I have to connect to an SFTP server. I first used this code:
use phpseclib\Crypt\RSA;
use phpseclib\Net\SFTP;
$Key = new RSA();
$Key->setPassword("password");
$Key->loadKey(file_get_contents('path_to_RSA_private_key'));
$sftp = new SFTP($IP_addr, $port_number);
if (!$sftp->login('username', $Key)) {
    // Double quotes so that $IP_addr is interpolated into the message.
    echo date('Y/m/d H:i:s') . " SFTP login failed to $IP_addr";
}
It worked well. I know phpseclib uses sha1 by default and I would like to use sha256. So I tried this code:
$Key = new RSA();
$Key->setHash('sha256');
$Key->setMGFHash('sha256');
$Key->setPassword("password");
$Key->loadKey(file_get_contents('path_to_RSA_private_key'));
$sftp = new SFTP($IP_addr, $port_number);
if (!$sftp->login('username', $Key)) {
    // Double quotes so that $IP_addr is interpolated into the message.
    echo date('Y/m/d H:i:s') . " SFTP login failed to $IP_addr";
}
But it doesn't work. I got this message on the server:
error: key_verify: invalid format
If necessary, I can send debug logging from the server side. This server uses default values for the Ciphers, KexAlgorithms and MACs parameters.
Thanks for the help.
Quoting RFC4253:
So your setting the hash to sha256 is probably breaking things. And the MGF Hash isn't even used since SSH doesn't support PSS signatures (which is what phpseclib defaults to).
That said, I do think you've hit on an area where phpseclib could use improvement - it sets the signature scheme for SSH to PKCS1 but it doesn't set the hash to sha1. It ought to.
Also, FWIW, RFC8332 describes signing with SHA-256. But this signing still uses RSASSA-PKCS1-v1_5. And just because an RFC exists doesn't mean your server supports it. You can check to see if it does by doing
print_r($ssh->getServerHostKeyAlgorithms())
and then seeing if rsa-sha2-256 is in the list that's returned.
phpseclib doesn't currently support RFC8332 but I can look into adding support for that in the next few days and submitting a pull request...
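The hash mismatch described in this answer, as an added example that is not part of the original answer or of phpseclib: it uses only PHP's openssl extension, a freshly generated throwaway key and constructed data, and the helper names are hypothetical. The mislabeled case assumes, as the answer describes, that the signature stays RSASSA-PKCS1-v1_5 under the ssh-rsa name while the hash becomes SHA-256.

```php
<?php
// Added example: throwaway key and constructed data, nothing here comes from the page.
// Requires the openssl extension; phpseclib is not used.

// Encode an SSH "string": uint32 big-endian length followed by the bytes (RFC 4251).
function ssh_string(string $s): string
{
    return pack('N', strlen($s)) . $s;
}

// Build an SSH RSA signature blob: string algorithm-name, string raw RSA signature.
function ssh_rsa_signature($privateKey, string $data, string $algName, int $opensslAlgo): string
{
    // For RSA keys openssl_sign() produces an RSASSA-PKCS1-v1_5 signature.
    if (!openssl_sign($data, $raw, $privateKey, $opensslAlgo)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return ssh_string($algName) . ssh_string($raw);
}

// Verify as a server supporting both names would: the algorithm name fixes the hash.
function verify_ssh_rsa_blob($publicKey, string $data, string $blob): bool
{
    $hashByName = ['ssh-rsa' => OPENSSL_ALGO_SHA1, 'rsa-sha2-256' => OPENSSL_ALGO_SHA256];
    $nameLen = unpack('N', $blob)[1];
    $name = substr($blob, 4, $nameLen);
    $sigLen = unpack('N', substr($blob, 4 + $nameLen, 4))[1];
    $raw = substr($blob, 8 + $nameLen, $sigLen);
    if (!isset($hashByName[$name])) {
        return false; // signature algorithm name the verifier does not know
    }
    return openssl_verify($data, $raw, $publicKey, $hashByName[$name]) === 1;
}

$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$data = 'constructed stand-in for the session id and userauth request';

// RFC 4253 pairing: "ssh-rsa" with SHA-1.
$sha1Blob = ssh_rsa_signature($key, $data, 'ssh-rsa', OPENSSL_ALGO_SHA1);
// Assumed effect of setHash('sha256'): SHA-256 digest, still labelled "ssh-rsa".
$mislabeledBlob = ssh_rsa_signature($key, $data, 'ssh-rsa', OPENSSL_ALGO_SHA256);
// RFC 8332 pairing: "rsa-sha2-256" with SHA-256.
$sha256Blob = ssh_rsa_signature($key, $data, 'rsa-sha2-256', OPENSSL_ALGO_SHA256);

var_dump(verify_ssh_rsa_blob($pub, $data, $sha1Blob));
var_dump(verify_ssh_rsa_blob($pub, $data, $mislabeledBlob));
var_dump(verify_ssh_rsa_blob($pub, $data, $sha256Blob));
```

Only the blobs whose algorithm name matches the digest actually used verify; the SHA-256 signature sent under the ssh-rsa name is rejected, which is the server-side failure the question reports.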