Cannot clone repository with SSH private key #218

Open
genigenigeni opened this issue Sep 18, 2018 · 29 comments
Labels
git

Comments


@genigenigeni genigenigeni commented Sep 18, 2018

When trying to clone a git repository for the first time using SSH and authenticating with an SSH key, I get the error "Unable to extract public key from private key file: Wrong passphrase or invalid/unrecognized private key file format".

I have tried transferring the passphrase using a web server, ASCII Armored QR, and iTunes file sharing. I made sure the passphrase is correct, but it does not work at all.

This happened after I reset the app in order to clone a new password store. For almost a year, the app worked as intended. An uninstall/reinstall did not fix the problem. The key itself is good too, as I can use it on my PC.

I got this error on both an iPhone and an iPad on iOS 12.0.0.

Collaborator

@yishilin14 yishilin14 commented Sep 20, 2018

How you import the key doesn't matter. We keep the ASCII armored key. It is possible that the key format is not supported by the upstream library that we have been using. May I ask what is your key type? I think one possible workaround is that you generate another pair of keys.

We are trying to maintain a list of supported/unsupported keys. You may check https://github.com/mssun/passforios/wiki/Supported-Unsupported-Key-Algorithms to see some keys that are definitely supported.

EDIT: It seems like you were able to clone some of your other repositories. Are you using a new ssh key now?


@fortytw2 fortytw2 commented Sep 21, 2018

I'm having this exact same issue with a freshly generated ssh key from ssh-keygen -t rsa -b 2048 and an empty password. Let me know if there's anything I can do to provide more info

iOS 12.0.0 on an iPhone 6S+ here.


@nylocx nylocx commented Sep 22, 2018

I have the same issue with a new iPhone (iOS 12). #202 prevents me from using https with my gogs git server and now this even prevents me from using ssh. My old iPhone, also running iOS 12, works fine, but I cloned with an older version of pass for ios and gogs almost a year ago over https.
I used an rsa2048 key with and without a passphrase without success.


@maximbaz maximbaz commented Sep 28, 2018

This is because newly generated keys with ssh-keygen -t rsa -b 2048 start with this string:

-----BEGIN OPENSSH PRIVATE KEY-----

While previously the same command generated a file that started with this string:

-----BEGIN RSA PRIVATE KEY-----

So, the new format is not supported.

Collaborator

@yishilin14 yishilin14 commented Sep 30, 2018

@maximbaz Thank you.

I will put this in Supported Unsupported Key Algorithms.
And I will add a link to this document in the key setup page.

Collaborator

@yishilin14 yishilin14 commented Sep 30, 2018

@genigenigeni Would you please check whether using the more compatible PEM format, not the newer OpenSSH format, solves your problem?


@tao-oat tao-oat commented Oct 8, 2018

@yishilin14 I just tried generating a key in the old format using ssh-keygen -t rsa -b 2048 -m PEM, but it won't accept the passphrase I provide it in Pass.


@hreese hreese commented Oct 12, 2018

I wasn't able to convert an existing private key, but here is a way of generating a compliant key pair:

  1. Get puttygen; I used the version supplied by my Linux distribution.
  2. Generate a new private key: puttygen -t rsa -b 2048 -O private-openssh -o pass_for_ios.key
  3. Generate a matching public key: puttygen pass_for_ios.key -C "Pass for iOS" -O public-openssh -o pass_for_ios.pub

@nunbit nunbit commented Oct 23, 2018

Resolved. Thank you @hreese, I followed your steps exactly and it is working now - successfully cloned onto my iPhone. Easy peasy lemon squeezy.

@nunbit nunbit mentioned this issue Oct 23, 2018

@loizoskounios loizoskounios commented Nov 3, 2018

I ran into the same issue and was able to resolve it by asking ssh-keygen to generate a new pair of keys in the OpenSSL PEM format.

ssh-keygen -t rsa -b 4096 -m PEM -f ~/id_rsa

From OpenSSH v7.8 onwards, ssh-keygen will write private keys in the OpenSSH format by default. By using -m PEM we ensure that the key pair is in the OpenSSL PEM format, regardless of the OpenSSH version. -m PEM can be omitted as long as the -o flag is also omitted if OpenSSH is older than v7.8.
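
The two private-key containers discussed above (the BEGIN OPENSSH PRIVATE KEY format that ssh-keygen writes by default from OpenSSH 7.8, and the legacy BEGIN RSA PRIVATE KEY PEM) can be told apart, and checked for passphrase protection, without knowing the passphrase. The following Python sketch is an added example, not part of the thread or of passforios; the function names are hypothetical and the sample inputs are constructed and contain no key material.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC of the newer OpenSSH container
ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def describe_private_key(text):
    """Report container format, key type and passphrase protection."""
    m = ARMOR.search(text)
    if not m:
        raise ValueError("no PEM-style armor found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("armor says OpenSSH but magic is missing")
        cipher, off = _read_string(blob, len(MAGIC))
        _kdf, off = _read_string(blob, off)
        _kdfopts, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
        ktype, _ = _read_string(pub, 0)
        return {"container": "openssh-key-v1", "key_type": ktype.decode(),
                "encrypted": cipher != b"none"}
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"):
        # Legacy PEM marks passphrase protection with a Proc-Type header.
        return {"container": "legacy PEM", "key_type": label.split()[0],
                "encrypted": "Proc-Type: 4,ENCRYPTED" in body}
    raise ValueError("unrecognised armor label: " + label)

def _s(b):
    """Encode bytes as an SSH wire string."""
    return struct.pack(">I", len(b)) + b

def constructed_openssh_sample(cipher=b"none", kdf=b"none"):
    """Constructed header-only blob, no key material, in OpenSSH armor."""
    blob = (MAGIC + _s(cipher) + _s(kdf) + _s(b"") + struct.pack(">I", 1)
            + _s(_s(b"ssh-rsa")) + _s(b""))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy-PEM sample: headers only, the body is a placeholder.
CONSTRUCTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run against the text of a real key file on the workstation, describe_private_key shows which container a given ssh-keygen or puttygen invocation actually produced and whether the file is passphrase-protected.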


@wpcarro wpcarro commented Mar 25, 2019

@brortao - I also couldn't get ssh-keygen -t rsa -b 2048 -m PEM to work. Strange since it output the "supported" headers:

-----BEGIN RSA PRIVATE KEY-----

@loizoskounios I tried your incantation as well, which judging from a glance is the same as @brortao's recommendation except with a larger -b size. I couldn't get this to work either.

I also tried using @hreese's puttygen suggestion and was unsuccessful.

In all of these attempts, passforios continually prompts for the password for my SSH key. The UI does not provide feedback about whether the password is correct or incorrect.

I've tried creating SSH keys without passwords. In these cases, passforios still prompts for a password; I just submit an empty password -- assuming this is the recommendation.

Does anyone have any more insight into the underlying issue? Should we use 2048 or 4096? How can we check the OpenSSH version our ssh-keygen or puttygen is using?

For puttygen, I'm using:

puttygen: Release 0.71
Build platform: 64-bit Unix
Compiler: gcc 7.4.0
Source commit: abfc751c3ee7d57bf3f127a458c40bb4ca2b6996

@kraem kraem commented Mar 29, 2019

I've also tried both @hreese's (with & without passphrase) and @loizoskounios's solutions but no luck.
I'm getting the "Unable to extract public key from private key file: Wrong passphrase or invalid/unrecognized private key file format".

GIT REPOSITORY URL: ssh://git@IP/home/git/.password-store.git
USERNAME: git

SOLVED
Apparently the ".git" in the GIT REPOSITORY URL should be omitted:
GIT REPOSITORY URL: ssh://git@IP/home/git/.password-store

That, in combination with @hreese puttygen solution worked for me.

@wpcarro does your GIT REPOSITORY URL include the .git ending? Make sure it does not. Worked for me when omitting it.

I'd happily update the wiki if I had permission to do so :)


@wpcarro wpcarro commented Apr 1, 2019

@kraem what are you using for your SSH keys if you aren't using puttygen? I'm assuming you're using:

ssh-keygen -t rsa -b 2046 -m PEM

Also, are you using a passphrase for the key?

I tried omitting .git in the URL and using both puttygen and ssh-keygen commands - both without a password. passforios continuously prompts me for a password. If I finally hit cancel, I get the following error:

Failed to clone repository from <url> to <path>
Underlying error: GTCredentialProvider failed to provide credentials.

@wpcarro wpcarro commented Apr 1, 2019

Just to cover more variables, I created a key with ssh-keygen - this time with a password. Same exact error: endless loop; cancel; GTCredentialProvider failed to provide credentials


@kraem kraem commented Apr 1, 2019

@wpcarro I got it to work using RSA 2048 key with passphrase created with puttygen


@wpcarro wpcarro commented Apr 1, 2019

@kraem thanks. Just tested now with a password, and it's still not working.

puttygen -t rsa -b 2048 -O private-openssh -o pass_for_ios.key
puttygen pass_for_ios.key -C "Pass for iOS" -O public-openssh -o pass_for_ios.pub

...and I'm getting the same error. I'm using a private repository on GitHub, and I'm transferring the private, public keys with the following:

xclip -selection clipboard -i <pass_for_ios.pub # uploaded to GitHub
xclip -selection clipboard -i <pass_for_ios.key # emailed to iPhone

Any idea what might be going wrong?


@kraem kraem commented Apr 1, 2019

@wpcarro Only difference I can see is that I used https://github.com/yishilin14/asc-key-to-qr-code-gif/ instead of copy-pasting with xclip. I’ll look closer when not afk :)


@wpcarro wpcarro commented Apr 2, 2019

@kraem thanks for sharing. No luck this way either as I expected. What's interesting, however, is that I can't clone the repository locally either, which is validating.

Update

After running some local tests to reproduce the issue, I finally got this working.

For me, I needed to test the following variables:

Variables

  • .git extension: shouldn't matter
  • SSH key password: shouldn't matter
  • puttygen or ssh-keygen: shouldn't matter
  • Git repository URL: problematic
  • Username: problematic
  • SSH key size: problematic (as discussed above)

Take-aways

The URL and the Username I entered into passforios were both problematic.

Git repository URL and Username

Bad

Git repository URL: ssh://wpcarro@github.com/wpcarro/.password-store
Username: wpcarro

Good

Git repository URL: ssh://git@github.com/wpcarro/.password-store
Username: git

In retrospect, it seems as if I should have caught this earlier on in the process. Bear in mind, however, that trying to troubleshoot six variables (listed above) made the troubleshooting quite time-consuming. I also allocated most of my time troubleshooting the puttygen vs. ssh-keygen, SSH password, and .git extension variables. It wasn't until I tried to locally clone the repository that I corrected my errors.

SSH key generation

Both of these should work:

ssh-keygen -t rsa -b 2046 -m PEM -f ./secret.key
puttygen -t rsa -b 2048 -O private-openssh -o pass_for_ios.key && \
puttygen pass_for_ios.key -C "Pass for iOS" -O public-openssh -o pass_for_ios.pub

Recommendations

Thanks again for making this app. I'm quite happy to finally have it up-and-running. I intend on contributing one of these days. I'm in the middle of a trans-Atlantic relocation. Once that settles, I should have some time to contribute! With that out of the way, here are some humble recommendations.

  • Better error messages? It's confusing if passforios continually prompts for the SSH key password. Furthermore, when you finally click Cancel, the error message mentions GTCredential. Perhaps we can catch these errors and suggest a few troubleshooting tips?
  • Support newer SSH keys or have better error messages about our lack of support for these types of keys.
  • Support an alternative repository syntax? git clone git@github.com:username/repository
Collaborator

@yishilin14 yishilin14 commented Apr 2, 2019

@wpcarro Just added your suggestions to https://github.com/mssun/passforios/wiki/Supported-or-Unsupported-Keys . PRs are always welcomed!

The current error messages are far from enough. And after reading all issues, now I feel that they are even a bit "misleading"...


@kraem kraem commented Apr 3, 2019

@wpcarro Interesting.

The only variable I'm changing is .git extension in the git repository url.
When having the extension I enter my ssh key passphrase and I get an error: "Underlying error: fatal: '/home/git/.password-store.git' does not appear to be a git repository".
When I'm not having the extension I enter my ssh key passphrase and it successfully clones the repo.


@wpcarro wpcarro commented Apr 3, 2019

@kraem strange... I cannot speak to non-GitHub domains. It may be possible that GitHub resolves .git and non-.git URLs similarly.


@mbcrump mbcrump commented May 3, 2019

Hey folks, I've spent countless hours trying to solve this. This image below is how the repo url should look.

image


@infinitylx infinitylx commented May 4, 2019

Got the same issue.

Can't clone ssh://username@customdomain.org:/home/username/pass-store using ssh-key based auth.

Ssh key is openssh rsa -b 4096.

Contributor

@SimplyDanny SimplyDanny commented May 4, 2019

@infinitylx in your case the colon behind the domain might be the culprit. The Wiki points out that only a slash follows the domain.


@infinitylx infinitylx commented May 5, 2019

@SimplyDanny Thanks, that helped. Now I have some issues with key type... But I think someone talked about it somewhere above... So thx for the answer.


@manniche manniche commented Sep 26, 2019

@infinitylx I battled some time with this issue. The normal way I would clone my password-store repository on laptops using a git client would be something along the lines of

git clone git@myserver:relative/path/to/password-store.git

which I in passforios would translate to the clone url

ssh://git@myserver/relative/path/to/password-store.git

But after much trial and error (and unfortunately some less than helpful error messages), I found out that the url needs to be the complete, absolute path to the repository on the target server, such that if the repository is hosted in /home/git/relative/path/to/password-store.git, the clone url in passforios needs to be:

ssh://git@myserver/home/git/relative/path/to/password-store.git

All other git clients I have worked with would infer the base path from the login shell's notion of $HOME but this is not the case here.

I think then that your url @infinitylx should be

ssh://username@customdomain.org/home/username/pass-store
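
Several comments above come down to the form of the repository URL: the scp-like form user@host:path is resolved relative to the login's home directory, the path in an ssh:// URL is absolute, and an empty colon after the host was reported as a problem. The following Python helper is an added example, not from the thread or from passforios; it rewrites either form into the ssh://user@host/absolute/path shape reported to work here, and the function name and the home argument are assumptions.

```python
import posixpath
import re

SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^:/@]+)(?::(?P<port>\d*))?(?P<path>/.*)$")
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/:]+)@)?(?P<host>[^:/@]+):(?P<path>.+)$")

def to_ssh_url(remote, home):
    """Rewrite a remote into ssh://user@host[:port]/absolute/path.

    home is the login's home directory on the server (an assumption the
    caller supplies); it is only used for home-relative scp-like paths.
    Returns (url, notes) where notes lists every change that was made.
    """
    notes = []
    m = SSH_URL.match(remote)
    if m:
        port, path = m["port"], m["path"]
        if port == "":
            # "ssh://user@host:/path": a colon with no port number after it
            notes.append("dropped empty ':' after host")
    elif "://" in remote:
        raise ValueError("not an ssh:// URL with a path: " + remote)
    else:
        m = SCP_LIKE.match(remote)
        if not m:
            raise ValueError("unrecognised remote: " + remote)
        port, path = None, m["path"]
        notes.append("converted scp-like syntax to ssh:// URL")
        if not path.startswith("/"):
            # scp-like paths without a leading slash are relative to $HOME
            path = posixpath.join(home, path)
            notes.append("resolved home-relative path against " + home)
    if m["user"] is None:
        raise ValueError("no login user in remote: " + remote)
    authority = m["user"] + "@" + m["host"] + (":" + port if port else "")
    return "ssh://" + authority + path, notes
```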

@johnmee johnmee commented Oct 6, 2019

Confirming once again for all that the problem is the format of the key. The legacy pem public key format works whereas the default format of RFC4716 does not. Use the -m option...

ssh-keygen -m PEM


@Infinisil Infinisil commented Oct 22, 2019

@wpcarro Regarding the GTCredentialProvider failed to provide credentials error, I got it because the server didn't have the phone's key in its authorized keys.

@mssun mssun added the git label Nov 20, 2019
Owner

@mssun mssun commented Nov 21, 2019

We have updated libgit2/libssh2/openssl and shipped a TestFlight 0.8.0 (41) with this update. This update will support ECDSA, ED25519 and more algorithms. Please help me to confirm this problem is fixed. Refer: #305 (comment)
