Hello everyone,we had the pubkey file of an SSH keypair damaged during the transfer to the target system today, and a part of the resulting confusion resulted from the fact that when you ask ssh-keygen to fingerprint the *priv*key, the output may actually represent the *pub*key file's content instead. Reproduced on another machine:
$ ssh-keygen -t rsa -b 2048 -C foo -f orig $ cp orig priv $ ssh-keygen -l -f priv 2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA) (No pubkey file -> data from the privkey.) $ sed -e 's/$/-bar/' orig.pub > priv.pub $ ssh-keygen -l -f priv 2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo-bar (RSA) (*Changed* comment from the pubkey file.) $ sed -e 's/$/-bar/' -e 's/^s//' orig.pub > priv.pub $ ssh-keygen -l -f priv 2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA) (*Broken* pubkey -> data from the privkey.) $ sed -e 's/$/-bar/' -e 's/0/1/' orig.pub > priv.pub $ ssh-keygen -l -f priv 2048 SHA256:SYhgtUsy0c0zEj4avKjiiqd+FyTXQeA+Tzq9wIafnhU foo-bar (RSA)(Pubkey with *some* flipped bits -> still gets accepted -> fingerprint and comment from the pubkey file.)
$ sed -e 's/$/-bar/' -e 's/[1-9]/0/g' orig.pub > priv.pub $ ssh-keygen -l -f priv 2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)(Pubkey with *major* modifications -> apparently found not to match the privkey -> data from the privkey.)
$ ssh -V OpenSSH_8.7p1, OpenSSL 1.1.1n FIPS 15 Mar 2022 ... is this behavior intentional? Thanks in advance, -- Jochen Bern Systemingenieur Binect GmbH
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
