labzero/bootleg

Better error when using an encrypted SSH key

andreasknoepfle opened this issue · 1 comment

Hello labzero 👋
first of all thank you very much for coming up with bootleg 👍. Makes deployment with elixir definitely more awesome.

I'm just writing in order to suggest a small enhancement:
When trying to deploy to staging with bootleg I tried to (mistakenly) use an encrypted SSH key for deploying. This gave me a very strange error message and I would not know what was going on, or why it would fail:

** (SSHError) SSHKit returned an internal error on some.server.example.com: {:function_clause, [{:public_key, :pem_entry_decode, [{:RSAPrivateKey, <<123, 456, 789...>>, {'AES-128-CBC', <<123, 456, 789>>}}], [file: 'public_key.erl', line: 141]}, {SSHClientKeyAPI, :user_key, 2, [file: 'lib/ssh_client_key_api.ex', line: 102]}, {:ssh_auth, :get_public_key, 2, [file: 'ssh_auth.erl', line: 145]}, {:ssh_connection_handler, :is_usable_user_pubkey, 2, [file: 'ssh_connection_handler.erl', line: 1789]}, {:ssh_connection_handler, :"-init_ssh_record/4-lc$^0/1-0-", 2, [file: 'ssh_connection_handler.erl', line: 477]}, {:ssh_connection_handler, :init_ssh_record, 4, [file: 'ssh_connection_handler.erl', line: 476]}, {:ssh_connection_handler, :init, 1, [file: 'ssh_connection_handler.erl', line: 412]}, {:ssh_connection_handler, :init_connection_handler, 3, [file: 'ssh_connection_handler.erl', line: 374]}]}
    lib/bootleg/ssh.ex:74: anonymous fn/2 in Bootleg.SSH.run/2
    (elixir) lib/enum.ex:1294: Enum."-map/2-lists^map/1-0-"/2
    lib/bootleg/ssh.ex:184: Bootleg.SSH.run!/2
    lib/bootleg/ssh.ex:93: Bootleg.SSH.validate_workspace/3
    lib/bootleg/ssh.ex:54: Bootleg.SSH.init/2
    deps/bootleg/lib/bootleg/tasks/ping.exs:5: anonymous fn/3 in Bootleg.DynamicTasks.Ping.execute/0
    (elixir) lib/enum.ex:1899: Enum."-reduce/3-lists^foldl/2-0-"/3
    deps/bootleg/lib/bootleg/tasks/ping.exs:5: Bootleg.DynamicTasks.Ping.execute/0

Later on I found out that it was due to the lacking support of encrypted SSH keys.
I think it would have been very helpful in this case, as long as you do not support encrypted keys, to have a better error stating that encrypted keys are not supported. Usually encrypted keys start with something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC, ... 

So a suggestion would be, when such an internal error occurs, bootleg could check the key and see if it contains ENCRYPTED and if so, print an error that encrypted keys are not supported.
Or maybe even simpler, just print an additional message on all SSHKit internal errors, that it could be due to an encrypted key :).
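One way to implement the suggested check in Elixir, as an added example that is not bootleg's or ssh_client_key_api's own code: `:public_key.pem_decode/1` already reports the `{cipher, salt}` tuple that shows up in the error above, so the caller can refuse the entry with a clear message before `pem_entry_decode/1` raises a function_clause. `KeyCheck` and `load_private_key/1` are names chosen for this example.

```elixir
defmodule KeyCheck do
  # Added example (not bootleg's or ssh_client_key_api's code): decode a PEM
  # key file with :public_key.pem_decode/1 and reject encrypted entries with
  # a descriptive error instead of letting :public_key.pem_entry_decode/1
  # crash with a function_clause.
  #
  # pem_decode/1 returns {type, der, :not_encrypted} for plain entries and
  # {type, der, {cipher, salt}} for entries that carry a DEK-Info header,
  # e.g. {:RSAPrivateKey, <<...>>, {'AES-128-CBC', <<...>>}} as in the report.

  @doc "Reads the PEM file at `path` and returns {:ok, key} or {:error, reason}."
  def load_private_key(path) do
    with {:ok, pem} <- File.read(path),
         {:ok, entry} <- first_key_entry(pem),
         :ok <- reject_encrypted(entry) do
      {:ok, :public_key.pem_entry_decode(entry)}
    end
  end

  # Cheap textual pre-check matching the suggestion in the issue: an
  # encrypted key carries "Proc-Type: 4,ENCRYPTED" in its PEM header.
  def looks_encrypted?(pem) when is_binary(pem) do
    String.contains?(pem, "Proc-Type: 4,ENCRYPTED")
  end

  defp first_key_entry(pem) do
    case :public_key.pem_decode(pem) do
      [] -> {:error, "no PEM entries found in key file"}
      [entry | _] -> {:ok, entry}
    end
  end

  defp reject_encrypted({_type, _der, :not_encrypted}), do: :ok

  defp reject_encrypted({type, _der, {cipher, _salt}}) do
    {:error,
     "#{type} is encrypted with #{cipher}; encrypted SSH keys are not supported, " <>
       "please use an unencrypted key"}
  end
end
```

A caller such as Bootleg.SSH could surface the `{:error, reason}` string directly instead of the SSHKit internal error.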

Thanks for the comment and idea, @andreasknoepfle, I've moved this over to the ssh_client_key_api repo: /labzero/ssh_client_key_api/issues/3

I believe OTP 20 included some major work on the old :ssh library so there may be additional support for either support or detection of this case