|
 |
c260e0 |
From 95924615ab42529e4dc7b95da1115346bf607fc6 Mon Sep 17 00:00:00 2001
|
|
|
c260e0 |
From: Jeremy Lin <jjlin@cs.stanford.edu>
|
|
|
c260e0 |
Date: Mon, 15 Sep 2014 21:16:46 -0700
|
|
|
c260e0 |
Subject: [PATCH 1/2] ssh: improve key file search
|
|
|
c260e0 |
|
|
|
c260e0 |
For private keys, use the first match from: user-specified key file
|
|
|
c260e0 |
(if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa
|
|
|
c260e0 |
|
|
|
c260e0 |
Note that the previous code only looked for id_dsa files. id_rsa is
|
|
|
c260e0 |
now generally preferred, as it supports larger key sizes.
|
|
|
c260e0 |
|
|
|
c260e0 |
For public keys, use the user-specified key file, if provided.
|
|
|
c260e0 |
Otherwise, try to extract the public key from the private key file.
|
|
|
c260e0 |
This means that passing --pubkey is typically no longer required,
|
|
|
c260e0 |
and makes the key-handling behavior more like OpenSSH.
|
|
|
c260e0 |
|
|
|
c260e0 |
Upstream-commit: fa7d04fed4d4578fe29bdff0b5465f6e4a7da81a
|
|
|
c260e0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
c260e0 |
---
|
|
|
c260e0 |
docs/MANUAL | 26 ++++++++++++++-------
|
|
|
c260e0 |
docs/curl.1 | 8 ++++++-
|
|
|
c260e0 |
lib/ssh.c | 75 +++++++++++++++++++++++++++++++++++++++----------------------
|
|
|
c260e0 |
3 files changed, 73 insertions(+), 36 deletions(-)
|
|
|
c260e0 |
|
|
|
c260e0 |
diff --git a/docs/MANUAL b/docs/MANUAL
|
|
|
c260e0 |
index 4ad2e13..3f8d9b8 100644
|
|
|
c260e0 |
--- a/docs/MANUAL
|
|
|
c260e0 |
+++ b/docs/MANUAL
|
|
|
c260e0 |
@@ -41,12 +41,19 @@ SIMPLE USAGE
|
|
|
c260e0 |
|
|
|
c260e0 |
Get a file from an SSH server using SFTP:
|
|
|
c260e0 |
|
|
|
c260e0 |
- curl -u username sftp://shell.example.com/etc/issue
|
|
|
c260e0 |
+ curl -u username sftp://example.com/etc/issue
|
|
|
c260e0 |
|
|
|
c260e0 |
- Get a file from an SSH server using SCP using a private key to authenticate:
|
|
|
c260e0 |
+ Get a file from an SSH server using SCP using a private key
|
|
|
c260e0 |
+ (not password-protected) to authenticate:
|
|
|
c260e0 |
|
|
|
c260e0 |
- curl -u username: --key ~/.ssh/id_dsa --pubkey ~/.ssh/id_dsa.pub \
|
|
|
c260e0 |
- scp://shell.example.com/~/personal.txt
|
|
|
c260e0 |
+ curl -u username: --key ~/.ssh/id_rsa \
|
|
|
c260e0 |
+ scp://example.com/~/file.txt
|
|
|
c260e0 |
+
|
|
|
c260e0 |
+ Get a file from an SSH server using SCP using a private key
|
|
|
c260e0 |
+ (password-protected) to authenticate:
|
|
|
c260e0 |
+
|
|
|
c260e0 |
+ curl -u username: --key ~/.ssh/id_rsa --pass private_key_password \
|
|
|
c260e0 |
+ scp://example.com/~/file.txt
|
|
|
c260e0 |
|
|
|
c260e0 |
Get the main page from an IPv6 web server:
|
|
|
c260e0 |
|
|
|
c260e0 |
@@ -91,10 +98,13 @@ USING PASSWORDS
|
|
|
c260e0 |
|
|
|
c260e0 |
SFTP / SCP
|
|
|
c260e0 |
|
|
|
c260e0 |
- This is similar to FTP, but you can specify a private key to use instead of
|
|
|
c260e0 |
- a password. Note that the private key may itself be protected by a password
|
|
|
c260e0 |
- that is unrelated to the login password of the remote system. If you
|
|
|
c260e0 |
- provide a private key file you must also provide a public key file.
|
|
|
c260e0 |
+ This is similar to FTP, but you can use the --key option to specify a
|
|
|
c260e0 |
+ private key to use instead of a password. Note that the private key may
|
|
|
c260e0 |
+ itself be protected by a password that is unrelated to the login password
|
|
|
c260e0 |
+ of the remote system; this password is specified using the --pass option.
|
|
|
c260e0 |
+ Typically, curl will automatically extract the public key from the private
|
|
|
c260e0 |
+ key file, but in cases where curl does not have the proper library support,
|
|
|
c260e0 |
+ a matching public key file must be specified using the --pubkey option.
|
|
|
c260e0 |
|
|
|
c260e0 |
HTTP
|
|
|
c260e0 |
|
|
|
c260e0 |
diff --git a/docs/curl.1 b/docs/curl.1
|
|
|
c260e0 |
index 38fa084..d1675a0 100644
|
|
|
c260e0 |
--- a/docs/curl.1
|
|
|
c260e0 |
+++ b/docs/curl.1
|
|
|
c260e0 |
@@ -724,7 +724,8 @@ If this option is used several times, the last one will be used. If
|
|
|
c260e0 |
unspecified, the option defaults to 60 seconds.
|
|
|
c260e0 |
.IP "--key <key>"
|
|
|
c260e0 |
(SSL/SSH) Private key file name. Allows you to provide your private key in this
|
|
|
c260e0 |
-separate file.
|
|
|
c260e0 |
+separate file. For SSH, if not specified, curl tries the following candidates
|
|
|
c260e0 |
+in order: '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
|
|
|
c260e0 |
|
|
|
c260e0 |
If this option is used several times, the last one will be used.
|
|
|
c260e0 |
.IP "--key-type <type>"
|
|
|
c260e0 |
@@ -1124,6 +1125,11 @@ protocol instead of the default HTTP 1.1.
|
|
|
c260e0 |
separate file.
|
|
|
c260e0 |
|
|
|
c260e0 |
If this option is used several times, the last one will be used.
|
|
|
c260e0 |
+
|
|
|
c260e0 |
+(As of 7.39.0, curl attempts to automatically extract the public key from the
|
|
|
c260e0 |
+private key file, so passing this option is generally not required. Note that
|
|
|
c260e0 |
+this public key extraction requires libcurl to be linked against a copy of
|
|
|
c260e0 |
+libssh2 1.2.8 or higher that is itself linked against OpenSSL.)
|
|
|
c260e0 |
.IP "-q"
|
|
|
c260e0 |
If used as the first parameter on the command line, the \fIcurlrc\fP config
|
|
|
c260e0 |
file will not be read and used. See the \fI-K, --config\fP for details on the
|
|
|
c260e0 |
diff --git a/lib/ssh.c b/lib/ssh.c
|
|
|
c260e0 |
index 43e3342..4ea7d9b 100644
|
|
|
c260e0 |
--- a/lib/ssh.c
|
|
|
c260e0 |
+++ b/lib/ssh.c
|
|
|
c260e0 |
@@ -780,7 +780,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
|
|
|
c260e0 |
if((data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY) &&
|
|
|
c260e0 |
(strstr(sshc->authlist, "publickey") != NULL)) {
|
|
|
c260e0 |
char *home = NULL;
|
|
|
c260e0 |
- bool rsa_pub_empty_but_ok = FALSE;
|
|
|
c260e0 |
+ bool out_of_memory = FALSE;
|
|
|
c260e0 |
|
|
|
c260e0 |
sshc->rsa_pub = sshc->rsa = NULL;
|
|
|
c260e0 |
|
|
|
c260e0 |
@@ -788,34 +788,55 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
|
|
|
c260e0 |
HOME environment variable etc? */
|
|
|
c260e0 |
home = curl_getenv("HOME");
|
|
|
c260e0 |
|
|
|
c260e0 |
- if(data->set.str[STRING_SSH_PUBLIC_KEY] &&
|
|
|
c260e0 |
- !*data->set.str[STRING_SSH_PUBLIC_KEY])
|
|
|
c260e0 |
- rsa_pub_empty_but_ok = true;
|
|
|
c260e0 |
- else if(data->set.str[STRING_SSH_PUBLIC_KEY])
|
|
|
c260e0 |
- sshc->rsa_pub = aprintf("%s", data->set.str[STRING_SSH_PUBLIC_KEY]);
|
|
|
c260e0 |
- else if(home)
|
|
|
c260e0 |
- sshc->rsa_pub = aprintf("%s/.ssh/id_dsa.pub", home);
|
|
|
c260e0 |
- else
|
|
|
c260e0 |
- /* as a final resort, try current dir! */
|
|
|
c260e0 |
- sshc->rsa_pub = strdup("id_dsa.pub");
|
|
|
c260e0 |
-
|
|
|
c260e0 |
- if(!rsa_pub_empty_but_ok && (sshc->rsa_pub == NULL)) {
|
|
|
c260e0 |
- Curl_safefree(home);
|
|
|
c260e0 |
- state(conn, SSH_SESSION_FREE);
|
|
|
c260e0 |
- sshc->actualcode = CURLE_OUT_OF_MEMORY;
|
|
|
c260e0 |
- break;
|
|
|
c260e0 |
+ if(data->set.str[STRING_SSH_PRIVATE_KEY])
|
|
|
c260e0 |
+ sshc->rsa = strdup(data->set.str[STRING_SSH_PRIVATE_KEY]);
|
|
|
c260e0 |
+ else {
|
|
|
c260e0 |
+ /* If no private key file is specified, try some common paths. */
|
|
|
c260e0 |
+ if(home) {
|
|
|
c260e0 |
+ /* Try ~/.ssh first. */
|
|
|
c260e0 |
+ sshc->rsa = aprintf("%s/.ssh/id_rsa", home);
|
|
|
c260e0 |
+ if(!sshc->rsa)
|
|
|
c260e0 |
+ out_of_memory = TRUE;
|
|
|
c260e0 |
+ else if(access(sshc->rsa, R_OK) != 0) {
|
|
|
c260e0 |
+ Curl_safefree(sshc->rsa);
|
|
|
c260e0 |
+ sshc->rsa = aprintf("%s/.ssh/id_dsa", home);
|
|
|
c260e0 |
+ if(!sshc->rsa)
|
|
|
c260e0 |
+ out_of_memory = TRUE;
|
|
|
c260e0 |
+ else if(access(sshc->rsa, R_OK) != 0) {
|
|
|
c260e0 |
+ Curl_safefree(sshc->rsa);
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
+ if(!out_of_memory && !sshc->rsa) {
|
|
|
c260e0 |
+ /* Nothing found; try the current dir. */
|
|
|
c260e0 |
+ sshc->rsa = strdup("id_rsa");
|
|
|
c260e0 |
+ if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
|
|
|
c260e0 |
+ Curl_safefree(sshc->rsa);
|
|
|
c260e0 |
+ sshc->rsa = strdup("id_dsa");
|
|
|
c260e0 |
+ if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
|
|
|
c260e0 |
+ Curl_safefree(sshc->rsa);
|
|
|
c260e0 |
+ /* Out of guesses. Set to the empty string to avoid
|
|
|
c260e0 |
+ * surprising info messages. */
|
|
|
c260e0 |
+ sshc->rsa = strdup("");
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
}
|
|
|
c260e0 |
|
|
|
c260e0 |
- if(data->set.str[STRING_SSH_PRIVATE_KEY])
|
|
|
c260e0 |
- sshc->rsa = aprintf("%s", data->set.str[STRING_SSH_PRIVATE_KEY]);
|
|
|
c260e0 |
- else if(home)
|
|
|
c260e0 |
- sshc->rsa = aprintf("%s/.ssh/id_dsa", home);
|
|
|
c260e0 |
- else
|
|
|
c260e0 |
- /* as a final resort, try current dir! */
|
|
|
c260e0 |
- sshc->rsa = strdup("id_dsa");
|
|
|
c260e0 |
+ /*
|
|
|
c260e0 |
+ * Unless the user explicitly specifies a public key file, let
|
|
|
c260e0 |
+ * libssh2 extract the public key from the private key file.
|
|
|
c260e0 |
+ * This is done by simply passing sshc->rsa_pub = NULL.
|
|
|
c260e0 |
+ */
|
|
|
c260e0 |
+ if(data->set.str[STRING_SSH_PUBLIC_KEY]) {
|
|
|
c260e0 |
+ sshc->rsa_pub = strdup(data->set.str[STRING_SSH_PUBLIC_KEY]);
|
|
|
c260e0 |
+ if(!sshc->rsa_pub)
|
|
|
c260e0 |
+ out_of_memory = TRUE;
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
|
|
|
c260e0 |
- if(sshc->rsa == NULL) {
|
|
|
c260e0 |
+ if(out_of_memory || sshc->rsa == NULL) {
|
|
|
c260e0 |
Curl_safefree(home);
|
|
|
c260e0 |
+ Curl_safefree(sshc->rsa);
|
|
|
c260e0 |
Curl_safefree(sshc->rsa_pub);
|
|
|
c260e0 |
state(conn, SSH_SESSION_FREE);
|
|
|
c260e0 |
sshc->actualcode = CURLE_OUT_OF_MEMORY;
|
|
|
c260e0 |
@@ -828,8 +849,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
|
|
|
c260e0 |
|
|
|
c260e0 |
Curl_safefree(home);
|
|
|
c260e0 |
|
|
|
c260e0 |
- infof(data, "Using ssh public key file %s\n", sshc->rsa_pub);
|
|
|
c260e0 |
- infof(data, "Using ssh private key file %s\n", sshc->rsa);
|
|
|
c260e0 |
+ infof(data, "Using SSH public key file '%s'\n", sshc->rsa_pub);
|
|
|
c260e0 |
+ infof(data, "Using SSH private key file '%s'\n", sshc->rsa);
|
|
|
c260e0 |
|
|
|
c260e0 |
state(conn, SSH_AUTH_PKEY);
|
|
|
c260e0 |
}
|
|
|
c260e0 |
--
|
|
|
c260e0 |
2.5.2
|
|
|
c260e0 |
|
|
|
c260e0 |
|
|
|
c260e0 |
From 2e18c6a12fc5dbab278670f22e58fcce51d32cac Mon Sep 17 00:00:00 2001
|
|
|
c260e0 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
c260e0 |
Date: Fri, 15 Jan 2016 10:27:33 +0100
|
|
|
c260e0 |
Subject: [PATCH 2/2] ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
|
|
|
c260e0 |
|
|
|
c260e0 |
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
|
|
|
c260e0 |
empty strings specially since curl-7_25_0-31-g05a443a but the behavior
|
|
|
c260e0 |
was unintentionally removed in curl-7_38_0-47-gfa7d04f.
|
|
|
c260e0 |
|
|
|
c260e0 |
This commit restores the original behavior and clarifies it in the
|
|
|
c260e0 |
documentation that NULL and "" have both the same meaning when passed
|
|
|
c260e0 |
to CURLOPT_SSH_PUBLIC_KEYFILE.
|
|
|
c260e0 |
|
|
|
c260e0 |
Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
|
|
|
c260e0 |
|
|
|
c260e0 |
Upstream-commit: be538e07667e1ba880b7201014be706851428d40
|
|
|
c260e0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
c260e0 |
---
|
|
|
c260e0 |
docs/libcurl/curl_easy_setopt.3 | 6 +++---
|
|
|
c260e0 |
lib/ssh.c | 7 +++++--
|
|
|
c260e0 |
2 files changed, 8 insertions(+), 5 deletions(-)
|
|
|
c260e0 |
|
|
|
c260e0 |
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
|
|
c260e0 |
index ad739e1..0a9375e 100644
|
|
|
c260e0 |
--- a/docs/libcurl/curl_easy_setopt.3
|
|
|
c260e0 |
+++ b/docs/libcurl/curl_easy_setopt.3
|
|
|
c260e0 |
@@ -2446,9 +2446,9 @@ Pass a char * pointing to a file name for your public key. If not used,
|
|
|
c260e0 |
libcurl defaults to \fB$HOME/.ssh/id_dsa.pub\fP if the HOME environment
|
|
|
c260e0 |
variable is set, and just "id_dsa.pub" in the current directory if HOME is not
|
|
|
c260e0 |
set. (Added in 7.16.1)
|
|
|
c260e0 |
-If an empty string is passed, libcurl will pass no public key to libssh2
|
|
|
c260e0 |
-which then tries to compute it from the private key, this is known to work
|
|
|
c260e0 |
-when libssh2 1.4.0+ is linked against OpenSSL. (Added in 7.26.0)
|
|
|
c260e0 |
+If NULL (or an empty string) is passed, libcurl will pass no public key to
|
|
|
c260e0 |
+libssh2, which then tries to compute it from the private key. This is known
|
|
|
c260e0 |
+to work with libssh2 1.4.0+ linked against OpenSSL. (Added in 7.26.0)
|
|
|
c260e0 |
.IP CURLOPT_SSH_PRIVATE_KEYFILE
|
|
|
c260e0 |
Pass a char * pointing to a file name for your private key. If not used,
|
|
|
c260e0 |
libcurl defaults to \fB$HOME/.ssh/id_dsa\fP if the HOME environment variable
|
|
|
c260e0 |
diff --git a/lib/ssh.c b/lib/ssh.c
|
|
|
c260e0 |
index 4ea7d9b..589d4a3 100644
|
|
|
c260e0 |
--- a/lib/ssh.c
|
|
|
c260e0 |
+++ b/lib/ssh.c
|
|
|
c260e0 |
@@ -828,7 +828,9 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
|
|
|
c260e0 |
* libssh2 extract the public key from the private key file.
|
|
|
c260e0 |
* This is done by simply passing sshc->rsa_pub = NULL.
|
|
|
c260e0 |
*/
|
|
|
c260e0 |
- if(data->set.str[STRING_SSH_PUBLIC_KEY]) {
|
|
|
c260e0 |
+ if(data->set.str[STRING_SSH_PUBLIC_KEY]
|
|
|
c260e0 |
+ /* treat empty string the same way as NULL */
|
|
|
c260e0 |
+ && data->set.str[STRING_SSH_PUBLIC_KEY][0]) {
|
|
|
c260e0 |
sshc->rsa_pub = strdup(data->set.str[STRING_SSH_PUBLIC_KEY]);
|
|
|
c260e0 |
if(!sshc->rsa_pub)
|
|
|
c260e0 |
out_of_memory = TRUE;
|
|
|
c260e0 |
@@ -849,7 +851,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
|
|
|
c260e0 |
|
|
|
c260e0 |
Curl_safefree(home);
|
|
|
c260e0 |
|
|
|
c260e0 |
- infof(data, "Using SSH public key file '%s'\n", sshc->rsa_pub);
|
|
|
c260e0 |
+ if(sshc->rsa_pub)
|
|
|
c260e0 |
+ infof(data, "Using SSH public key file '%s'\n", sshc->rsa_pub);
|
|
|
c260e0 |
infof(data, "Using SSH private key file '%s'\n", sshc->rsa);
|
|
|
c260e0 |
|
|
|
c260e0 |
state(conn, SSH_AUTH_PKEY);
|
|
|
c260e0 |
--
|
|
|
c260e0 |
2.5.0
|
|
|
c260e0 |
|