SSH.NET 是否只接受 OpenSSH 格式的私钥?如果没有,有什么限制?
Does SSH.NET accept only OpenSSH format of private key? If not, what are the restrictions?
手册中没有这样说明,但一些谷歌 returns 十年之交的页面(例如 this)表明这至少 使用过是这样的。我们有这样的代码:
var privateKeyAuthenticationMethod =
new PrivateKeyAuthenticationMethod(userName, new PrivateKeyFile(privateKeyLocation));
var connInfo =
new ConnectionInfo(
ftpSettings.HostAddress, ftpSettings.UserName, privateKeyAuthenticationMethod);
using (var client = new SftpClient(connInfo))
{
client.Connect();
client.UploadFile(memStreamData, destination);
}
这与我们通过 SCP2(详细的安全副本 2 here)成功使用的私钥挂钩 - 它是 2048 DSA,在 SSH.NET 文档中被列为有效。密钥使用 ssh.com 格式,例如:
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: <FID name>
Comment: "2048-bit dsa, <FID name>@<Server name>, Mon Apr 24 201\
7 15:49:36 +0100"
<ENCRYPTED KEY>
---- END SSH2 ENCRYPTED PRIVATE KEY ----
然而,在 SSH.NET 的私钥处理部分中有一个 Regex 无法匹配我们的私钥,因此抛出异常:
ERROR 2017-05-10 15:31:43 UTC [T: 474] – Invalid private key file.
ERROR 2017-05-10 15:31:43 UTC [T: 474] – at Renci.SshNet.PrivateKeyFile.Open(Stream privateKey, String passPhrase)
然而,如果我们将密钥转换为 OpenSSH 格式,它确实匹配,但由于业务限制,这不一定是我们可以在生产中使用的东西。
有谁知道 SSH.NET 的私钥格式有什么限制吗?我们不确定这次是否需要放弃 SSH.NET 以使用其他一些 SFTP 包装器库,编写我们自己的,或者什么。
正如 in-code 文档中 PrivateKeyFile 类型所说:
Supports RSA and DSA private key in both OpenSSH and ssh.com format.
我已经生成了新的 ssh.com 私钥:
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: "dsa-key-20170511"
P2/56wAAA4IAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
AEbm9uZQAAA0QAAANAAAAAAAAACACOT7SBNaNYmT13gDCCFyE/3yEs6oVbmmGVM6dIesTC
iwY26oHL2JKNLh2gHYfwa9iwDESAH6CIUR+Jf19KXLyNMLQgsoEhfZRS35mDC0pyoYgD77
N2VXt7hkEYFYuJK459HmmoJ2DABdZ9Anb6twDwfY7XhRdLz2H44OOifd1qKjYd/qzsm9MQ
4qUDHYsJpfCly2DFjcFy915fPW4IrTguCRRv545B949iZD/9VcysVe5Cs5DKe1zQybgs2L
qRgMXVS8eHIx4ASNRP6Z9gllkPK2CqWMeLL7P0oR6fNuC8T02xy0CTNh9s041mB7zN5Sfy
kuTzqh6Wkj3t9Z9Fv8YxAAAH/iadRhuaJzO7c9oA4+Z/aPwcTQZQiyeZ0jzTzKUZsyOUiV
PDGxsAuBAcMapskELDdWy0n0S0im4HyxouQrQxqIHBtzucuD4YznIdsCCjs8S0NiBLXEE1
DYyiIpnAgpoC1j6b00L3LosaI2szOAp2fGB2dtXizX6fIkUZssNZthEbpOKGvItor7JUv8
urcbl56S9B+mdyTm/a+zKP+Q5rC9mjd/N6X+9+pZxPoSfEzgclUOLxC+zJigpUEZ9UcqGR
eCT881CKmd0HRrVG3uzgVvsnnzX7wyTnOqg2CXuESB3NvvlzM2Vsa3UuBU1AjBj1++0h5Q
VJ83MZmlp2seG0m3MAAACg22bQYT6jD8GG9XaeoHXwnaPCB8kAAAgAh5QuiehV7IZN9G0R
V4t/sdnhA8M5X7YXw9iQUu08TYmPomZATI/7OlUYySPsjuf5IbRWSKXVP1x2Rku8gJQnAI
lbS6jhxHjx61fwD4jctaCZdI1MzXgW/PtIv3Sc6JyJdnD1dqKieUuRG6PhTFqoG3F1YHyy
VydaIhB1vKi90sTJ5AXXEZG81Q7yRBItJqr46XBz0W4CqQS6aguzzO9ZEdcadJGfDF6Bp8
Ymxzf58lYNrCJem4p7axM7P/9HaNW4xzRb5N0hyBYjFXAFa/mo2jARWHQTGeQy7KbdfUKE
vkxd96qK3InQHijWelnKAT5KgFaM9P1AEsgLnNRlQdn/fwAAAJ4qvy/nqPvqBwotQLLE0I
M9rbFIdA==
---- END SSH2 ENCRYPTED PRIVATE KEY ----
SSH.NET2016.0.0PrivateKeyFile可以正常加载
PrivateKeyFile 无法处理您的密钥的一件事是 Subject: header。删除它。
如果您需要完整的密钥文件,只需将其删除on-the-fly,同时阅读:
string key = File.ReadAllText(@"C:\path\key");
Regex removeSubjectRegex = new Regex("Subject:.*[\r\n]+", RegexOptions.IgnoreCase);
key = removeSubjectRegex.Replace(key, "");
MemoryStream buf = new MemoryStream(Encoding.UTF8.GetBytes(key));
PrivateKeyFile privateKeyFile = new PrivateKeyFile(buf);
手册中没有这样说明,但一些谷歌 returns 十年之交的页面(例如 this)表明这至少 使用过是这样的。我们有这样的代码:
var privateKeyAuthenticationMethod =
new PrivateKeyAuthenticationMethod(userName, new PrivateKeyFile(privateKeyLocation));
var connInfo =
new ConnectionInfo(
ftpSettings.HostAddress, ftpSettings.UserName, privateKeyAuthenticationMethod);
using (var client = new SftpClient(connInfo))
{
client.Connect();
client.UploadFile(memStreamData, destination);
}
这与我们通过 SCP2(详细的安全副本 2 here)成功使用的私钥挂钩 - 它是 2048 DSA,在 SSH.NET 文档中被列为有效。密钥使用 ssh.com 格式,例如:
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: <FID name>
Comment: "2048-bit dsa, <FID name>@<Server name>, Mon Apr 24 201\
7 15:49:36 +0100"
<ENCRYPTED KEY>
---- END SSH2 ENCRYPTED PRIVATE KEY ----
然而,在 SSH.NET 的私钥处理部分中有一个 Regex 无法匹配我们的私钥,因此抛出异常:
ERROR 2017-05-10 15:31:43 UTC [T: 474] – Invalid private key file.
ERROR 2017-05-10 15:31:43 UTC [T: 474] – at Renci.SshNet.PrivateKeyFile.Open(Stream privateKey, String passPhrase)
然而,如果我们将密钥转换为 OpenSSH 格式,它确实匹配,但由于业务限制,这不一定是我们可以在生产中使用的东西。
有谁知道 SSH.NET 的私钥格式有什么限制吗?我们不确定这次是否需要放弃 SSH.NET 以使用其他一些 SFTP 包装器库,编写我们自己的,或者什么。
正如 in-code 文档中 PrivateKeyFile 类型所说:
Supports RSA and DSA private key in both OpenSSH and ssh.com format.
我已经生成了新的 ssh.com 私钥:
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: "dsa-key-20170511"
P2/56wAAA4IAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
AEbm9uZQAAA0QAAANAAAAAAAAACACOT7SBNaNYmT13gDCCFyE/3yEs6oVbmmGVM6dIesTC
iwY26oHL2JKNLh2gHYfwa9iwDESAH6CIUR+Jf19KXLyNMLQgsoEhfZRS35mDC0pyoYgD77
N2VXt7hkEYFYuJK459HmmoJ2DABdZ9Anb6twDwfY7XhRdLz2H44OOifd1qKjYd/qzsm9MQ
4qUDHYsJpfCly2DFjcFy915fPW4IrTguCRRv545B949iZD/9VcysVe5Cs5DKe1zQybgs2L
qRgMXVS8eHIx4ASNRP6Z9gllkPK2CqWMeLL7P0oR6fNuC8T02xy0CTNh9s041mB7zN5Sfy
kuTzqh6Wkj3t9Z9Fv8YxAAAH/iadRhuaJzO7c9oA4+Z/aPwcTQZQiyeZ0jzTzKUZsyOUiV
PDGxsAuBAcMapskELDdWy0n0S0im4HyxouQrQxqIHBtzucuD4YznIdsCCjs8S0NiBLXEE1
DYyiIpnAgpoC1j6b00L3LosaI2szOAp2fGB2dtXizX6fIkUZssNZthEbpOKGvItor7JUv8
urcbl56S9B+mdyTm/a+zKP+Q5rC9mjd/N6X+9+pZxPoSfEzgclUOLxC+zJigpUEZ9UcqGR
eCT881CKmd0HRrVG3uzgVvsnnzX7wyTnOqg2CXuESB3NvvlzM2Vsa3UuBU1AjBj1++0h5Q
VJ83MZmlp2seG0m3MAAACg22bQYT6jD8GG9XaeoHXwnaPCB8kAAAgAh5QuiehV7IZN9G0R
V4t/sdnhA8M5X7YXw9iQUu08TYmPomZATI/7OlUYySPsjuf5IbRWSKXVP1x2Rku8gJQnAI
lbS6jhxHjx61fwD4jctaCZdI1MzXgW/PtIv3Sc6JyJdnD1dqKieUuRG6PhTFqoG3F1YHyy
VydaIhB1vKi90sTJ5AXXEZG81Q7yRBItJqr46XBz0W4CqQS6aguzzO9ZEdcadJGfDF6Bp8
Ymxzf58lYNrCJem4p7axM7P/9HaNW4xzRb5N0hyBYjFXAFa/mo2jARWHQTGeQy7KbdfUKE
vkxd96qK3InQHijWelnKAT5KgFaM9P1AEsgLnNRlQdn/fwAAAJ4qvy/nqPvqBwotQLLE0I
M9rbFIdA==
---- END SSH2 ENCRYPTED PRIVATE KEY ----
SSH.NET2016.0.0PrivateKeyFile可以正常加载
PrivateKeyFile 无法处理您的密钥的一件事是 Subject: header。删除它。
如果您需要完整的密钥文件,只需将其删除on-the-fly,同时阅读:
string key = File.ReadAllText(@"C:\path\key");
Regex removeSubjectRegex = new Regex("Subject:.*[\r\n]+", RegexOptions.IgnoreCase);
key = removeSubjectRegex.Replace(key, "");
MemoryStream buf = new MemoryStream(Encoding.UTF8.GetBytes(key));
PrivateKeyFile privateKeyFile = new PrivateKeyFile(buf);