Handle encrypted signing keys

[nsheridan]

Right now trying to use a private key with a passphrase will produce errors like:

ecdsa key:

2016/05/29 18:22:53 unable to parse CA key: asn1: structure error: tags don't match (16 vs {class:3 tag:2629 length:91 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @4
exit status 1

rsa or ed25519 key:

2016/05/29 18:23:47 unable to parse CA key: asn1: structure error: length too large

[patrickod]

This would appear to require a patch to the golang ssh codebase to take into account the DEK-Info header that's included in the PEM block for encrypted SSH keys. Investigating a patch - would love to contribute such a thing into the golang project.

[nsheridan]

Yeah it's more effort than I'm willing to expend currently, especially as the signing key can be stored unencrypted in a reasonably safe medium (e.g. a Hashicorp vault or on S3 encrypted with kms).

Also usual annoyances of requirement to either set the passphrase in the config or be present to decrypt the key manually.

[lyda]

I think you'll need golang/go#18692 fixed first.