am #24980 Sabyasachi Ruj (Member)
Hi jexxer,
You are correct in both of them.
1. Passphrase is used to encrypt the private key file.
2. SQLyog should not throw up the message: “Please provide your SSH server's Password”, when using key based authentication and the 'Passphrase' field is empty.
Currently as a workaround (if you want to use your private key file which is without passphrase):
You can just type something crap in the 'Passphrase' input box, and it will use your private key file only.
BTW: This will be fixed soon.
Thanks for reporting,
-
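A key file's own header shows whether a passphrase protects it, which is the distinction made in the post above: the passphrase encrypts the private key file, not the SSH session. This is an added example, not part of the original thread or SQLyog's code; it goes beyond the .ppk files plink uses to cover OpenSSH and PEM key files too, and the sample inputs are constructed header lines with no key material.

```python
import base64
import struct

def key_file_protection(text):
    """Return (format, encrypted); encrypted is None when undeterminable."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    # PuTTY .ppk: the "Encryption:" header is "none" or a cipher name.
    if first.startswith("PuTTY-User-Key-File-"):
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                return ("ppk", ln.split(":", 1)[1].strip() != "none")
        return ("ppk", None)
    # OpenSSH native format: the cipher name sits inside the base64 blob.
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        magic = b"openssh-key-v1\x00"
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return ("openssh", None)
        if not blob.startswith(magic) or len(blob) < len(magic) + 4:
            return ("openssh", None)
        (n,) = struct.unpack_from(">I", blob, len(magic))
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]
        if len(cipher) != n:
            return ("openssh", None)
        return ("openssh", cipher != b"none")
    # PEM: PKCS#8 "ENCRYPTED" label, or the legacy Proc-Type header.
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        if "ENCRYPTED" in first:
            return ("pem", True)
        return ("pem", any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                           for ln in lines[1:]))
    return ("unknown", None)

# Constructed samples: header lines only, no real key material.
PPK_PLAIN = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: sample\n"
PPK_ENC = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: sample\n"
PEM_ENC = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
_blob = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none"
OSSH_PLAIN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              + base64.b64encode(_blob).decode() + "\n")

if __name__ == "__main__":
    for name in ("PPK_PLAIN", "PPK_ENC", "PEM_ENC", "OSSH_PLAIN"):
        print(name, key_file_protection(globals()[name]))
```

Run over the key files on a workstation or removable drive, a check like this finds private keys stored without a passphrase, which is the case where possession of the file alone is enough to authenticate.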
September 22, 2007 at 3:01 am #24981 jexxer (Member)
Sabyasachi Ruj wrote on Sep 21 2007, 08:54 AM:
> Currently as a work around (If you want to use your private key file which is without passphrase):
> You can just type something crap in the 'Passphrase' input box, and it will use your private key file only.
Nope. This is not right.
If I put garbage into the passphrase field I get an SSH fatal error. Unable to authenticate.
I think what happens here is the following:
SQLyog takes the cert and the passphrase. (No passphrase currently is no option.)
It tries the cert AND the passphrase.
SSH reports that the passphrase does not match the cert. (Because it is not encrypted and no passphrase is needed.)
So SQLyog (or SSH internally) falls back to regular password based authentication.
But now the garbage is used as password and login fails.
So currently I can only use password based SSH login.
I'm happy to hear this will be fixed 🙂
Thank you.
-
September 25, 2007 at 6:50 am #24982 Sabyasachi Ruj (Member)
Can you connect with plink and putty with the same key you are using with SQLyog?
You can download plink from:
http://www.chiark.greenend.org.uk/~sgtatha…y/download.html
And then try the following command with parameters changed according to your configuration.
plink -ssh -l username -pw "some_crap_passphrase" -L 3310:localhost:3306 -P 22 192.168.1.3 -i "path_to_private_key.ppk"
Can plink connect to SSH server with anything you use as passphrase in the -pw option?
NOTE: The -pw option is also used for specifying the password, when using “password based” authentication.
-
September 25, 2007 at 2:55 pm #24983 jexxer (Member)
Hello Sabyasachi
First I need to tell you that your command line has errors.
Option -P is for setting the remote port (defaults to 22)
The server I want to connect is missing.
I tried to use the plink.exe provided by SQLyog package but this one only gave me an error:
OpenEvent
2:The system can not find the file
<- Translated from German, may differ on your system.
I think this plink is not an original one. Do you compile your own for SQLyog? In this case my test with the original PLINK.EXE is pretty useless. I did it anyhow.
I tested 2 servers, one with encrypted cert (Server A) and one with unencrypted cert (Server B). Here are the connection logs.
* Edit: Logs removed.
So you are right. The original PLINK allows a wrong passphrase if the cert is not secured by a passphrase. I can't help here. You would need to execute plink with -v switch from within SQLyog and log the output to understand what is going on here.
I can assure you that SQLyog does not accept garbage passphrase on unsecured cert.
-
September 25, 2007 at 3:00 pm #24984 peterlaursen (Participant)
Yes – the PLINK shipped with SQLyog is a special build.
I do not understand either why “-P 22” is wrong when P defaults to 22?
-
September 25, 2007 at 6:35 pm #24985 jexxer (Member)
peterlaursen wrote on Sep 25 2007, 05:00 PM:
> Yes – the PLINK shipped with SQLyog is a special build.
> I do not understand either why “-P 22” is wrong when P defaults to 22?
My mistake. I missed the 22 and (mis-)interpreted that this local IP of 192.168.1.3 was meant to bind SSH to a specific local IP. But now I see you are able to put the remote IP behind the -P option. Did not know that. I thought only plink [options] remote_host will work.
-
September 26, 2007 at 5:09 am #24986 Sabyasachi Ruj (Member)
Hi Jexxer,
Are you sure that you are using the “unencrypted” certificate with SQLyog and then trying with garbage passphrase?
Because, I can connect here with unencrypted certificate and a garbage passphrase in SQLyog Enterprise v6.07.
Can you provide us with the screenshots of your connection window (MySQL, SSH tabs), and the error you are getting?
You can create a ticket in our support system, if you want privacy.
The ticket can be created at:-
-
September 26, 2007 at 9:14 am #24987 jexxer (Member)
Hi.
I made 3 screenshots. On the one with the error I used a garbage passphrase and on the other the password of the user account on the remote machine. The cert is not secured by a passphrase. The third one shows the MySQL connection configuration tab.
The private key is a SSH-RSA 1024bit key.
What about my error with the plink.exe provided by SQLyog? Is it normal that I can't use it on the command line?
Ok. I put some extra effort in this and configured my sshd to log in DEBUG1 mode. The results below.
Now look. As I suggested, SQLyog never tries to auth by cert. Not on my environment. The original PLINK.EXE does it OK.
One last thing. This behavior is not dependent on this server, I have it on all my servers.
The cert is only used when the passphrase belongs to the cert.
*Edit: Logs removed
-
September 26, 2007 at 12:26 pm #24988 Sabyasachi Ruj (Member)
Hi,
We will look into that again by tomorrow evening.
-
September 27, 2007 at 6:16 am #24989 Sabyasachi Ruj (Member)
Hi,
Maybe your environment is not allowing what is working for us.
For faster resolving of this issue can you create one SSH user on your environment with VERY LIMITED PERMISSIONS?
We DO NOT need any other access to your environment than just being able to connect and adding public keys ONLY in that account.
If you agree, I insist that you use our ticket system for sharing the details.
It can be found here:
http://www.webyog.com/support/ttx.cgi
If you do not agree to create any account for us, please write us what the OS of your environment is, the SSH server vendor, etc., so that we can set up a similar environment.
The second method will take some more time to investigate the problem.
-
September 27, 2007 at 1:49 pm #24990 jexxer (Member)
I'm very embarrassed, I messed up with my certificates.
I found out while double checking my sqlyog.ini today.
I have to apologise for wasting your time.
Using the right certificates in SQLyog I can now input a garbage passphrase and connect with unencrypted certificates.
I removed my logfiles in the other posts to shorten this thread and remove private information. I hope this is ok.
-
September 27, 2007 at 2:37 pm #24991 peterlaursen (Participant)
Everything OK.
And it is still a bug that you will have to enter a 'garbage' passphrase when the private key is NOT protected!
This is fixed in the development tree (from 6.1 beta1).
-