phpseclib 2.0.12 SFTP with private RSA key login failure

Question

I use phpseclib to log in to an SFTP server using a RSA private key. I'm upgrading from phpseclib 1.0 on PHP 5.3 to phpseclib 2.0.12 on PHP 7.2. The old code on PHP5 works just fine, but the upgraded version fails to log in, resulting in the following error message: 1024 Connection closed prematurely in SSH2.php on line 3939. Here are the two different versions:

OLD phpseclib1.0 on PHP5.3 CODE (working):

$key = new Crypt_RSA();
$key->loadKey(file_get_contents('rsaprivate.key'));
$sftp = new Net_SFTP('urltosftpserver');
$sftp->login('username', $key)

NEW phpseclib 2.0.12 on PHP7.2 CODE (failing):

$key = new phpseclib\Crypt\RSA();
$key->loadKey(file_get_contents(__DIR__.'/rsaprivate.key'));
$sftp = new phpseclib\Net\SFTP('urltosftpserver');
$sftp->_privatekey_login("username", $key);

When I look at the value of $key, they don't match in the two different versions of my code. phpseclib1.0 creates integers for value, and phpseclib2.0 creates hex numbers. When I convert the pubseclib 2.0 hex numbers to to integers, they don't match the integers created by pubseclib 1.0. But I am not sure if this has anything to do with my problem.

SNIPPLET FROM pubseclib1.0 var_dump($key):

[value] => 42318...
[is_negative] => 
[generator] => mt_rand
[precision] => -1
[bitmask] => 
[hex] => 

SNIPPLET FROM pubseclib2.0 var_dump($key):

[value] => 0x60f23...
[engine] => bcmath (OpenSSL)

I don't know it it's the RSA key that causes the problem or the _privatekey_login method.

Answer 1

Short Answer

From your 2.0 code:

$sftp->_privatekey_login("username", $key);

Don't do that. Do this:

$sftp->login("username", $key);

Long Answer

login calls _login , which calls _connect and _login_helper . _connect is where fsockopen is called. _login_hepler then conditionally calls _privatekey_login . By calling _privatekey_login directly you're bypassing all the steps that phpseclib normally does.

The documentation does not tell you to do this. The only way you could have even learned about that method is by looking at the source code. Per the PHPDoc comments above _privatekey_login it's clear that that method is intended to be a private method and yet you're still calling it. Indeed, it's comparable method is private in the master branch.