Describe the bug
I tried to add my private git repository to Argo CD with SSH private key credential.
However, Argo CD CLI invoked some error like this.
$ argocd repo add [email protected]:<my private repository> --ssh-private-key-path ~/.ssh/id_rsa
FATA[0000] ssh: cannot decode encrypted private keys
It seems that this ssh: cannot decode encrypted private keys came from golang.org/x/crypto/ssh package.
The golang/x/crypto/ssh package has a function for dealing with a private key with a passphrase like this, but it seems that the Argo CD code doesn't use it.
To Reproduce
argocd repo add [email protected]:<my private repository> --ssh-private-key-path <path/to/the private key>
FATA[0000] ssh: cannot decode encrypted private keys
Expected behavior
Argo CD CLI adds the git repository with no errors.
Version
argocd: v1.0.2+e0bd546.dirty
BuildDate: 2019-06-14T17:15:36Z
GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
GitTreeState: dirty
GoVersion: go1.11.4
Compiler: gc
Platform: darwin/amd64
argocd-server: v1.0.2+e0bd546.dirty
BuildDate: 2019-06-14T17:15:03Z
GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
GitTreeState: dirty
GoVersion: go1.11.4
Compiler: gc
Platform: linux/amd64
Ksonnet Version: 0.13.1
Have you thought about contributing a fix yourself?
I tried to fix this issue, but the code base of Argo CD is complicated for me.
Working on it
@alexmt FYI: According to https://github.com/golang/go/issues/18692, golang/x/crypto/ssh itself doesn't support encrypted private key with passphrase.
It seems difficult to fix this issue with only using golang/x/crypto/ssh package.
As a workaround, some person suggested a 3rd party package for supporting openssh-key-v1 format key.
As far as I investigated, an SSH private key generated by newer OpenSSH without the -m pem option has a newer format which is not supported by golang/x/crypto/ssh.
$ ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3
$ ssh-keygen -t rsa -b 4096 -C "[email protected]" -f keytest.pem -m pem
# This keytest.pem with passphrase can be parsed by ssh.ParsePrivateKeyWithPassphrase function
$ ssh-keygen -t rsa -b 4096 -C "[email protected]" -f keytest2.pem
# This keytest2.pem with passphrase cannot be parsed by ssh.ParsePrivateKeyWithPassphrase function
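The two key formats compared in the comment above can be told apart, and checked for a passphrase, before any parsing is attempted. The following is an added example, not part of the original thread and not Argo CD code; it uses only the Go standard library, the names ClassifyKey and sample are hypothetical, and the sample keys are constructed header-only blocks with no key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const magic = "openssh-key-v1\x00" // prefix of the newer OpenSSH container

// ClassifyKey reports a private key's container format and whether it is
// passphrase-protected, without parsing or decrypting any key material.
func ClassifyKey(pemBytes []byte) (format string, encrypted bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", false, errors.New("no PEM block found")
	}
	if block.Type != "OPENSSH PRIVATE KEY" {
		// Legacy PEM (ssh-keygen -m pem) flags encryption in a Proc-Type header.
		return "legacy-pem", strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"), nil
	}
	body := bytes.TrimPrefix(block.Bytes, []byte(magic))
	if len(body) == len(block.Bytes) || len(body) < 4 {
		return "", false, errors.New("malformed openssh-key-v1 header")
	}
	n := binary.BigEndian.Uint32(body) // length of the cipher name that follows
	if uint64(n) > uint64(len(body)-4) {
		return "", false, errors.New("truncated cipher name")
	}
	// Unencrypted keys carry the cipher name "none".
	return "openssh-key-v1", string(body[4:4+n]) != "none", nil
}

// sample builds a constructed, header-only PEM block; it holds no key material.
func sample(typ string, hdr map[string]string, cipher string) []byte {
	n := make([]byte, 4)
	binary.BigEndian.PutUint32(n, uint32(len(cipher)))
	body := append(append([]byte(magic), n...), cipher...)
	return pem.EncodeToMemory(&pem.Block{Type: typ, Headers: hdr, Bytes: body})
}

func main() {
	enc := map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00"}
	fmt.Println(ClassifyKey(sample("RSA PRIVATE KEY", enc, "")))               // like -m pem
	fmt.Println(ClassifyKey(sample("OPENSSH PRIVATE KEY", nil, "aes256-ctr"))) // default
	fmt.Println(ClassifyKey(sample("OPENSSH PRIVATE KEY", nil, "none")))       // no passphrase
}
```

A check like this lets a client report "passphrase-protected key in OpenSSH format" instead of surfacing the raw parser error.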
Thank you for the information, @takuan-osho! I was waiting for PR1807 to get merged before starting work on this ticket. Will try to use your advice tomorrow and will update the ticket with my findings.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I stumbled on that issue today. Any news on it?
@FredM
This problem depends on the x/crypto/ssh package. The latest x/crypto/ssh already supports private keys with a passphrase in OpenSSH format.
The master branch already depends on the corrected x/crypto/ssh version, so it should work correctly in master.
// go.mod in master branch
// ...
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
// ...
But the latest version, ArgoCD v1.6.1, does not follow the fixed version.
// go.mod in release 1.6.1
// ...
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
// ...
Maybe it will work correctly in the next release.
The argocd codebase still uses the ParsePrivateKey method (https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L193) so I believe this feature won't work yet. It needs to use the ParsePrivateKeyWithPassphrase method of the crypto library.