Reputation: 3288
I can log into a server using only a private key via command line. Why does this PHP function require a public key also?
<?php
// Connect, restricting the server host-key type to ssh-rsa.
$connection = ssh2_connect($server_address, $port, array('hostkey' => 'ssh-rsa'));

// Authenticate with the key pair; the function wants BOTH the public and
// the private key path, plus the passphrase (may be empty).
if (!@ssh2_auth_pubkey_file($connection, $username, $public_key_path, $private_key_path, $password))
{
    echo '<h3 class="error">Unable to authenticate. Check ssh key pair.</h3>';
    exit; // original used break; inside its enclosing loop
}
echo '<h3 class="success">Authenticated.</h3>';
I am working on a personal use test script to check firewall settings and access permissions as I adjust and deploy new servers. I'm mostly just curious as this seems to indicate I am missing some information about how ssh works. But I'm also annoyed that I have to give two paths when it seems I should only need one.
Upvotes: 2
Views: 2165
Reputation: 202272
I do not have direct experience with PHP SSH2 functions. But PHP ssh2_auth_pubkey_file internally calls libssh2_userauth_publickey_fromfile_ex from libssh2, whose documentation says about the publickey parameter:
Path name of the public key file. (e.g. /etc/ssh/hostkey.pub). If libssh2 is built against OpenSSL, this option can be set to NULL.
So maybe you can pass null in PHP (as PHP builds against OpenSSL). If not, it's only a limitation of PHP SSH2 API. Not something that comes intrinsically from SSH as such.
For the reason why SSH APIs usually allow specifying a separate public key file, when a key-pair file (usually not-really-correctly called private key file) is enough, see my answer to:
Purpose of pubkey parameter of JSch.addIdentity
I believe that given the PHP SSH API, the argument is rather useless, as the API does not even allow you to have multiple keys loaded and you have to specify the passphrase upfront anyway.
Upvotes: 1
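An added example, not from the question or the answer above, that works around the two-path requirement: the public half of an OpenSSH key pair is not secret and can be regenerated from the private key file with ssh-keygen -y, so the script only needs the private key path and derives the .pub file when it is missing. It also checks the server's host-key fingerprint before the private key is used, which the original snippet skips. The host name, user, key path and expected fingerprint are placeholders, not values from the page.

```php
<?php
// Added example (not the original poster's script). Requires the PHP ssh2
// extension and the OpenSSH ssh-keygen binary on PATH.

/**
 * Return a path to the public key matching $privateKeyPath.
 * Uses the sibling .pub file if present; otherwise derives it with
 * `ssh-keygen -y`, which reads the private key and prints the public key.
 */
function publicKeyPathFor(string $privateKeyPath, string $passphrase = ''): string
{
    $pub = $privateKeyPath . '.pub';
    if (is_file($pub)) {
        return $pub; // usual OpenSSH layout: id_ed25519 + id_ed25519.pub
    }

    $cmd = 'ssh-keygen -y -f ' . escapeshellarg($privateKeyPath);
    if ($passphrase !== '') {
        // -P supplies the passphrase non-interactively. Caveat: it becomes
        // visible in the process list while ssh-keygen runs.
        $cmd .= ' -P ' . escapeshellarg($passphrase);
    }
    $derived = shell_exec($cmd . ' 2>/dev/null');
    if (!is_string($derived) || trim($derived) === '') {
        throw new RuntimeException("Could not derive public key from $privateKeyPath");
    }

    // Write the derived key to a temp file so ssh2_auth_pubkey_file gets a path.
    $tmp = tempnam(sys_get_temp_dir(), 'sshpub');
    file_put_contents($tmp, trim($derived) . "\n");
    return $tmp;
}

/**
 * Connect, verify the host key fingerprint, then authenticate with the key pair.
 * Returns the session resource on success, or false.
 */
function connectWithPrivateKey(
    string $host, int $port, string $user,
    string $privateKeyPath, string $passphrase, string $expectedSha1Hex
) {
    $session = ssh2_connect($host, $port);
    if ($session === false) {
        return false;
    }

    // Refuse to authenticate against an unexpected host: the private key must
    // not be offered to a server whose identity has not been checked.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedSha1Hex), strtoupper($fp))) {
        fwrite(STDERR, "Host key mismatch for $host: got $fp\n");
        return false;
    }

    $publicKeyPath = publicKeyPathFor($privateKeyPath, $passphrase);
    if (!@ssh2_auth_pubkey_file($session, $user, $publicKeyPath, $privateKeyPath, $passphrase)) {
        return false;
    }
    return $session;
}

// Placeholder values: replace with your own server, user, key and fingerprint.
$session = connectWithPrivateKey(
    'server.example',                 // placeholder host
    22,
    'deploy',                         // placeholder user
    '/home/deploy/.ssh/id_ed25519',   // placeholder private key path
    '',                               // passphrase, if the key is encrypted
    'EXPECTED_HOSTKEY_SHA1_HEX_PLACEHOLDER'
);

echo $session ? "Authenticated.\n" : "Unable to authenticate.\n";
```

The expected fingerprint can be taken from a trusted channel before first use (for example from the server console) and kept in the script's configuration; comparing it with hash_equals avoids the timing side channel a plain string comparison would have.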
Reputation: 8945
When you "log on to a web site," you always present the public key.
The corresponding private key should be very-securely kept on the server so that it can use it to validate the public keys that are presented. Private keys should never be "out in the wild."
Alternatives exist – often, the server only contains a "signing key" (for self-issued certificates), or it simply relies on the fact that the presented key has been signed by a recognized authority.
Upvotes: -1