On 2018-04-07 14:30, Joel Sing wrote:
On Saturday 07 April 2018 11:50:15 Bernard Spil wrote:
On 2018-04-07 11:24, Bernard Spil wrote:
> On 2018-04-07 9:04, Joel Sing wrote:
>> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>>> Hi,
>>>
>>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA
>>> and
>>> ECDSA private keys.
>>>
>>> Error loading key "./id_rsa": invalid format
>>>
>>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>>> this
>>> issue early on with LibreSSL 2.7 by converting the key to "new file
>>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>>
>>> Fail:
>>> -----BEGIN EC PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> -----BEGIN RSA PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> Success (both keys after converting):
>>> -----BEGIN OPENSSH PRIVATE KEY-----
>>>
>>> I've been digging through ssh-keygen to find a way to convert them
>>> but
>>> have yet to find the right knobs. -e only exports public keys.
>>>
>>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>>
>>> Any hints?
>>
>> What does the following say, when compiled with 2.7.2:
>>
>> $ openssl version
>> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
>> $ ssh -V
>
> Meanwhile I've figured out that I can prevent issues if I convert the
> private key file to new format with
>
> ssh-keygen -po -f keyfile
This is a workaround - it uses an OpenSSH specific format, rather than
OpenSSL's encrypted PEM.
> I had saved my old key as id_rsa-oldformat
>
> $ openssl version
> LibreSSL 2.7.2
> $ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
> Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
> $ echo $?
> 0
This confirms that LibreSSL 2.7.2 can still read, decode and decrypt
the key.
> $ ssh -V
> OpenSSH_7.2p2, LibreSSL 2.7.1
> $ /usr/local/bin/ssh -V
> OpenSSH_7.6p1, LibreSSL 2.7.1
>
> I see that I need to recompile ssh with 2.7.2, the libraries they use
> are 2.7.2 not 2.7.1.
>
> Cheers, Bernard.
To rule out issues with OpenSSH in base or ports on FreeBSD, I've now
built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.
$ ./configure --prefix=$HOME/openssh
$ make
$ make instal
$ cd ~/openssh/bin
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ldd ./ssh
./ssh:
libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
libz.so.6 => /lib/libz.so.6 (0x800ebf000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
libc.so.7 => /lib/libc.so.7 (0x8012f7000)
$ ./ssh-add ~/.ssh/id_rsa-oldformat
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid
format
I've built LibreSSL 2.7.2 portable and OpenSSH 7.7p1 on a clean system:
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ./ssh-add
Enter passphrase for /home/joel/.ssh/id_rsa:
Identity added: /home/joel/.ssh/id_rsa (/home/joel/.ssh/id_rsa)
The only thing that really changed from 2.6.4 to 2.7.2 in this area was
the
auto-initialisation. I suspect that there is something with your
environment
that is triggering the problem. The failure you're seeing is most
likely
coming from the PEM_read_bio_PrivateKey() call in
sshkey_parse_private_pem_fileblob() - adding the following after line
3772 of
sshkey.c may give us some insight:
ERR_print_errors_fp(stderr);
Hi Joel,
Added that to sshkey.c
3770 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
3771 (char *)passphrase)) == NULL) {
3772 r = convert_libcrypto_error();
3773 ERR_print_errors_fp(stderr);
3774 goto out;
3775 }
rebuilt/installed, error persists, output
$ ~/openssh/bin/ssh-add ~/.ssh/id_rsa-oldformat
34383182280:error:09FFF072:lib(9):func(4095):reason(114):/usr/src/crypto/libressl/crypto/pem/pem_lib.c:529:
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format
Cheers, Bernard.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
