bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-25 20:01 UTC
[Bug 3023] New: ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023
Bug ID: 3023
Summary: ssh-keygen no longer writes PKCS#1 PEM format
Product: Portable OpenSSH
Version: 8.0p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: s.e.adams at gmail.com
After upgrading OpenSSH 7.9 to 8.0 (while upgrading from Fedora 29 to
30), ssh-keygen can no longer generate PKCS#1 formatted private keys.
I'm specifying "-m PEM" to generate keys in the legacy PEM private key
format, but the output format has changed between the releases.
Is it possible to still generate PKCS#1 formatted keys with OpenSSH
8.0? I'm processing these keys with dropbearconvert, which doesn't
support the PKCS#8 format.
Example outputs:
## Fedora 29 / OpenSSH 7.9
$ rpm -qa | grep openssh
openssh-clients-7.9p1-6.fc29.x86_64
openssh-server-7.9p1-6.fc29.x86_64
openssh-7.9p1-6.fc29.x86_64
$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:SPvtI5cPgKCjrH+wsgYy076vE1NTjcfc9Mc6cdbHG9I foo at localhost
The key's randomart image is:
+---[RSA 2048]----+
| = o. |
| o = .. ..o |
| .... o.=E+|
| .oo + *. +|
| .o. .+ S o . |
|*.=. . o . |
|+= = . o. |
|o.+ . ..+. |
|+++*. o.o. |
+----[SHA256]-----+
$ head id_pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwkG0o3kuCd7dxQa7cJPWSqZO6eADPgivWJ7aE6vbj7diXoSX
UF40roLIgt8lcKVvGaWdrD3YUQLVUMPlKpiyICCVLwLDapP/Qm8v4GoxClVUgjg6
DddQYI8GQImpLCLy3Rg+9EK+ubBkIBngiVMu8y3Q6ZAulTcQthONjyndRZbSxHR2
----------
## Fedora 30 / OpenSSH 8.0
$ rpm -qa | grep openssh
openssh-8.0p1-4.fc30.x86_64
openssh-server-8.0p1-4.fc30.x86_64
openssh-clients-8.0p1-4.fc30.x86_64
$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:sthFFnvZu0BUN5Evd2UUbme/S7wNiHlAaj6i+Q6dL0o foo at localhost
The key's randomart image is:
+---[RSA 2048]----+
| . ... +=o|
| + o .o.o|
| + = . =+|
| o = .o.*|
| . S o . oo|
| + B = o. .|
| E * o o + .+ |
| . +.o . . ..+|
| ++o.. o.|
+----[SHA256]-----+
$ head id_pem
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCpoPt4v6ESanwB
BZ0Q2k/KQaXBcm5tVYDZPT7jWFlei9x0bfP7MltXy4DyH75T5TwPNocLk9ehWKnA
l+vFetu/P9BtGuLyDhb0oGym91NjQbfquDzl+9n/lHJQgFQYZbimXyTJgcqZwOl7
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-26 08:16 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
See the bug #3013 which proposed this change.
The simplest solution would be to teach dropbear this format. The
OpenSSL 1.0 introducing this format was released almost 10 years ago.
Otherwise, you can always use openssl to convert the keys for you:
openssl pkey -traditional -in /tmp/rsa.pem -out /tmp/rsa-traditional.pem
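The two outputs in the report differ only in the ASN.1 wrapper: PKCS#1 is a bare RSAPrivateKey, while PKCS#8 puts the same structure inside an OCTET STRING after an AlgorithmIdentifier. The sketch below is an added example, not code from this thread, OpenSSH or OpenSSL; its function names are hypothetical, and it assumes an unencrypted RSA key. It tells the two formats apart from their leading bytes and performs the unwrapping that the openssl command in comment #1 does for that case.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def header(buf, pos):
    """Decode one DER tag/length header: (tag, length, value_offset)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos

def element(buf, pos):
    """Return (tag, value, next_offset); reject truncated input."""
    tag, length, start = header(buf, pos)
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length

def classify(der):
    """'pkcs1' or 'pkcs8' from the element after the version INTEGER (prefix is enough)."""
    tag, _, pos = header(der, 0)
    vtag, _, pos = element(der, pos)
    if tag != 0x30 or vtag != 0x02:
        return "unknown"
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[pos], "unknown")

def pem_decode(text):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pkcs8_to_pkcs1(text):
    """Unwrap an unencrypted RSA PKCS#8 PEM into a PKCS#1 PEM."""
    label, der = pem_decode(text)
    if label != "PRIVATE KEY":
        raise ValueError("not an unencrypted PKCS#8 key")
    _, body, _ = element(der, 0)
    _, _, pos = element(body, 0)          # version
    atag, alg, pos = element(body, pos)   # AlgorithmIdentifier
    otag, oid, _ = element(alg, 0)
    ktag, key, _ = element(body, pos)     # OCTET STRING wrapping RSAPrivateKey
    if (atag, otag, ktag) != (0x30, 0x06, 0x04) or oid != RSA_OID:
        raise ValueError("not an RSA PKCS#8 key")
    b64 = base64.b64encode(key).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PRIVATE KEY-----", *rows,
                      "-----END RSA PRIVATE KEY-----", ""])
```

Because `classify` needs only the first few bytes, it can be run on the first base64 line of each `head id_pem` excerpt above. The converted output is still private key material and should be written with the same restrictive file permissions as the original.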
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-05 05:48 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
CC| |dtucker at dtucker.net
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
This appears to be due to a Fedora specific change and does not apply
to any version supplied by the OpenSSH team, so I'm closing this bug.
Discussion about any possible changes to the key formats will be over
at bug#3013. Thanks for the report.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle