Re: OpenSSH private key format errors with LibreSSL 2.7


 



On 2018-04-06 21:42, Bernard Spil wrote:
On 2018-04-06 21:31, Bernard Spil wrote:
Hi,

When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
ECDSA private keys.

    Error loading key "./id_rsa": invalid format

Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
this issue early on with LibreSSL 2.7 by converting the key to "new
file format" (to verify the ecdsa key wasn't corrupted I loaded it in

Fail:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>

Success (both keys after converting):
-----BEGIN OPENSSH PRIVATE KEY-----

I've been digging through ssh-keygen to find a way to convert them but
have yet to find the right knobs. -e only exports public keys.

Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.

Any hints?

Thanks, Bernard.

Meanwhile, figured out that I can fix this with

    ssh-keygen -po -f keyfile

before upgrading to LibreSSL 2.7.

The -o option does not show in the ssh-keygen(1) synopsis.

Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)
Script started on Fri Apr  6 21:47:33 2018
Agent pid 49969

[brnrd@build openssh-portable]$ make -dl test

cd /usr/ports/security/openssh-portable && make CONFIG_DONE_OPENSSH-PORTABLE=1 /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local
if [ ! -e /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local ]; then  cd /usr/ports/security/openssh-portable && make /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local;  fi
cd /usr/ports/security/openssh-portable/work/openssh-7.7p1 && /usr/bin/env -i  OBJ=/usr/ports/security/openssh-portable/work OPENSSLBASE=/usr OPENSSLDIR=/etc/ssl OPENSSLINC=/usr/include OPENSSLLIB=/usr/lib XDG_DATA_HOME=/usr/ports/security/openssh-portable/work  XDG_CONFIG_HOME=/usr/ports/security/openssh-portable/work  HOME=/usr/ports/security/openssh-portable/work PATH=/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin NO_PIE=yes MK_DEBUG_FILES=no MK_KERNEL_SYMBOLS=no SHELL=/bin/sh NO_LINT=YES PREFIX=/usr/local  LOCALBASE=/usr/local  LIBDIR="/usr/lib"  CC="cc" CFLAGS="-O2 -fno-strict-aliasing -pipe -march=native  -fstack-protector -isystem /usr/local/include"  CPP="cpp" CPPFLAGS="-isystem /usr/local/include"  LDFLAGS="  -fstack-protector" LIBS="-L/usr/local/lib"  CXX="c++" CXXFLAGS="-O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -isystem /usr/local/include  -isystem /usr/local/include"  MANPREFIX="/usr/local" BSD_INSTALL_PROGRAM="install  -s -m 555"  BSD_INSTALL_LIB="install  -s -m 0644"  BSD_INSTALL_SCRIPT="install  -m 555"  BSD_INSTALL_DATA="install  -m 0644"  BSD_INSTALL_MAN="install  -m 444"  TEST_SHELL=/bin/sh  SUDO=""  LOGNAME="brnrd"  TEST_SSH_TRACE=yes  PATH=/usr/ports/security/openssh-portable/work/openssh-7.7p1:/usr/local/bin:/usr/local/sbin:/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin  /usr/bin/make -f Makefile DESTDIR=/usr/ports/security/openssh-portable/work/stage tests
/bin/mkdir -p `pwd`/regress/unittests/test_helper
/bin/mkdir -p `pwd`/regress/unittests/sshbuf
/bin/mkdir -p `pwd`/regress/unittests/sshkey
/bin/mkdir -p `pwd`/regress/unittests/bitmap
/bin/mkdir -p `pwd`/regress/unittests/conversion
/bin/mkdir -p `pwd`/regress/unittests/hostkeys
/bin/mkdir -p `pwd`/regress/unittests/kex
/bin/mkdir -p `pwd`/regress/unittests/match
/bin/mkdir -p `pwd`/regress/unittests/utf8
/bin/mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] ||  ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && /usr/bin/make)
BUILDDIR=`pwd`;  TEST_SSH_SCP="${BUILDDIR}/scp";  TEST_SSH_SSH="${BUILDDIR}/ssh";  TEST_SSH_SSHD="${BUILDDIR}/sshd";  TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent";  TEST_SSH_SSHADD="${BUILDDIR}/ssh-add";  TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen";  TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper";  TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan";  TEST_SSH_SFTP="${BUILDDIR}/sftp";  TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server";  TEST_SSH_PLINK="plink";  TEST_SSH_PUTTYGEN="puttygen";  TEST_SSH_CONCH="conch";  TEST_SSH_IPV6="yes" ;  TEST_SSH_UTF8="yes" ;  TEST_SSH_ECC="yes" ;  cd ./regress || exit $?;  /usr/bin/make  .OBJDIR="${BUILDDIR}/regress"  .CURDIR="`pwd`"  BUILDDIR="${BUILDDIR}"  OBJ=""/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress""  PATH="${BUILDDIR}:${PATH}"  TEST_ENV=MALLOC_OPTIONS="AJRX"  TEST_MALLOC_OPTIONS="AJRX"  TEST_SSH_SCP="${TEST_SSH_SCP}"  TEST_SSH_SSH="${TEST_SSH_SSH}"  TEST_SSH_SSHD="${TEST_SSH_SSHD}"  TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}"  TEST_SSH_SSHADD="${TEST_SSH_SSHADD}"  TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"  TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}"  TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"  TEST_SSH_SFTP="${TEST_SSH_SFTP}"  TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}"  TEST_SSH_PLINK="${TEST_SSH_PLINK}"  TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}"  TEST_SSH_CONCH="${TEST_SSH_CONCH}"  TEST_SSH_IPV6="${TEST_SSH_IPV6}"  TEST_SSH_UTF8="${TEST_SSH_UTF8}"  TEST_SSH_ECC="${TEST_SSH_ECC}"  TEST_SHELL="sh"  EXEEXT=""  tests && echo all tests passed
test "x" = "x" || mkdir -p /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-out
set -e ; if test -z "" ; then  V="" ;  test "x" = "x" ||  V=/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-unit.sh ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshbuf/test_sshbuf ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/test_sshkey  -d /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/testdata ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/bitmap/test_bitmap ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/conversion/test_conversion ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/kex/test_kex ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/test_hostkeys  -d /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/testdata ;  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/match/test_match ;  if test "xyes" = "xyes"  ; then  $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/utf8/test_utf8 ;  fi  fi
test_sshbuf: .................................................................................................... 101 tests ok
test_sshkey: ....................................
regress/unittests/sshkey/test_file.c:74 test #37 "parse RSA from private w/ passphrase"
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL), 0) failed:
sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL) = -4
           0 = 0
Abort trap (core dumped)
*** Error code 134

Stop.
make[1]: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable

[brnrd@build openssh-portable]$


Script done on Fri Apr  6 21:50:47 2018
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
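
An added example, not part of the original message: a shell sketch that finds the passphrase-protected legacy PEM keys shown under "Fail:" above and prints the `ssh-keygen -po -f` command from the thread for each one. It inspects only the PEM armor and the `Proc-Type` header; the sample files and their names are constructed and contain no key material.

```shell
#!/bin/sh
# Print the container format of a key file, judged from its first two lines only.
classify_key() {
    first=$(head -n 1 "$1" 2>/dev/null || true)
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM marks passphrase encryption with a Proc-Type header.
            if sed -n 2p "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo legacy-encrypted
            else
                echo legacy-plain
            fi ;;
        *)
            echo other ;;
    esac
}

# Print the conversion command from the thread for each affected key in a directory.
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_key "$f")" = legacy-encrypted ]; then
            echo "ssh-keygen -po -f $f"
        fi
    done
}

# Constructed sample files: armor and headers only, no real key material.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,<constructed>' > "$d/id_rsa"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,<constructed>' > "$d/id_ecdsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/id_ed25519"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '<constructed>' > "$d/id_plain"
    printf '%s\n' 'ssh-rsa <constructed> user@host' > "$d/id_rsa.pub"
    echo "$d"
}

# Demo run over the constructed samples: lists id_ecdsa and id_rsa.
sample_dir=$(make_samples)
audit_keys "$sample_dir"
rm -rf "$sample_dir"
```

`ssh-keygen -p` rewrites the key file in place and prompts for the passphrase, so the script only prints the commands; keep a backup of each key before running them.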
