Subject: Re: SSH & SFTP: Passphrase Problem + Libssh2 Correction

From: Paul Romero <>
Date: Fri, 09 Jul 2010 13:23:45 -0700

Hi Simon:

I am glad you brought up this issue because I am NOT using OpenSSL.
Further investigation is needed to determine if my environment can
support ssh-agent. However, the security issue you mentioned
is very valid and difficult. How do you recommend protecting private keys
in an automated environment?

Best Regards,

Paul R.

Simon Josefsson wrote:

> Paul Romero <> writes:
> > Dear Group:
> >
> > I previously posted this problem to the libcurl group and after
> > considering it, think it might actually be a libssh2 problem.
> >
> > The general problem is that if my private key is encrypted with
> > a passphrase, I can't complete authentication with the SSH
> > server using libssh.
> Are you using libgcrypt or OpenSSL as the backend? The libgcrypt
> backend can only read unencrypted private keys.
> Encrypted or not, having the private key in the same process as libssh2
> code is likely a bad idea for security -- so I suggest that you use the
> agent interface to move public/private key handling to a separate
> process. Then you can support any kind of private key (GnuTLS has code
> to decrypt encrypted private keys).
> /Simon

Paul Romero
RCOM Communications Software
Phone/Fax: (510)339-2628
Received on 2010-07-09
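The failure Simon describes (the libgcrypt backend silently cannot load a passphrase-protected key, so authentication just fails) is much easier to diagnose if the automation checks the key file before handing it to libssh2, and in an unattended setup that check is also the natural place to fall back to the agent path he recommends. The C program below is an added example, not code from this thread or from libssh2: it classifies a PEM private key by its headers alone (RFC 1421 `Proc-Type`/`DEK-Info` lines for traditional keys, the `BEGIN ENCRYPTED PRIVATE KEY` armor for PKCS#8), never decodes the body, and reports whether the key can be used directly or must go through an agent. The sample keys are constructed filler, not real key material.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of a pre-flight look at a PEM private key file. */
typedef enum {
    KEY_UNKNOWN   = 0,  /* no complete PEM private-key block found */
    KEY_PLAINTEXT = 1,  /* traditional PEM block without encryption headers */
    KEY_ENCRYPTED = 2   /* passphrase-protected: decrypt out of process or use an agent */
} key_state;

/* Copy one line (without its terminator) into a NUL-terminated buffer.
 * Returns the number of bytes consumed from `pem`, including the newline. */
static size_t next_line(const char *pem, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < len && pem[n] != '\n')
        n++;
    size_t copy = n;
    if (copy && pem[copy - 1] == '\r')
        copy--;                     /* tolerate CRLF line endings */
    if (copy >= outsz)
        copy = outsz - 1;           /* over-long lines are truncated, never overrun */
    memcpy(out, pem, copy);
    out[copy] = '\0';
    return n < len ? n + 1 : n;     /* step over the '\n' if there was one */
}

/* Classify a PEM buffer by its headers alone; the base64 body is never decoded. */
key_state classify_pem_key(const char *pem, size_t len)
{
    char line[256];
    int in_block = 0;
    size_t pos = 0;

    while (pos < len) {
        pos += next_line(pem + pos, len - pos, line, sizeof line);

        if (!in_block) {
            /* A PKCS#8 encrypted container announces itself in the BEGIN line. */
            if (strcmp(line, "-----BEGIN ENCRYPTED PRIVATE KEY-----") == 0)
                return KEY_ENCRYPTED;
            /* Traditional "BEGIN RSA/DSA PRIVATE KEY" or PKCS#8 "BEGIN PRIVATE KEY". */
            if (strncmp(line, "-----BEGIN ", 11) == 0 &&
                strstr(line, "PRIVATE KEY-----") != NULL)
                in_block = 1;
            continue;
        }
        /* Inside the block: RFC 1421 headers mark a passphrase-protected key. */
        if (strncmp(line, "Proc-Type: 4,ENCRYPTED", 22) == 0 ||
            strncmp(line, "DEK-Info:", 9) == 0)
            return KEY_ENCRYPTED;
        if (strncmp(line, "-----END ", 9) == 0)
            return KEY_PLAINTEXT;
    }
    return KEY_UNKNOWN;             /* BEGIN without END: truncated, not usable */
}

const char *key_state_name(key_state s)
{
    switch (s) {
    case KEY_PLAINTEXT: return "plaintext (a libgcrypt-backed libssh2 can load it directly)";
    case KEY_ENCRYPTED: return "encrypted (hand it to ssh-agent, not to the libgcrypt backend)";
    default:            return "not a usable PEM private key";
    }
}

/* Constructed samples: the bodies are filler, not real key material. */
const char *SAMPLE_ENCRYPTED_RSA =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n";

const char *SAMPLE_PLAIN_RSA =               /* CRLF endings, as from a Windows editor */
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\r\n"
    "-----END RSA PRIVATE KEY-----\r\n";

const char *SAMPLE_PKCS8_ENCRYPTED =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void)
{
    const char *samples[] = { SAMPLE_ENCRYPTED_RSA, SAMPLE_PLAIN_RSA,
                              SAMPLE_PKCS8_ENCRYPTED, "not a key\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               key_state_name(classify_pem_key(samples[i], strlen(samples[i]))));
    return 0;
}
```

In an unattended job the `KEY_ENCRYPTED` result is the branch that should switch to the agent interface rather than prompt or embed a passphrase: the key then stays in the agent process and the libssh2 process only ever sees signatures, which is the separation Simon's reply argues for.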