Hi Joel,

After adding that line

3769         clear_libcrypto_errors();
3770         if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
3771             (char *)passphrase)) == NULL) {
3772                 r = convert_libcrypto_error();
3773                 ERR_print_errors_fp(stderr);
3774                 goto out;
3775         }

$ bin/ssh-add ~/.ssh/id_rsa-oldformat
34383182280:error:09FFF072:lib(9):func(4095):reason(114):/usr/src/crypto/libressl/crypto/pem/pem_lib.c:529:
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format

Cheers, Bernard.

2018-04-07 14:30 GMT+02:00 Joel Sing <joel@xxxxxxxxxx>:
> On Saturday 07 April 2018 11:50:15 Bernard Spil wrote:
>> On 2018-04-07 11:24, Bernard Spil wrote:
>> > On 2018-04-07 9:04, Joel Sing wrote:
>> >> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>> >>> Hi,
>> >>>
>> >>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> >>> ECDSA private keys.
>> >>>
>> >>> Error loading key "./id_rsa": invalid format
>> >>>
>> >>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
>> >>> issue early on with LibreSSL 2.7 by converting the key to "new file
>> >>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>> >>>
>> >>> Fail:
>> >>> -----BEGIN EC PRIVATE KEY-----
>> >>> Proc-Type: 4,ENCRYPTED
>> >>> DEK-Info: AES-128-CBC,<snip>
>> >>>
>> >>> -----BEGIN RSA PRIVATE KEY-----
>> >>> Proc-Type: 4,ENCRYPTED
>> >>> DEK-Info: AES-128-CBC,<snip>
>> >>>
>> >>> Success (both keys after converting):
>> >>> -----BEGIN OPENSSH PRIVATE KEY-----
>> >>>
>> >>> I've been digging through ssh-keygen to find a way to convert them but
>> >>> have yet to find the right knobs. -e only exports public keys.
>> >>>
>> >>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>> >>>
>> >>> Any hints?
>> >>
>> >> What does the following say, when compiled with 2.7.2:
>> >>
>> >> $ openssl version
>> >> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
>> >> $ ssh -V
>> >
>> > Meanwhile I've figured out that I can prevent issues if I convert the
>> > private key file to new format with
>> >
>> > ssh-keygen -po -f keyfile
>
> This is a workaround - it uses an OpenSSH specific format, rather than
> OpenSSL's encrypted PEM.
>
>> > I had saved my old key as id_rsa-oldformat
>> >
>> > $ openssl version
>> > LibreSSL 2.7.2
>> > $ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
>> > Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
>> > $ echo $?
>> > 0
>
> This confirms that LibreSSL 2.7.2 can still read, decode and decrypt the key.
>
>> > $ ssh -V
>> > OpenSSH_7.2p2, LibreSSL 2.7.1
>> > $ /usr/local/bin/ssh -V
>> > OpenSSH_7.6p1, LibreSSL 2.7.1
>> >
>> > I see that I need to recompile ssh with 2.7.2, the libraries they use
>> > are 2.7.2 not 2.7.1.
>> >
>> > Cheers, Bernard.
>>
>> To rule out issues with OpenSSH in base or ports on FreeBSD, I've now
>> built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.
>>
>> $ ./configure --prefix=$HOME/openssh
>> $ make
>> $ make instal
>> $ cd ~/openssh/bin
>> $ ./ssh -V
>> OpenSSH_7.7p1, LibreSSL 2.7.2
>> $ ldd ./ssh
>> ./ssh:
>>         libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
>>         libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
>>         libz.so.6 => /lib/libz.so.6 (0x800ebf000)
>>         libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
>>         libc.so.7 => /lib/libc.so.7 (0x8012f7000)
>> $ ./ssh-add ~/.ssh/id_rsa-oldformat
>> Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format
>
> I've built LibreSSL 2.7.2 portable and OpenSSH 7.7p1 on a clean system:
>
> $ ./ssh -V
> OpenSSH_7.7p1, LibreSSL 2.7.2
> $ ./ssh-add
> Enter passphrase for /home/joel/.ssh/id_rsa:
> Identity added: /home/joel/.ssh/id_rsa (/home/joel/.ssh/id_rsa)
>
> The only thing that really changed from 2.6.4 to 2.7.2 in this area was the
> auto-initialisation. I suspect that there is something with your environment
> that is triggering the problem. The failure you're seeing is most likely
> coming from the PEM_read_bio_PrivateKey() call in
> sshkey_parse_private_pem_fileblob() - adding the following after line 3772 of
> sshkey.c may give us some insight:
>
>         ERR_print_errors_fp(stderr);
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
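
Added example (not part of the original message, and not OpenSSH or LibreSSL code): a small C parser that splits the libcrypto error line reported at the top of this message into its fields and unpacks the hex code using the LibreSSL / OpenSSL 1.x layout (8-bit library, 12-bit function, 12-bit reason). The struct and function names are chosen for this example; the library and PEM reason numbers are the values defined in <openssl/err.h> and <openssl/pem.h>, and only a subset is listed.

```c
#include <stdio.h>
#include <string.h>
/* One line of ERR_print_errors_fp() output, split into its fields. */
struct err_line {
    unsigned long code;     /* packed error code (the hex field) */
    int lib, func, reason;  /* unpacked from code */
    char file[128];         /* libcrypto source file that raised the error */
    int line;               /* line number in that file */
};

/* Library numbers from <openssl/err.h> (subset). */
const char *lib_name(int lib) {
    return lib == 4 ? "RSA" : lib == 6 ? "EVP" : lib == 9 ? "PEM" :
           lib == 16 ? "EC" : "unknown";
}
/* PEM reason codes from <openssl/pem.h> (subset). */
const char *pem_reason_name(int reason) {
    switch (reason) {
    case 101: return "PEM_R_BAD_DECRYPT";
    case 113: return "PEM_R_UNSUPPORTED_CIPHER";
    case 114: return "PEM_R_UNSUPPORTED_ENCRYPTION";
    default: return "unknown";
    }
}

/* Parse "<id>:error:<hex>:<lib>:<func>:<reason>:<file>:<line>:".
 * The three text fields are skipped: they are either names or numeric
 * placeholders such as "lib(9)", and the hex code carries the same data.
 * Returns 0 on success, -1 if the line does not have that shape. */
int parse_err_line(const char *s, struct err_line *out) {
    memset(out, 0, sizeof(*out));
    if (sscanf(s, "%*[^:]:error:%lx:%*[^:]:%*[^:]:%*[^:]:%127[^:]:%d",
               &out->code, out->file, &out->line) != 3)
        return -1;
    /* LibreSSL / OpenSSL 1.x packing: lib 8 bits, func 12, reason 12. */
    out->lib = (int)((out->code >> 24) & 0xff);
    out->func = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    return 0;
}

int main(void) {
    /* The error line reported in the message above. */
    struct err_line e;
    if (parse_err_line("34383182280:error:09FFF072:lib(9):func(4095):reason(114):"
            "/usr/src/crypto/libressl/crypto/pem/pem_lib.c:529:", &e) != 0)
        return 1;
    printf("%s reason %d (%s) at %s:%d\n", lib_name(e.lib), e.reason,
           e.lib == 9 ? pem_reason_name(e.reason) : "n/a", e.file, e.line);
    return 0;
}
```

For the line in this message the code unpacks to library 9 (PEM), function 4095 and reason 114, matching the lib(9):func(4095):reason(114) fields that ssh-add printed.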