
cred_from_ssh_config doesn't handle encrypted keys properly

Open dionb opened this issue 3 months ago • 2 comments

Hi, Thanks for the great library :)

I'm using a password protected ssh key, with no particular config around it, and I'm never getting prompted for my password. This appears to be because git2 does not try to decrypt the key when creating the Cred object, only when consuming it.

My current workaround is to remove the call to Cred::ssh_key on line 209. But of course this is not desirable for other users of my tool that don't have encrypted keys.

I would like to help implement a fix for this. The only approach I can think of would require remembering that the specific key had been tried before, and skipping the passwordless attempt the second time. Does that sound like a reasonable approach?

dionb avatar Oct 02 '25 15:10 dionb

If you talk about passphrase, it should be handled (or maybe I didn't see the issue due to ssh-agent). How do you create a "password protected ssh key"?

When you say "no particular config", you mean no way to detect the case via .ssh/config?

davidB avatar Oct 02 '25 18:10 davidB

It is getting handled in your code, but git2 is not emitting an error where your code expects one for detecting that the key is passphrase protected. Which means that it never prompts for the password. The error that is expected on line 208 of lib.rs is instead getting emitted by libgit2 when consuming the cred object to try to perform the push action.

To generate a password protected key, you can use:

openssl ecparam -name prime256v1 -genkey -noout -out private.ec.key

openssl pkcs8 -topk8 -in private.ec.key -out private.pem

I have no config files for my SSH client at all, and nothing specific to ssh in my git config. All I've done is generate a key pair, name them id_ecdsa and id_ecdsa.pub, then upload the public key to github.

(Replying by email, Thu, 2 Oct 2025 at 20:05, to David Bernard's comment in davidB/git2_credentials#55: https://github.com/davidB/git2_credentials/issues/55#issuecomment-3362393181)

dionb avatar Oct 03 '25 07:10 dionb
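The thread's problem is that git2's Cred::ssh_key accepts an encrypted key without complaint and libgit2 only rejects it later, when the credential is used, so a helper that waits for an error never prompts. One complement to the retry-tracking idea from the first post is to look at the key file itself before building the credential. The following is an added example written for this thread; it is not code from git2_credentials, git2 or libgit2. It assumes the helper can read the private key file from disk and classifies it by its envelope: the PKCS#8 "ENCRYPTED PRIVATE KEY" envelope that the `openssl pkcs8 -topk8` command above produces, the legacy PEM "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" headers, and the openssh-key-v1 binary header, whose cipher name is "none" for a clear-text key. The fixtures at the bottom are constructed for this example (envelopes plus the base64 of the OpenSSH header bytes only; no real key material), and the enum names are this example's own. It uses only the Rust standard library.

```rust
// Added example for this thread (not git2_credentials, git2 or libgit2 code): classify an
// SSH private key file as encrypted or plain *before* building a Cred, so a helper can
// prompt for the passphrase up front instead of waiting for libgit2 to reject the
// passphrase-less attempt. Standard library only; no external crates.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq, Eq)]
pub enum KeyProtection {
    Plain,     // clear-text key: a passphrase-less Cred::ssh_key attempt makes sense
    Encrypted, // passphrase required: prompt before creating the Cred
    Unknown,   // unrecognised format: fall back to retry-on-error handling
}

/// Minimal RFC 4648 base64 decoder ('=' padding, whitespace skipped). Enough for a
/// key body read from disk; it is not a hardened parser for hostile input.
fn base64_decode(text: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in text.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break,
            b'\n' | b'\r' | b' ' | b'\t' => continue,
            _ => return None,
        };
        // Keep at most 24 pending bits so the accumulator never overflows.
        acc = ((acc << 6) | v as u32) & 0x00ff_ffff;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
        }
    }
    Some(out)
}

/// Read one SSH wire "string": uint32 big-endian length followed by that many bytes.
fn ssh_string<'a>(buf: &'a [u8], pos: &mut usize) -> Option<&'a [u8]> {
    let len = u32::from_be_bytes(buf.get(*pos..*pos + 4)?.try_into().ok()?) as usize;
    *pos += 4;
    let s = buf.get(*pos..*pos + len)?;
    *pos += len;
    Some(s)
}

/// Classify PEM/OpenSSH key text by its envelope and, for OpenSSH keys, the cipher name.
pub fn classify_key(text: &str) -> KeyProtection {
    let t = text.trim_start();
    // PKCS#8 encrypted envelope: what `openssl pkcs8 -topk8` writes without -nocrypt.
    if t.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----") {
        return KeyProtection::Encrypted;
    }
    // Legacy PEM (e.g. "EC PRIVATE KEY") signals encryption with these header lines.
    if t.contains("Proc-Type: 4,ENCRYPTED") || t.contains("DEK-Info:") {
        return KeyProtection::Encrypted;
    }
    if t.starts_with("-----BEGIN OPENSSH PRIVATE KEY-----") {
        // openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        // A ciphername of "none" means the key is stored in clear.
        let body: String = t.lines().filter(|l| !l.starts_with("-----")).collect();
        let raw = match base64_decode(&body) {
            Some(r) => r,
            None => return KeyProtection::Unknown,
        };
        const MAGIC: &[u8] = b"openssh-key-v1\0";
        if !raw.starts_with(MAGIC) {
            return KeyProtection::Unknown;
        }
        let mut pos = MAGIC.len();
        return match ssh_string(&raw, &mut pos) {
            Some(cipher) if cipher == &b"none"[..] => KeyProtection::Plain,
            Some(_) => KeyProtection::Encrypted,
            None => KeyProtection::Unknown,
        };
    }
    if t.starts_with("-----BEGIN ") && t.contains(" PRIVATE KEY-----") {
        return KeyProtection::Plain;
    }
    KeyProtection::Unknown
}

pub fn classify_key_file(path: &Path) -> std::io::Result<KeyProtection> {
    Ok(classify_key(&fs::read_to_string(path)?))
}

// Constructed fixtures (not real keys): envelopes and, for OpenSSH, the base64 of the
// header bytes only (magic, ciphername, kdfname). Bodies are deliberately truncated.
pub const PKCS8_ENCRYPTED: &str =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(body omitted)\n-----END ENCRYPTED PRIVATE KEY-----\n";
pub const LEGACY_PLAIN: &str =
    "-----BEGIN EC PRIVATE KEY-----\n(body omitted)\n-----END EC PRIVATE KEY-----\n";
pub const LEGACY_ENCRYPTED: &str = "-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n(body omitted)\n-----END EC PRIVATE KEY-----\n";
pub const OPENSSH_PLAIN: &str =
    "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n-----END OPENSSH PRIVATE KEY-----\n";
pub const OPENSSH_ENCRYPTED: &str =
    "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0\n-----END OPENSSH PRIVATE KEY-----\n";

fn main() {
    // With a path argument, classify a real file; otherwise run over the fixtures.
    if let Some(p) = std::env::args().nth(1) {
        println!("{}: {:?}", p, classify_key_file(Path::new(&p)));
        return;
    }
    let cases = [
        ("pkcs8 encrypted", PKCS8_ENCRYPTED),
        ("legacy plain", LEGACY_PLAIN),
        ("legacy encrypted", LEGACY_ENCRYPTED),
        ("openssh plain", OPENSSH_PLAIN),
        ("openssh encrypted", OPENSSH_ENCRYPTED),
    ];
    for (name, text) in cases {
        println!("{name}: {:?}", classify_key(text));
    }
}
```

A helper would call classify_key_file on the candidate key before Cred::ssh_key and prompt for a passphrase when it returns Encrypted, keeping the existing retry-on-error path only for Unknown. This check says nothing about keys that live only in ssh-agent, which is the case davidB mentions; those never go through the file path at all.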