Re: OpenSSH private key format errors with LibreSSL 2.7

On 2018-04-07 11:24, Bernard Spil wrote:
> On 2018-04-07 9:04, Joel Sing wrote:
>> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>>> Hi,
>>>
>>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>>> ECDSA private keys.
>>>
>>>      Error loading key "./id_rsa": invalid format
>>>
>>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
>>> issue early on with LibreSSL 2.7 by converting the key to "new file
>>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>>
>>> Fail:
>>> -----BEGIN EC PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> -----BEGIN RSA PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> Success (both keys after converting):
>>> -----BEGIN OPENSSH PRIVATE KEY-----
>>>
>>> I've been digging through ssh-keygen to find a way to convert them but
>>> have yet to find the right knobs. -e only exports public keys.
>>>
>>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>>
>>> Any hints?
>>
>> What does the following say, when compiled with 2.7.2:
>>
>> $ openssl version
>> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
>> $ ssh -V
>
> Meanwhile I've figured out that I can prevent issues if I convert the
> private key file to new format with
>    ssh-keygen -po -f keyfile
> I had saved my old key as id_rsa-oldformat
>
> $ openssl version
> LibreSSL 2.7.2
> $ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
> Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
> $ echo $?
> 0
> $ ssh -V
> OpenSSH_7.2p2, LibreSSL 2.7.1
> $ /usr/local/bin/ssh -V
> OpenSSH_7.6p1, LibreSSL 2.7.1
>
> I see that I need to recompile ssh with 2.7.2, the libraries they use
> are 2.7.2 not 2.7.1.
>
> Cheers, Bernard.

To rule out issues with OpenSSH in base or ports on FreeBSD, I've now built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.

$ ./configure --prefix=$HOME/openssh
$ make
$ make install
$ cd ~/openssh/bin
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ldd ./ssh
./ssh:
        libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
        libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
        libz.so.6 => /lib/libz.so.6 (0x800ebf000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
        libc.so.7 => /lib/libc.so.7 (0x8012f7000)
$ ./ssh-add ~/.ssh/id_rsa-oldformat
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format

Cheers, Bernard.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
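
The following is an added example, not part of the original thread and not OpenSSH code: a POSIX shell inventory that sorts private key files into the old PEM container shown under "Fail" and the new container shown under "Success", and prints the conversion command from the thread for the old ones. The function names classify_key and report_keys and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: classify private key files by container format.
# classify_key, report_keys and the sample files are constructed for illustration.

classify_key() {
    # Print the container format of the private key file "$1".
    first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh-new" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Old PEM container: a passphrase shows up as a Proc-Type header.
            if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "legacy-pem-encrypted"
            else
                echo "legacy-pem-plain"
            fi ;;
        *)
            echo "unknown" ;;
    esac
}

report_keys() {
    # One line per file: "<format> <path>", plus a hint for old-format keys.
    for f in "$@"; do
        fmt=$(classify_key "$f")
        echo "$fmt $f"
        case "$fmt" in
            legacy-pem-*)
                # Command as given in the thread; it rewrites the file in
                # place, so keep a copy of the original first.
                echo "  convert with: ssh-keygen -po -f $f" ;;
        esac
    done
}

# Constructed sample files (headers only, no key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,<snip>' > "$demo_dir/id_rsa"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'placeholder-body' \
    > "$demo_dir/id_ecdsa"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo_dir/id_ed25519"
report_keys "$demo_dir"/id_*
```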