Debian Bug report logs - #668271
libssh2-1: The libssh2 has several limitations when configured --with-libgcrypt. Please do not use libgcrypt.

Package: libssh2-1; Maintainer for libssh2-1 is Mikhail Gusarov <dottedmag@debian.org>; Source for libssh2-1 is src:libssh2.

Reported by: Oleksiy Zagorskyi <zalex_ua@i.ua>

Date: Tue, 10 Apr 2012 11:18:01 UTC

Severity: normal

Found in version libssh2/1.4.0-1


Report forwarded to debian-bugs-dist@lists.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#668271; Package libssh2-1. (Tue, 10 Apr 2012 11:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oleksiy Zagorskyi <zalex_ua@i.ua>:
New Bug report received and forwarded. Copy sent to Mikhail Gusarov <dottedmag@debian.org>. (Tue, 10 Apr 2012 11:18:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Oleksiy Zagorskyi <zalex_ua@i.ua>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh2-1: The libssh2 has several limitations when configured --with-libgcrypt. Please do not use libgcrypt.
Date: Tue, 10 Apr 2012 14:08:51 +0300
Package: libssh2-1
Version: 1.4.0-1
Severity: normal


This case was already reported for one of the tools which uses libssh2: https://support.zabbix.com/browse/ZBX-4850
Here is almost the same description:

Debian's package is using Libgcrypt:
http://packages.debian.org/squeeze/libssh2-1
Why did it happen?
Here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409362
And as a result Debian's package is using Libgcrypt :(

At the same time openssh-client is using only OpenSSL:
http://packages.debian.org/squeeze/openssh-client
so the problem is not visible when trying a private key *with* a passphrase from the console (by openssh-client).


Quoting Simon:
"The Libgcrypt backend in libssh2 contains a hand written
slimmed down ASN.1 parser to read out the RSA key, but it does not
support any of the PKCS* encrypted forms of RSA keys.  The OpenSSL
backend in libssh2 uses OpenSSL to read the keys, so it supports
whatever private key formats that OpenSSL supports."
and
"Are you using libgcrypt or OpenSSL as the backend?  The libgcrypt
backend can only read unencrypted private keys."

Sources:
http://www.mail-archive.com/libssh2-devel@cool.haxx.se/msg02226.html
http://www.mail-archive.com/libssh2-devel@cool.haxx.se/msg02057.html

From #libssh2 on Freenode I learned that Simon is the author of the libgcrypt backend for libssh


The libssh2 library in several other distros I checked (CentOS, Gentoo) and in FreeBSD uses OpenSSL by default

So, I'd suggest discarding the changes made in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409362

Thanks!


-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssh2-1 depends on:
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  libgcrypt11             1.4.5-2          LGPL Crypto library - runtime libr
ii  multiarch-support       2.13-27          Transitional package to ensure mul
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libssh2-1 recommends no packages.

libssh2-1 suggests no packages.

-- no debconf information
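
Added example, not part of the bug report or of libssh2: a pre-flight check that classifies a PEM private key as unencrypted, traditionally encrypted (`Proc-Type: 4,ENCRYPTED`) or PKCS#8-encrypted, which are the encrypted forms the quoted statements say the libgcrypt backend cannot read. The function names and the sample keys are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* How the private key inside a PEM file is protected. */
enum key_form { KEY_NOT_PEM, KEY_PLAIN, KEY_ENC_LEGACY, KEY_ENC_PKCS8 };

/* Classify NUL-terminated PEM text by its BEGIN label and headers.
   (Hypothetical helper, not a libssh2 function.) */
enum key_form classify_pem_key(const char *pem)
{
    const char *begin = strstr(pem, "-----BEGIN ");
    if (!begin) return KEY_NOT_PEM;
    const char *label = begin + 11;              /* skip "-----BEGIN " */
    const char *label_end = strstr(label, "-----");
    if (!label_end) return KEY_NOT_PEM;
    size_t len = (size_t)(label_end - label);

    /* PKCS#8 EncryptedPrivateKeyInfo carries its own label. */
    if (len == 21 && strncmp(label, "ENCRYPTED PRIVATE KEY", 21) == 0)
        return KEY_ENC_PKCS8;
    /* Any other private key label ends in "PRIVATE KEY". */
    if (len < 11 || strncmp(label_end - 11, "PRIVATE KEY", 11) != 0)
        return KEY_NOT_PEM;
    /* Traditional PEM encryption is flagged by a Proc-Type header
       that sits between the BEGIN line and the base64 body. */
    const char *end = strstr(label_end, "-----END ");
    const char *proc = strstr(label_end, "Proc-Type: 4,ENCRYPTED");
    if (proc && (!end || proc < end)) return KEY_ENC_LEGACY;
    return KEY_PLAIN;
}

/* Encrypted forms are the ones the quoted statements rule out for the
   libgcrypt backend; KEY_PLAIN does not by itself guarantee a successful parse. */
int is_encrypted_form(enum key_form f)
{
    return f == KEY_ENC_LEGACY || f == KEY_ENC_PKCS8;
}

/* Constructed samples: real PEM framing, dummy bodies. */
static const char SAMPLE_PLAIN[] = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_LEGACY[] = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8[] = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void)
{
    const char *keys[] = { SAMPLE_PLAIN, SAMPLE_LEGACY, SAMPLE_PKCS8 };
    for (int i = 0; i < 3; i++)
        printf("sample %d: encrypted=%d\n", i, is_encrypted_form(classify_pem_key(keys[i])));
    return 0;
}
```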




Information forwarded to debian-bugs-dist@lists.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#668271; Package libssh2-1. (Tue, 10 Apr 2012 15:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oleksiy Zagorskyi <zalex_ua@i.ua>:
Extra info received and forwarded to list. Copy sent to Mikhail Gusarov <dottedmag@debian.org>. (Tue, 10 Apr 2012 15:42:03 GMT) Full text and rfc822 format available.

Message #10 received at 668271@bugs.debian.org (full text, mbox):

From: Oleksiy Zagorskyi <zalex_ua@i.ua>
To: 668271@bugs.debian.org
Subject: additional notes
Date: Tue, 10 Apr 2012 18:29:53 +0300

Additionally, the function "_libssh2_pub_priv_keyfile" doesn't work with
the libgcrypt backend, but works with OpenSSL.
I believe there are other functions as well.




Information forwarded to debian-bugs-dist@lists.debian.org, Mikhail Gusarov <dottedmag@debian.org>:
Bug#668271; Package libssh2-1. (Tue, 10 Apr 2012 17:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mikhail Gusarov <dottedmag@dottedmag.net>:
Extra info received and forwarded to list. Copy sent to Mikhail Gusarov <dottedmag@debian.org>. (Tue, 10 Apr 2012 17:33:05 GMT) Full text and rfc822 format available.

Message #15 received at 668271@bugs.debian.org (full text, mbox):

From: Mikhail Gusarov <dottedmag@dottedmag.net>
To: Oleksiy Zagorskyi <zalex_ua@i.ua>
Cc: 668271@bugs.debian.org
Subject: Re: Bug#668271: libssh2-1: The libssh2 has several limitations when configured --with-libgcrypt. Please do not use libgcrypt.
Date: Tue, 10 Apr 2012 17:26:46 +0200
Oleksiy,

apt-rdepends -r libssh2-1 lists at least 2556 packages, so enabling
OpenSSL would require all GPL-ed reverse-depends to add a clause to
their license that allows the package in question to be linked against
OpenSSL.

According to GPL usage statistics and amount of subpackages amongst the
reverse-depends, it amounts to ~500 upstream projects to change their
license.

Once it is done, I will definitely change the libssh2 backend.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:59:47 2014; Machine Name: beach.debian.org
