remove ssh private key contents from errors

A misformatted private key may fail to parse correctly, but might still
contain sensitive data. Don't display the private key in any error
messages.
James Bardin 2019-02-20 15:05:19 -05:00
parent 3db95d510a
commit f68a1a9c76
1 changed files with 6 additions and 5 deletions


@ -3,6 +3,7 @@ package ssh
import ( import (
"bytes" "bytes"
"encoding/pem" "encoding/pem"
"errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"log" "log"
@ -259,17 +260,17 @@ func readPrivateKey(pk string) (ssh.AuthMethod, error) {
// show a nicer error if the private key has a password. // show a nicer error if the private key has a password.
block, _ := pem.Decode([]byte(pk)) block, _ := pem.Decode([]byte(pk))
if block == nil { if block == nil {
return nil, fmt.Errorf("Failed to read key %q: no key found", pk) return nil, errors.New("Failed to read ssh private key: no key found")
} }
if block.Headers["Proc-Type"] == "4,ENCRYPTED" { if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
return nil, fmt.Errorf( return nil, errors.New(
"Failed to read key %q: password protected keys are\n"+ "Failed to read ssh private key: password protected keys are\n" +
"not supported. Please decrypt the key prior to use.", pk) "not supported. Please decrypt the key prior to use.")
} }
signer, err := ssh.ParsePrivateKey([]byte(pk)) signer, err := ssh.ParsePrivateKey([]byte(pk))
if err != nil { if err != nil {
return nil, fmt.Errorf("Failed to parse key file %q: %s", pk, err) return nil, fmt.Errorf("Failed to parse ssh private key: %s", err)
} }
return ssh.PublicKeys(signer), nil return ssh.PublicKeys(signer), nil
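Review bot: Nothing in the new code records why `pk` is kept out of these messages, so a later edit could reintroduce it. A comment above the `pem.Decode` call such as `// pk is secret key material: never format it into errors or logs` would pin the invariant, and a test asserting that the returned error text does not contain the input key would enforce it. The last return still interpolates the error from `ssh.ParsePrivateKey` with `%s`; that text is produced by the library, so it looks worth confirming that it never echoes parts of the input for a malformed key. The body of `readPrivateKey` begins and ends outside this hunk.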