Bug #97838 passphrase-encrypted private key fails to authenticate over SSH
Submitted: 2 Dec 2019 1:55
Modified: 1 May 2020 12:11
Reporter: Bill Newcomb
Status: No Feedback
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 8.0.18
OS: Ubuntu (18.04 LTS)
Assigned to: MySQL Verification Team
CPU Architecture: x86
Tags: passphrase, ssh

[2 Dec 2019 1:55] Bill Newcomb
Description:
When I try to connect to a remote tunneled over SSH using a passphrase-protected private key, MySQL Workbench is unable to decrypt the private key and the connection fails.  If I remove the passphrase protection from the key by running  "ssh-keygen -p -f .ssh/my_rsa" and specifying a blank password for the new password, subsequent attempts to connect with MySQL Workbench succeed.  

How to repeat:
MySQL server on remote
Disable password authentication for SSH on remote
Generate SSH key pair, specifying a non-empty passphrase
MySQL Workbench on Ubuntu 18.04
Create TCP/IP over SSH connection with no password and private key specified for authentication
Try to connect

Suggested fix:
Prompt for passphrase for encrypted private key, ideally with the option to store passphrase in secure storage

-AND/OR-

Communicate with SSH_AGENT to access unencrypted private key if available
[10 Dec 2019 12:44] MySQL Verification Team
Hello Bill Newcomb,

Thank you for the report.
To investigate this issue further at our end, may I kindly request you to launch Workbench under debug mode (--log-level=debug3) and provide the unaltered Workbench log file (more details about the log are explained here - https://dev.mysql.com/doc/workbench/en/workbench-reporting-bugs.html). Thank you.

Regards,
Ashwini Patil
[7 Jan 2020 8:42] Remko de Keijzer
Issue also affects Windows.
[14 Jan 2020 11:32] Juho Vanhanen
Hello,

I'm seeing this as well on both Ubuntu 19.10 and Windows installs.
I have attached wb.log from Ubuntu which shows two connections to the same host, first with encrypted private key and then with same key unencrypted with the command in opening post.

The first connection ends on line
10:19:33 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Access denied for 'none'. Authentication that can continue: publickey,password

and second connection attempt starts after that and succeeds.

Best regards,
Juho Vanhanen
[1 Apr 2020 12:11] MySQL Verification Team
Hello Bill Newcomb,

Thank you for the details.
Please upgrade to 8.0.19 and report back to us if the issue persists even in 8.0.19, along with the unaltered error log. Thank you.

Regards,
Ashwini Patil
[2 May 2020 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[21 Mar 2021 2:57] Anton Ingfors
I am having the exact same issue in version 8.0.23
[27 May 2021 10:29] Remko de Keijzer
Just tested this with MySQL Workbench 8.0.25 build 788958 CE (64 bits) on Ubuntu 20.04.2 LTS and this issue still occurs.
[8 Jun 2021 7:13] Robin Schmid
I am having the same issue; my private key requires a passphrase.

MySQLWorkbench Version 8.0.25 build 788958 CE (64 bits).

My log (/Library/Application Support/MySQL/Workbench/log) shows:

08:48:36 [INF][SSHTunnelManager]: Wakeup socket port created: 49473
08:48:36 [INF][     SSH tunnel]: Starting tunnel
08:48:36 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
08:48:36 [INF][     SSH tunnel]: Opening SSH tunnel to carvolution01.nine.ch:22
08:48:36 [INF][      SSHCommon]: libssh: ssh_connect ssh_connect: libssh 0.9.5 (c) 2003-2019 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_stdthread
08:48:36 [INF][      SSHCommon]: libssh: ssh_socket_connect ssh_socket_connect: Nonblocking connection socket: 11
08:48:36 [INF][      SSHCommon]: libssh: ssh_connect ssh_connect: Socket connecting, now waiting for the callbacks to work
08:48:36 [INF][      SSHCommon]: libssh: ssh_client_connection_callback ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_7.6p1
08:48:36 [INF][      SSHCommon]: libssh: ssh_analyze_banner ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_7.6p1
08:48:36 [INF][      SSHCommon]: libssh: ssh_analyze_banner ssh_analyze_banner: We are talking to an OpenSSH client version: 7.6 (70600)
08:48:36 [INF][      SSHCommon]: libssh: ssh_kex_select_methods ssh_kex_select_methods: Negotiated curve25519-sha256,rsa-sha2-512,aes256-gcm@openssh.com,aes256-gcm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256-etm@openssh.com,none,none,,
08:48:36 [INF][      SSHCommon]: libssh: ssh_init_rekey_state ssh_init_rekey_state: Set rekey after 4294967296 blocks
08:48:36 [INF][      SSHCommon]: libssh: ssh_init_rekey_state ssh_init_rekey_state: Set rekey after 4294967296 blocks
08:48:36 [INF][      SSHCommon]: libssh: ssh_packet_client_curve25519_reply ssh_packet_client_curve25519_reply: SSH_MSG_NEWKEYS sent
08:48:36 [INF][      SSHCommon]: libssh: ssh_packet_newkeys ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
08:48:36 [INF][      SSHCommon]: libssh: ssh_packet_newkeys ssh_packet_newkeys: Signature verified and valid
08:48:37 [INF][      SSHCommon]: libssh: ssh_packet_userauth_failure ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey,password
08:48:37 [INF][     SSHSession]: Banner: 
08:48:37 [INF][      SSHCommon]: libssh: ssh_pki_import_privkey_base64 ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=true
08:48:37 [INF][      SSHCommon]: libssh: ssh_pki_openssh_import ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: aes256-ctr, kdf: bcrypt, nkeys: 1
08:48:37 [ERR][     SSHSession]: User authentication failed.
08:48:37 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Access denied for 'none'. Authentication that can continue: publickey,password

Pls advise.
[28 Oct 2021 22:28] Shawn Stewart
This is still affecting version 8.0.22 build 107600 SE
[31 Jan 2022 22:20] Ivan H
Using Microsoft Windows [Version 10.0.22000.434] & MySQL Workbench 8.0.19 I have this issue when using passphrase encryption AND the new openssh format.

Removing the passphrase encryption, or switching back to PEM format allows Workbench to connect.

Non-working encrypted format header:
-----BEGIN OPENSSH PRIVATE KEY-----

Working encrypted format header:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5B01E932988DC66B

OpenSSH 7.8 changed the default format away from PEM to OPENSSH: https://www.openssh.com/txt/release-7.8

I converted OPENSSH to PEM format with:
ssh-keygen -p -m pem -f keyfile_rsa
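
Added example, not part of the original thread or of MySQL Workbench: a small Python check that reads a private key file's container header and reports the same fields libssh logs above (ciphername, kdf) without needing the passphrase, so keys in the combination reported here as failing (OPENSSH format plus passphrase) can be identified before a connection attempt. The function names are hypothetical, and both samples are constructed and contain no key material.

```python
import base64

MAGIC = b"openssh-key-v1\x00"  # magic of the new OpenSSH private key container

def _read_string(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated field in key header")
    return buf[off + 4:end], end

def describe_private_key(text):
    """Report container format, cipher and KDF; no passphrase is needed."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not an armoured private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label != "OPENSSH PRIVATE KEY":
        # Legacy PEM declares encryption in Proc-Type / DEK-Info headers.
        hdr = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"format": "PEM", "kdf": None,
                "encrypted": "ENCRYPTED" in hdr.get("Proc-Type", ""),
                "cipher": hdr.get("DEK-Info", "none").split(",")[0]}
    body = "".join(l for l in lines[1:] if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    return {"format": "OPENSSH", "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "cipher": cipher.decode()}

def matches_reported_failure(info):
    """True for the combination this thread reports as failing in Workbench."""
    return info["format"] == "OPENSSH" and info["encrypted"]

def make_sample_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt"):
    """Constructed sample: header fields only, no key material."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + (1).to_bytes(4, "big")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample: the PEM headers quoted in the thread, filler body.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,5B01E932988DC66B\n\nQ09OU1RSVUNURUQ=\n"
              "-----END RSA PRIVATE KEY-----\n")
```

To check a real key, pass the file's text to describe_private_key(); only the header is decoded, so the passphrase is never requested.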
[18 Feb 2022 19:47] Stanislav Antipov
Any updates?
Same problem on macOS with latest v8.0.28
[18 Feb 2022 23:57] Chris Anderson
I'm also experiencing this on macOS 11.6 with 8.0.28 which is current at time of writing.
[9 Jul 2024 10:43] Stefan Greiner
Password protected SSH keys still don't work.
Version: 8.0.38
OS: Windows 11 Enterprise

This issue has been open for 5!!!! years.