asn1: structure error: tags don't match

[lancechentw]

Below is what I got, I think it is different from #4

rtop: asn1: structure error: tags don't match (16 vs {class:0 tag:0 length:28 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false} pkcs1PrivateKey @2

Background info

Commit hash: ed16e84
uname: Linux foobar 4.0.1-1-ARCH #1 SMP PREEMPT Wed Apr 29 12:00:26 CEST 2015 x86_64 GNU/Linux
openssh: 6.8p1
openssl: 1.0.2a

[mdevan]

Same as #13. Repeating what I posted there, could you try this?

---

Hmm, maybe it is picking up the key file auth method first, before the ssh-agent method. Can you try an experiment please?

• comment out line 118 in sshhelper.go: auths = addPasswordAuth(auths)
• recompile (make)
• try again?

[peterbe]

I have the same error. I tried commenting out line 118 and recompiled and it didn't solve the problem.

I'm on OSX.

[peterbe]

By the way, I encountered that error with and without the -i flag.

[lancechentw]

Commenting out line 118 does not work for me, either running rtop without ssh-agent.

I think it fails at ans1.Unmarshal() in ParsePKCS1PrivateKey
https://golang.org/src/crypto/x509/pkcs1.go?h=ParsePKCS1PrivateKey#L41

[lancechentw]

I found that 512-bit RSA works, while 2048-bit RSA fails.

[lancechentw]

#11 (comment) is not correct. It is not 2048-bit RSA that fails, it is a key-pair with passphrase that fails.

[lancechentw]

Do DecryptPEMBlock() like this after pem.Decode()
https://golang.org/src/crypto/x509/pem_decrypt_test.go#L15

Also, use IsEncryptedPEMBlock() to determine if decryption is needed.

[mdevan]

Please check with commit f753d19. With this rtop will natively support encrypted private keys, and also support auth via ssh-agent correctly.

[peterbe]

Building this version, now I no longer get that same error @Lance0312 got. But instead I get a "Key passphrase:" prompt

:~/dev/GO/rtop (master=)$ ./rtop [email protected]
Key passphrase:
^C

This works though without prompting me for a passphrase:

:~/dev/GO/rtop (master=)$ ssh [email protected]

[mdevan]

@peterbe is your ~/.ssh/id_rsa encrypted?

[peterbe]

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4AD650ED3EC480B5....

........

[peterbe]

so, plain text I guess

[lancechentw]

@mdevan, f753d19 works great. I was working on to build something like getpass(), didn't know passwordCallback() could simply do the job ;D

I think @peterbe uses ssh-agent, am I correct? The auth order changed in f753d19 breaks how it should work. If ssh-agent has credentials cached, it should be used for auth first. Then asks user for passphrase if there's no credential cached.

[mdevan]

@Lance0312 There is a catch in the auth order. The code in golang.org/x/crypto/ssh/client_auth.go#clientAuthenticate assumes that there is only one callback per auth type (e.g. "publickey"). So as it stands, either the agent or the key would work, but not both (as a superset). Will fix soon.

[lancechentw]

@mdevan, got it. I am closing this issue since we have encrypted key pair support now. @peterbe, would you please open another issue for your problem?

[mdevan]

Try with the latest commit ba5b35e. This improves the auth method handling.