alexvanin/rclone
1
0
Fork 0
forked from TrueCloudLab/rclone
Code Pull requests Activity

sftp: add support for PEM encrypted private keys

Browse source
This commit is contained in:
Fabian Möller 2019-01-03 12:24:31 +01:00
parent 49da220b65
commit c1998c4efe
2 changed files with 30 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
backend/sftp/sftp.go
View file

@ -66,7 +66,14 @@ func init() {
IsPassword: true, IsPassword: true,
}, { }, {
Name: "key_file", Name: "key_file",
Help: "Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent.", Help: "Path to PEM-encoded private key file, leave blank to use ssh-agent.",
}, {
Name: "key_file_pass",
Help: `The passphrase to decrypt the PEM-encoded private key file.
Only PEM encrypted key files (old OpenSSH format) are supported. Encrypted keys
in the new OpenSSH format can't be used.`,
IsPassword: true,
}, { }, {
Name: "use_insecure_cipher", Name: "use_insecure_cipher",
Help: "Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker.", Help: "Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker.",
@ -122,6 +129,7 @@ type Options struct {
Port string `config:"port"` Port string `config:"port"`
Pass string `config:"pass"` Pass string `config:"pass"`
KeyFile string `config:"key_file"` KeyFile string `config:"key_file"`
KeyFilePass string `config:"key_file_pass"`
UseInsecureCipher bool `config:"use_insecure_cipher"` UseInsecureCipher bool `config:"use_insecure_cipher"`
DisableHashCheck bool `config:"disable_hashcheck"` DisableHashCheck bool `config:"disable_hashcheck"`
AskPassword bool `config:"ask_password"` AskPassword bool `config:"ask_password"`
@ -344,7 +352,14 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) {
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to read private key file") return nil, errors.Wrap(err, "failed to read private key file")
} }
signer, err := ssh.ParsePrivateKey(key) clearpass := ""
if opt.KeyFilePass != "" {
clearpass, err = obscure.Reveal(opt.KeyFilePass)
if err != nil {
return nil, err
}
}
signer, err := ssh.ParsePrivateKeyWithPassphrase(key, []byte(clearpass))
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to parse private key file") return nil, errors.Wrap(err, "failed to parse private key file")
} }

14
docs/content/sftp.md
View file

@ -204,13 +204,25 @@ SSH password, leave blank to use ssh-agent.
#### --sftp-key-file #### --sftp-key-file
Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent. Path to PEM-encoded private key file, leave blank to use ssh-agent.
- Config: key_file - Config: key_file
- Env Var: RCLONE_SFTP_KEY_FILE - Env Var: RCLONE_SFTP_KEY_FILE
- Type: string - Type: string
- Default: "" - Default: ""
#### --sftp-key-file-pass
The passphrase to decrypt the PEM-encoded private key file.
Only PEM encrypted key files (old OpenSSH format) are supported. Encrypted keys
in the new OpenSSH format can't be used.
- Config: key_file_pass
- Env Var: RCLONE_SFTP_KEY_FILE_PASS
- Type: string
- Default: ""
#### --sftp-use-insecure-cipher #### --sftp-use-insecure-cipher
Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker. Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker.