Fwd: Re: OpenSSH private key format errors with LibreSSL 2.7

-------- Original Message --------
Subject: Re: OpenSSH private key format errors with LibreSSL 2.7
Date: 2018-04-06 21:52
From: Bernard Spil <brnrd@xxxxxxxxxxx>
To: libressl@xxxxxxxxxxx, openssh-unix-dev@xxxxxxxxxxx
Cc: Kris Moore <kris@xxxxxxxxxxxxx>

On 2018-04-06 21:42, Bernard Spil wrote:
On 2018-04-06 21:31, Bernard Spil wrote:
Hi,

When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
ECDSA private keys.

    Error loading key "./id_rsa": invalid format

Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
this issue early on with LibreSSL 2.7 by converting the key to "new
file format" (to verify the ecdsa key wasn't corrupted I loaded it in

Fail:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>

Success (both keys after converting):
-----BEGIN OPENSSH PRIVATE KEY-----

I've been digging through ssh-keygen to find a way to convert them but
have yet to find the right knobs. -e only exports public keys.

Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.

Any hints?

Thanks, Bernard.

Meanwhile, figured out that I can fix this with

    ssh-keygen -po -f keyfile

before upgrading to LibreSSL 2.7.

The -o option does not show in the ssh-keygen(1) synopsis.

Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)

Attachment got scrubbed...

Script started on Fri Apr  6 21:47:33 2018
Agent pid 49969

[brnrd@build openssh-portable]$ mmake -dl test

cd /usr/ports/security/openssh-portable && make CONFIG_DONE_OPENSSH-PORTABLE=1 /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local if [ ! -e /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local ]; then cd /usr/ports/security/openssh-portable && make /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local; fi cd /usr/ports/security/openssh-portable/work/openssh-7.7p1 && /usr/bin/env -i OBJ=/usr/ports/security/openssh-portable/work OPENSSLBASE=/usr OPENSSLDIR=/etc/ssl OPENSSLINC=/usr/include OPENSSLLIB=/usr/lib XDG_DATA_HOME=/usr/ports/security/openssh-portable/work XDG_CONFIG_HOME=/usr/ports/security/openssh-portable/work HOME=/usr/ports/security/openssh-portable/work PATH=/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin NO_PIE=yes MK_DEBUG_FILES=no MK_KERNEL_SYMBOLS=no SHELL=/bin/sh NO_LINT=YES PREFIX=/usr/local LOCALBASE=/usr/local LIBDIR="/usr/lib" CC="cc" CFLAGS="-O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -isystem /usr/local/include" CPP="cpp" CPPFLAGS="-isystem /usr/local/include" LDFLAGS=" -fstack-protector" LIBS="-L/usr/local/lib" CXX="c++" CXXFLAGS="-O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -isystem /usr/local/include -isystem /usr/local/include" MANPREFIX="/usr/local" BSD_INSTALL_PROGRAM="install -s -m 555" BSD_INSTALL_LIB="install -s -m 0644" BSD_INSTALL_SCRIPT="install -m 555" BSD_INSTALL_DATA="install -m 0644" BSD_INSTALL_MAN="install -m 444" TEST_SHELL=/bin/sh SUDO="" LOGNAME="brnrd" TEST_SSH_TRACE=yes PATH=/usr/ports/security/openssh-portable/work/openssh-7.7p1:/usr/local/bin:/usr/local/sbin:/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin /usr/bin/make -f Makefile DESTDIR=/usr/ports/security/openssh-portable/work/stage tests
/bin/mkdir -p `pwd`/regress/unittests/test_helper
/bin/mkdir -p `pwd`/regress/unittests/sshbuf
/bin/mkdir -p `pwd`/regress/unittests/sshkey
/bin/mkdir -p `pwd`/regress/unittests/bitmap
/bin/mkdir -p `pwd`/regress/unittests/conversion
/bin/mkdir -p `pwd`/regress/unittests/hostkeys
/bin/mkdir -p `pwd`/regress/unittests/kex
/bin/mkdir -p `pwd`/regress/unittests/match
/bin/mkdir -p `pwd`/regress/unittests/utf8
/bin/mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && /usr/bin/make)
BUILDDIR=`pwd`; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_UTF8="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; /usr/bin/make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ=""/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress"" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="AJRX" TEST_MALLOC_OPTIONS="AJRX" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_UTF8="${TEST_SSH_UTF8}" TEST_SSH_ECC="${TEST_SSH_ECC}" TEST_SHELL="sh" EXEEXT="" tests && echo all tests passed test "x" = "x" || mkdir -p /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-out set -e ; if test -z "" ; then V="" ; test "x" = "x" || V=/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-unit.sh ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshbuf/test_sshbuf ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/test_sshkey -d 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/testdata ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/bitmap/test_bitmap ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/conversion/test_conversion ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/kex/test_kex ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/test_hostkeys -d /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/testdata ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/match/test_match ; if test "xyes" = "xyes" ; then $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/utf8/test_utf8 ; fi fi
test_sshbuf: .................................................................................................... 101 tests ok
test_sshkey: ....................................
regress/unittests/sshkey/test_file.c:74 test #37 "parse RSA from private w/ passphrase" ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL), 0) failed: sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL) = -4
           0 = 0
Abort trap (core dumped)
*** Error code 134

Stop.
make[1]: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable

[brnrd@build openssh-portable]$


Script done on Fri Apr  6 21:50:47 2018
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
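
The following is an added example, not part of the original message: a way to find, before upgrading, the keys that are in the failing format quoted above (legacy PEM with "Proc-Type: 4,ENCRYPTED") so they can be converted with the ssh-keygen -po command from the message. The function names and script name are hypothetical, and it goes slightly beyond the message by also reporting unencrypted legacy PEM keys as a separate class.

```sh
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.
# Classifies private key files by the header lines quoted in the message.

# classify_key FILE -> openssh | legacy-pem-encrypted | legacy-pem | other
classify_key() {
    # Strip CR so keys saved with DOS line endings still match.
    first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
    second=$(sed -n '2p' "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Passphrase-protected legacy PEM carries this header on line 2.
            if [ "$second" = "Proc-Type: 4,ENCRYPTED" ]; then
                echo legacy-pem-encrypted
            else
                echo legacy-pem
            fi ;;
        *)
            echo other ;;
    esac
}

# list_keys_to_convert DIR -> paths of keys in the failing format, one per line
list_keys_to_convert() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_key "$f")" = legacy-pem-encrypted ]; then
            echo "$f"
        fi
    done
}

# Run as: sh find-legacy-keys.sh ~/.ssh   (script name is hypothetical)
# Prints the conversion command from the message; it does not run it,
# because ssh-keygen -p prompts for the passphrase.
if [ "$#" -gt 0 ]; then
    list_keys_to_convert "$1" | while IFS= read -r key; do
        printf "ssh-keygen -po -f '%s'\n" "$key"
    done
fi
```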