[ZBX-4850] SSH items *with* passphrase for private key do not work under Debian, Ubuntu Created: 2012 Apr 09  Updated: 2024 Apr 11  Resolved: 2012 Apr 10

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D)
Affects Version/s: None
Fix Version/s: 2.0.0

Type: Incident report Priority: Minor
Reporter: Oleksii Zagorskyi Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: ssh
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Debian, libssh2 installed from packages.


Attachments: File ltrace_11717_ssh2-141ssl+passphrase.out     File ltrace_12105_ssh2-141gcrypt+passphrase.out    
Issue Links:
Duplicate

 Description   

This issue is an attempt to report an observed behavior of libssh2 under Debian.

The libssh2 can use two different crypto libraries to perform encryption/decryption: OpenSSL or Libgcrypt

Configure options for libssh2:

  --with-libgcrypt        Use Libgcrypt for crypto
  --with-openssl          Use OpenSSL for crypto

By default OpenSSL is used if --with-libgcrypt is not specified.

Debian's package is using Libgcrypt:
http://packages.debian.org/squeeze/libssh2-1

Why did it happen?
Here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409362
And as a result, Debian's package is using Libgcrypt.

In its package in a file "rules" a line exists:
CONFIGURE_EXTRA_FLAGS = --with-libgcrypt

The package's Changelog excerpt:

libssh2 (0.17-1) unstable; urgency=low
...
  * Build using libgcrypt, not OpenSSL (Closes: #409362).
 ...
 -- Mikhail Gusarov <[email protected]>  Wed, 04 Jul 2007 15:21:46  0700

The library libssh2 for several other checked distros (centos, gentoo) and freebsd is using default OpenSSL

At the same time, openssh-client is using only OpenSSL:
http://packages.debian.org/squeeze/openssh-client
So, the problem is not visible when trying to use a private key with a passphrase from the console (by openssh-client).

Quoting Simon:
"The Libgcrypt backend in libssh2 contains a hand written
slimmed down ASN.1 parser to read out the RSA key, but it does not
support any of the PKCS* encrypted forms of RSA keys. The OpenSSL
backend in libssh2 uses OpenSSL to read the keys, so it supports
whatever private key formats that OpenSSL supports."
and
"Are you using libgcrypt or OpenSSL as the backend? The libgcrypt
backend can only read unencrypted private keys."

Sources:
http://www.mail-archive.com/[email protected]/msg02226.html
http://www.mail-archive.com/[email protected]/msg02057.html

From #libssh2 on Freenode I learned that Simon is the author of the libgcrypt backend for libssh.

How to distinguish easily:
Libgcrypt variant:

# ldd /usr/lib/libssh2.so
	linux-vdso.so.1 =>  (0x00007fff67dc3000)
	libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00007f2e54679000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f2e54462000)
	libc.so.6 => /lib/libc.so.6 (0x00007f2e540ff000)
	libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007f2e53efc000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2e54b37000)

OpenSSL variant:

# ldd /usr/lib/libssh2.so
	linux-vdso.so.1 =>  (0x00007fff49bff000)
	libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f42d9ff3000)
	libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f42d9c52000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f42d9a3a000)
	libc.so.6 => /lib/libc.so.6 (0x00007f42d96d8000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007f42d94d4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f42da48d000)

So, for now we have to add a note to documentation. Here: http://www.zabbix.com/documentation/2.0/manual/config/items/itemtypes/ssh_checks
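The ldd check above can be combined with a check of the key file itself. This is an added example, not code from Zabbix or libssh2; the function names are hypothetical, the ldd lines are the ones shown in this report, and the key is a constructed placeholder with no key material.

```shell
#!/bin/sh
# Added example: flag the combination this report describes
# (libssh2 built against Libgcrypt + passphrase-protected private key).

# Constructed samples: ldd lines as shown in the report, placeholder key.
sample_ldd_gcrypt()  { echo 'libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00007f2e54679000)'; }
sample_ldd_openssl() { echo 'libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f42d9c52000)'; }
sample_encrypted_key() {
cat <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

(constructed placeholder, no key material)
-----END RSA PRIVATE KEY-----
EOF
}

# Print the crypto backend implied by `ldd` output read from stdin.
# Real use: ldd /usr/lib/libssh2.so | libssh2_backend
libssh2_backend() {
    deps=$(cat)
    case "$deps" in
        *libgcrypt.so*) echo libgcrypt ;;
        *libcrypto.so*) echo openssl ;;
        *)              echo unknown ;;
    esac
}

# Succeed if the PEM text on stdin is marked as passphrase-encrypted.
# Covers traditional PEM (Proc-Type header) and PKCS#8 (ENCRYPTED label).
# Keys in the "BEGIN OPENSSH PRIVATE KEY" container are not detected here,
# because their encryption flag sits inside the base64 body.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)'
}

# $1 = backend name, key on stdin. Returns 1 for the failing combination.
check_ssh_item() {
    if [ "$1" = libgcrypt ] && key_is_encrypted; then
        echo "FAIL: libgcrypt backend cannot read an encrypted private key"
        return 1
    fi
    echo "OK: backend=$1"
}

# Demo on the constructed samples.
sample_encrypted_key | check_ssh_item "$(sample_ldd_gcrypt | libssh2_backend)" || true
```
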



 Comments   
Comment by Oleksii Zagorskyi [ 2012 Apr 10 ]

Attached (just because I got them during debugging before) are two files showing the difference between openssl and gcrypto usage where a private key is encrypted with a passphrase.
The command was "ltrace -tt -n2 -s 80 -T -S -p <PID>"

libssh2 latest version 1.4.1 compiled from sources.

Comment by Oleksii Zagorskyi [ 2012 Apr 10 ]

As I see the same for Ubuntu:
depends: libgcrypt11 (>= 1.4.6)

http://packages.ubuntu.com/oneiric/libssh2-1

Comment by Oleksii Zagorskyi [ 2012 Apr 10 ]

This case is reported in the Debian bug system: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271

Comment by Oleksii Zagorskyi [ 2012 Apr 10 ]

This special case has been documented here http://www.zabbix.com/documentation/2.0/manual/config/items/itemtypes/ssh_checks
If I receive any news from the Debian bug system, I'll update this issue.

Issue CLOSED for now.

Comment by Oleksii Zagorskyi [ 2012 Apr 10 ]

We have an answer in the http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271

Comment by Michael Spurlock [ 2019 Aug 19 ]

Would it be possible to compile Zabbix against libssh-4 instead of libssh2-1 in Ubuntu (and perhaps other Debian-based distros)? The package libssh-4 is compiled against OpenSSL and can coexist with the libssh2-1 package.

Comment by Oleksii Zagorskyi [ 2020 Dec 15 ]

As I see "libssh-4" package on Ubuntu 20.04 it's another library - tiny C SSH library
Home page https://www.libssh.org/

So, it's not about packaging and/or compilation, but about using a different library, which is another, more complicated, story.

Comment by Oleksii Zagorskyi [ 2020 Dec 18 ]

It appeared that we now support libssh library (ZBXNEXT-5690) and even made change for packages - zabbix v5.2 on Ubuntu 18.04 and 20.04, for CentOS8 and possibly other.
So, maybe this limitation is not actual anymore.

Comment by Oleksii Zagorskyi [ 2020 Dec 24 ]

The last comment in ZBX-17417 mentions package changes.

Generated at Thu Apr 25 19:22:20 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.