On 2018-04-06 21:42, Bernard Spil wrote:
> On 2018-04-06 21:31, Bernard Spil wrote:
>> Hi,
>>
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>>
>> Error loading key "./id_rsa": invalid format
>>
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>> this issue early on with LibreSSL 2.7 by converting the key to "new
>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>>
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>>
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>
>> Any hints?
>>
>> Thanks, Bernard.
>
> Meanwhile, figured out that I can fix this with
>
> ssh-keygen -po -f keyfile
>
> before upgrading to LibreSSL 2.7.
>
> The -o option does not show in the ssh-keygen(1) synopsis.
>
> Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: make-test.out
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180406/b405a1e4/attachment.ksh>
Bernard Spil
2018-Apr-06 19:59 UTC
Fwd: Re: OpenSSH private key format errors with LibreSSL 2.7
-------- Original Message --------
Subject: Re: OpenSSH private key format errors with LibreSSL 2.7
Date: 2018-04-06 21:52
From: Bernard Spil <brnrd at freebsd.org>
To: libressl at openbsd.org, openssh-unix-dev at mindrot.org
Cc: Kris Moore <kris at ixsystems.com>

On 2018-04-06 21:42, Bernard Spil wrote:
> On 2018-04-06 21:31, Bernard Spil wrote:
>> Hi,
>>
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>>
>> Error loading key "./id_rsa": invalid format
>>
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>> this issue early on with LibreSSL 2.7 by converting the key to "new
>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>>
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>>
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>
>> Any hints?
>>
>> Thanks, Bernard.
>
> Meanwhile, figured out that I can fix this with
>
> ssh-keygen -po -f keyfile
>
> before upgrading to LibreSSL 2.7.
>
> The -o option does not show in the ssh-keygen(1) synopsis.
>
> Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)

Attachment got scrubbed...

Script started on Fri Apr 6 21:47:33 2018
Agent pid 49969
[brnrd at build openssh-portable]$ make -dl test
cd /usr/ports/security/openssh-portable && make CONFIG_DONE_OPENSSH-PORTABLE=1 /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local
if [ ! -e /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local ]; then cd /usr/ports/security/openssh-portable && make /usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local; fi
cd /usr/ports/security/openssh-portable/work/openssh-7.7p1 && /usr/bin/env -i OBJ=/usr/ports/security/openssh-portable/work OPENSSLBASE=/usr OPENSSLDIR=/etc/ssl OPENSSLINC=/usr/include OPENSSLLIB=/usr/lib XDG_DATA_HOME=/usr/ports/security/openssh-portable/work XDG_CONFIG_HOME=/usr/ports/security/openssh-portable/work HOME=/usr/ports/security/openssh-portable/work PATH=/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin NO_PIE=yes MK_DEBUG_FILES=no MK_KERNEL_SYMBOLS=no SHELL=/bin/sh NO_LINT=YES PREFIX=/usr/local LOCALBASE=/usr/local LIBDIR="/usr/lib" CC="cc" CFLAGS="-O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -isystem /usr/local/include" CPP="cpp" CPPFLAGS="-isystem /usr/local/include" LDFLAGS=" -fstack-protector" LIBS="-L/usr/local/lib" CXX="c++" CXXFLAGS="-O2 -fno-strict-aliasing -pipe -march=native -fstack-protector -isystem /usr/local/include -isystem /usr/local/include" MANPREFIX="/usr/local" BSD_INSTALL_PROGRAM="install -s -m 555" BSD_INSTALL_LIB="install -s -m 0644" BSD_INSTALL_SCRIPT="install -m 555" BSD_INSTALL_DATA="install -m 0644" BSD_INSTALL_MAN="install -m 444" TEST_SHELL=/bin/sh SUDO="" LOGNAME="brnrd" TEST_SSH_TRACE=yes PATH=/usr/ports/security/openssh-portable/work/openssh-7.7p1:/usr/local/bin:/usr/local/sbin:/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin /usr/bin/make -f Makefile DESTDIR=/usr/ports/security/openssh-portable/work/stage tests
/bin/mkdir -p `pwd`/regress/unittests/test_helper
/bin/mkdir -p `pwd`/regress/unittests/sshbuf
/bin/mkdir -p `pwd`/regress/unittests/sshkey
/bin/mkdir -p `pwd`/regress/unittests/bitmap
/bin/mkdir -p `pwd`/regress/unittests/conversion
/bin/mkdir -p `pwd`/regress/unittests/hostkeys
/bin/mkdir -p `pwd`/regress/unittests/kex
/bin/mkdir -p `pwd`/regress/unittests/match
/bin/mkdir -p `pwd`/regress/unittests/utf8
/bin/mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile
(cd openbsd-compat && /usr/bin/make)
BUILDDIR=`pwd`; TEST_SSH_SCP="${BUILDDIR}/scp"; TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd"; TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; TEST_SSH_SFTP="${BUILDDIR}/sftp"; TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink"; TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch"; TEST_SSH_IPV6="yes" ; TEST_SSH_UTF8="yes" ; TEST_SSH_ECC="yes" ; cd ./regress || exit $?; /usr/bin/make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`" BUILDDIR="${BUILDDIR}" OBJ=""/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress"" PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="AJRX" TEST_MALLOC_OPTIONS="AJRX" TEST_SSH_SCP="${TEST_SSH_SCP}" TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}" TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" TEST_SSH_SFTP="${TEST_SSH_SFTP}" TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" TEST_SSH_PLINK="${TEST_SSH_PLINK}" TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}" TEST_SSH_UTF8="${TEST_SSH_UTF8}" TEST_SSH_ECC="${TEST_SSH_ECC}" TEST_SHELL="sh" EXEEXT="" tests && echo all tests passed
test "x" = "x" || mkdir -p /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-out
set -e ; if test -z "" ; then V="" ; test "x" = "x" || V=/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-unit.sh ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshbuf/test_sshbuf ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/test_sshkey -d /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/testdata ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/bitmap/test_bitmap ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/conversion/test_conversion ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/kex/test_kex ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/test_hostkeys -d /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/testdata ; $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/match/test_match ; if test "xyes" = "xyes" ; then $V /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/utf8/test_utf8 ; fi fi
test_sshbuf: .................................................................................................... 101 tests ok
test_sshkey: ....................................
regress/unittests/sshkey/test_file.c:74 test #37 "parse RSA from private w/ passphrase"
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL), 0) failed:
sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, NULL) = -4
0 = 0
Abort trap (core dumped)
*** Error code 134

Stop.
make[1]: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1/regress
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable
[brnrd at build openssh-portable]$

Script done on Fri Apr 6 21:50:47 2018
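
An added example, not part of the original thread or of OpenSSH: a shell script that inventories private key files by their PEM header, so that keys still in the traditional format quoted above (`Proc-Type: 4,ENCRYPTED`) can be found and converted with `ssh-keygen -po -f keyfile` before the library upgrade. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify private key files by PEM header only.
# Key material is never decoded; the sample files below are constructed.

# classify_key FILE -> openssh | legacy-encrypted | legacy-plain | other
classify_key() {
    awk '
        /^-----BEGIN OPENSSH PRIVATE KEY-----/ { print "openssh"; found = 1; exit }
        /^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----/ { legacy = 1; next }
        # Traditional PEM marks passphrase protection on the line after BEGIN.
        legacy && /^Proc-Type: 4,ENCRYPTED/ { print "legacy-encrypted"; found = 1; exit }
        legacy { print "legacy-plain"; found = 1; exit }
        END { if (!found) print (legacy ? "legacy-plain" : "other") }
    ' "$1"
}

# list_legacy DIR -> one path per line for each key still in a legacy format
list_legacy() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(classify_key "$f")" in
            legacy-*) printf '%s\n' "$f" ;;
        esac
    done
}

# make_samples -> creates header-only sample files, prints the directory
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,CONSTRUCTED' > "$d/id_rsa"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,CONSTRUCTED' > "$d/id_ecdsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/id_ed25519"
    printf '%s\n' 'ssh-rsa CONSTRUCTED user@example' > "$d/id_rsa.pub"
    printf '%s\n' "$d"
}

# Report only; ssh-keygen -p prompts for the passphrase, so it is not run here.
samples=$(make_samples)
list_legacy "$samples" | while IFS= read -r k; do
    printf '%s: %s, convert with: ssh-keygen -p -o -f %s\n' \
        "$k" "$(classify_key "$k")" "$k"
done
rm -rf "$samples"
```
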