@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Fix an issue where passphrase-protected private keys were stored without discarding passphrases

Summary:
Ref T13454. See <https://discourse.phabricator-community.org/t/newly-created-ssh-private-keys-with-passphrase-not-working-anymore/3883>.

After changes to distinguish between invalid and passphrase-protected keys, SSH private key management code incorrectly uses "-y ..." ("print public key") when it means "-p ..." ("modify input file, removing passphrase"). This results in the command having no effect, and Passphrase stores the raw input credential, not the stripped version.

We can't recover the keys because we don't store the passphrase, so no migration here is really possible. (We could add more code to detect this case, but it's presumably rare.)

Also, correct the behavior of the "Show Public Key" action: this is available for users who can see the credential and does not require edit permission.

Test Plan:
- Created a new credential with a passphrase, then showed the public key.

Maniphest Tasks: T13006, T13454

Differential Revision: https://secure.phabricator.com/D21245
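
The difference between the two `ssh-keygen` modes named in the commit message can be reproduced on a throwaway key. This is an added example, not part of the commit or of Phorge's code; the key type, passphrase and the function names `key_state` and `state_after` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway key and passphrase, nothing from the commit itself.

# Report whether a private key file still needs a passphrase.
# "-y -P ''" only succeeds when the file loads with an empty passphrase.
key_state() {
    if ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1; then
        echo plain
    else
        echo encrypted
    fi
}

# Run one ssh-keygen mode ("-y" or "-p") with the same -P/-N/-f arguments
# against a fresh passphrase-protected key, then report whether the file on
# disk changed and whether it is still encrypted.
state_after() {
    mode=$1
    pass='constructed-passphrase'
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N "$pass" -C demo -f "$dir/key" </dev/null \
        || { rm -rf "$dir"; return 1; }
    cp "$dir/key" "$dir/key.orig"
    ssh-keygen "$mode" -P "$pass" -N '' -f "$dir/key" </dev/null >/dev/null 2>&1
    if cmp -s "$dir/key" "$dir/key.orig"; then
        changed=unchanged
    else
        changed=rewritten
    fi
    echo "$changed $(key_state "$dir/key")"
    rm -rf "$dir"
}

# -y prints the public key and exits 0 without touching the file, so the
#    stored credential keeps its passphrase.
# -p rewrites the file in place using the new (empty) passphrase.
if command -v ssh-keygen >/dev/null 2>&1; then
    echo "-y: $(state_after -y)"
    echo "-p: $(state_after -p)"
fi
```

Because `-y` exits successfully, checking the exit status alone does not reveal the problem; the key has to be reloaded with an empty passphrase to confirm it was stripped.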

+1 -2
+1 -1
src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php
··· 80 80 if (!$err) { 81 81 if ($passphrase) { 82 82 execx( 83 - 'ssh-keygen -y -P %P -N %s -f %R', 83 + 'ssh-keygen -p -P %P -N %s -f %R', 84 84 $passphrase, 85 85 '', 86 86 $tmp);
-1
src/applications/passphrase/controller/PassphraseCredentialViewController.php
··· 154 154 ->setName(pht('Show Public Key')) 155 155 ->setIcon('fa-download') 156 156 ->setHref($this->getApplicationURI("public/{$id}/")) 157 - ->setDisabled(!$can_edit) 158 157 ->setWorkflow(true)); 159 158 } 160 159
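
Review bot: In src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php, nothing after the execx() call in the if ($passphrase) branch confirms that the file at $tmp actually lost its passphrase, which is why the -y form could succeed while doing nothing. Consider following it with a check that the key in $tmp loads with an empty passphrase and throwing if it does not, so a future regression fails at credential creation instead of storing an unusable key. Separately, the passphrase still reaches ssh-keygen as a -P command-line argument; a short comment on why that is acceptable here would help the next reader.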
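
Review bot: In src/applications/passphrase/controller/PassphraseCredentialViewController.php, dropping ->setDisabled(!$can_edit) makes the "Show Public Key" action clickable for every viewer, so the real gate is now whatever the controller behind "public/{$id}/" enforces, and that is not visible in this hunk. Please confirm that endpoint checks only view capability and returns nothing but the public half of the key, and note it in the test plan by exercising the action as a user without edit permission. If $can_edit has no other use left in this method, remove the now-dead computation as well.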