bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-14 10:02 UTC
[Bug 2895] New: ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

            Bug ID: 2895
           Summary: ecdsa key invalid format after upgrade
           Product: Portable OpenSSH
           Version: 7.7p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-add
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rej at centrum.cz

After upgrade RHED6.8 to Fedora28 (ssh v6 to v7) I'm not able to load ECDSA
key, ssh is telling it has invalid format.

RedHat support was able to reproduce this bug too:
https://bugzilla.redhat.com/show_bug.cgi?id=1610222

Why do I think the problem is in SSH? Because openssl has a new option, check,
and it is telling that the private key is OK.

Thanks for your time.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-15 01:56 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Which exact version of OpenSSH generated the key?

What is the output of "ssh-keygen -vvvlf /path/key"?
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-15 06:00 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

--- Comment #2 from Rej <rej at centrum.cz> ---
Hi,

I used CentOS v6.9 to reproduce this problem - there is openssh in version
openssh-5.3p1-123.el6_9.x86_64 and it can load and use my key without problem.

On Fedora28 there is openssh-7.7p1-5.fc28.x86_64 and it tells me:

$ ssh-add id_ecdsa
Error loading key "id_ecdsa": invalid format

Here is the output you requested:

$ ssh-keygen -vvvlf id_ecdsa
521 SHA256:fMK7A1KpalIDhzir46fTHj9GNIWVXsdsmTL9sCrUvkw Rej (ECDSA)
+---[ECDSA 521]---+
| o.. + o |
| . o + X |
|.. o.o = + |
|= . oo= . . . |
| = .oo S o |
|. o o... E |
|...+.. .= . |
|+.oooo .+ |
|.*=.... .. |
+----[SHA256]-----+
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-15 06:48 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH added ECDSA support in release 5.7
(https://www.openssh.com/txt/release-5.7), so I don't understand how you
generated an ECDSA key using OpenSSH 5.3.
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-15 06:52 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3169
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3169&action=edit
ECDSA private key reproducing a problem

Please see the analysis in the Red Hat Bugzilla. It already answers most of
the questions and points out what is different between the old key and a new
key (format: named curve vs. raw group parameters) and why it is failing (EC
group comparison).

I can reproduce the same behavior, so I attached the testing private key. I
suspect this is some change in OpenSSL, in how they handle EC group
comparison, but I did not have time to investigate it further. It might even
work for you with LibreSSL.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-23 00:43 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
OpenSSH tries to support keys that encode explicit group parameters rather
than the group ID. See sshkey.c:sshkey_ecdsa_key_to_nid()

This definitely used to work with OpenSSL, but it doesn't seem to now. It does
work with libressl.
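Added example, not part of the thread and not OpenSSH or OpenSSL code: the difference described in Comments #4 and #5 (a named curve versus explicit group parameters) is visible in the DER of a SEC1 "EC PRIVATE KEY" file, where the optional [0] parameters field holds either an OBJECT IDENTIFIER or a SEQUENCE. The function names and both sample keys are constructed for illustration; the samples are zero-filled placeholders, not usable keys.

```python
import base64

OID_SECP521R1 = bytes.fromhex("2b81040023")  # 1.3.132.0.35, the curve of a 521-bit key

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def der(tag, value):
    """Encode one DER element; used here only to build the constructed samples."""
    n = len(value)
    head = bytes([n]) if n < 0x80 else (
        bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + head + value

def ec_param_encoding(pem):
    """Classify the curve parameters of an unencrypted SEC1 'EC PRIVATE KEY' PEM."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN EC PRIVATE KEY-----":
        raise ValueError("not a SEC1 EC private key")
    if any(l.startswith("Proc-Type:") for l in lines):
        raise ValueError("encrypted PEM: decrypt a copy before inspecting")
    tag, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    _, _, pos = read_tlv(seq, 0)         # version INTEGER
    _, _, pos = read_tlv(seq, pos)       # privateKey OCTET STRING
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0 and val:          # [0] EXPLICIT ECParameters
            return {0x06: "named_curve", 0x30: "explicit"}.get(val[0], "unknown")
    return "absent"

def sample_key(params=None):
    """Constructed placeholder key (zero-filled scalar), not a usable key."""
    body = der(0x02, b"\x01") + der(0x04, bytes(66))
    if params is not None:
        body += der(0xA0, params)
    b64 = base64.encodebytes(der(0x30, body)).decode()
    return "-----BEGIN EC PRIVATE KEY-----\n" + b64 + "-----END EC PRIVATE KEY-----\n"

NAMED = sample_key(der(0x06, OID_SECP521R1))
# Placeholder SpecifiedECDomain: version 1 plus a dummy 200-byte SEQUENCE
EXPLICIT = sample_key(der(0x30, der(0x02, b"\x01") + der(0x30, bytes(200))))
```

A result of "explicit" marks a key in the format this bug is about; "named_curve" is the group-ID form mentioned in Comment #5.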
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 13:33 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
This seems to be a bug in OpenSSL. OpenSSH does everything I know of to
ascertain and use the correct EC group. Please tell me if this is not the case
and I'll try to fix it.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 2895] ecdsa key invalid format after upgrade
https://bugzilla.mindrot.org/show_bug.cgi?id=2895

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle