Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support new OpenSSH private key format (Used by default with Ed25519 keys) #276

Closed
dkocher opened this issue Oct 14, 2016 · 17 comments · Fixed by #485
Closed

Support new OpenSSH private key format (Used by default with Ed25519 keys) #276

dkocher opened this issue Oct 14, 2016 · 17 comments · Fixed by #485
Assignees
Labels

Comments

@dkocher
Copy link
Contributor

dkocher commented Oct 14, 2016

No description provided.

@dkocher
Copy link
Contributor Author

dkocher commented Oct 14, 2016

When I create a key with OpenSSH running ssh-keygen -t ed25519 the file header is
-----BEGIN OPENSSH PRIVATE KEY----- which is no where handled in any of the FileKeyProvider.

@hierynomus
Copy link
Owner

Ok, I'll have a look next week :)

2016-10-14 13:04 GMT+02:00 David Kocher [email protected]:

When I create a key with OpenSSH running ssh-keygen -t ed25519 the file
header is
-----BEGIN OPENSSH PRIVATE KEY----- which is no where handled in any of
the FileKeyProvider.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#276 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAHLo-F5Mscy0xFzSHIMn5B4wsOqIy5vks5qz2HRgaJpZM4KW1Dd
.

@dkocher
Copy link
Contributor Author

dkocher commented Oct 14, 2016

 -o      Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format.  The new format has increased resistance to brute-force pass-
         word cracking but is not supported by versions of OpenSSH prior to 6.5.  Ed25519 keys always use the new private key format.

@hierynomus
Copy link
Owner

Thanks, though we can read files with that header, see: https://github.com/hierynomus/sshj/blob/master/src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java#L144

And I do remember testing with a host with only an ed25519 key. I'll need to re-verify

@dkocher
Copy link
Contributor Author

dkocher commented Oct 14, 2016

Calling #getPrivate() on the key file will result in unrecognised object: OPENSSH PRIVATE KEY.

@dkocher dkocher changed the title Support Ed25519 public keys Support new OpenSSH private key format (Used by default with Ed25519 keys) Oct 14, 2016
@hierynomus
Copy link
Owner

Ok, will fix :)

2016-10-14 13:47 GMT+02:00 David Kocher [email protected]:

Calling #getPrivate() on the key file will result in unrecognised object:
OPENSSH PRIVATE KEY.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#276 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAHLo2V9RLslze6AIexnfALpfW8-Zjl7ks5qz2vZgaJpZM4KW1Dd
.

@dkocher
Copy link
Contributor Author

dkocher commented Oct 17, 2016

@hierynomus Do you already have an ETA for this?

@hierynomus
Copy link
Owner

Will try to get it done this week...

@dkocher
Copy link
Contributor Author

dkocher commented Oct 19, 2016

@hierynomus Awesome.

@hierynomus
Copy link
Owner

Just had a quick look into this... We typically rely on BouncyCastle to read the keys, and guess what, it does not support this format (yet)...

@dkocher
Copy link
Contributor Author

dkocher commented Oct 19, 2016

@hierynomus Have you found any spec on the file format?

@hierynomus
Copy link
Owner

I think I can work it out using these links:

The commit responsible for the new change is http://marc.info/?l=openbsd-cvs&m=138633690918227&w=2.
PROTOCOL description https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key.
General information http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf

If you find more info, feel free to add!

@hierynomus
Copy link
Owner

@dkocher
Copy link
Contributor Author

dkocher commented Dec 20, 2018

I would like to have this issue reopend. Reading SSH keys of type RSA and ecdsa in the new format does not work.

The failure is a message like Bad item length: -1512035316 which is caused from reading the key in OpenSSHKeyV1KeyFile.

This is as of OpenSSH 7.8 the default.

  • ssh-keygen(1): write OpenSSH format private keys by default
    instead of using OpenSSL's PEM format. The OpenSSH format,
    supported in OpenSSH releases since 2014 and described in the
    PROTOCOL.key file in the source distribution, offers substantially
    better protection against offline password guessing and supports
    key comments in private keys. If necessary, it is possible to write
    old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
    when generating or updating a key.

Workaround is to use ssh-keygen -m PEM.

@hierynomus hierynomus reopened this Dec 20, 2018
@hierynomus
Copy link
Owner

Reopened... Let's fix that :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants