bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-25 20:01 UTC
[Bug 3023] New: ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023

            Bug ID: 3023
           Summary: ssh-keygen no longer writes PKCS#1 PEM format
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: s.e.adams at gmail.com

After upgrading OpenSSH 7.9 to 8.0 (while upgrading from Fedora 29 to 30),
ssh-keygen can no longer generate PKCS#1 formatted private keys.

I'm specifying "-m PEM" to generate keys in the legacy PEM private key format,
but the output format has changed between the releases.

Is it possible to still generate PKCS#1 formatted keys with OpenSSH 8.0? I'm
processing these keys with dropbearconvert, which doesn't support the PKCS#8
format.

Example outputs:

## Fedora 29 / OpenSSH 7.9

$ rpm -qa | grep openssh
openssh-clients-7.9p1-6.fc29.x86_64
openssh-server-7.9p1-6.fc29.x86_64
openssh-7.9p1-6.fc29.x86_64

$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:SPvtI5cPgKCjrH+wsgYy076vE1NTjcfc9Mc6cdbHG9I foo@localhost
The key's randomart image is:
+---[RSA 2048]----+
| = o. |
| o = .. ..o |
| .... o.=E+|
| .oo + *. +|
| .o. .+ S o . |
|*.=. . o . |
|+= = . o. |
|o.+ . ..+. |
|+++*. o.o. |
+----[SHA256]-----+

$ head id_pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwkG0o3kuCd7dxQa7cJPWSqZO6eADPgivWJ7aE6vbj7diXoSX
UF40roLIgt8lcKVvGaWdrD3YUQLVUMPlKpiyICCVLwLDapP/Qm8v4GoxClVUgjg6
DddQYI8GQImpLCLy3Rg+9EK+ubBkIBngiVMu8y3Q6ZAulTcQthONjyndRZbSxHR2

----------

## Fedora 30 / OpenSSH 8.0

$ rpm -qa | grep openssh
openssh-8.0p1-4.fc30.x86_64
openssh-server-8.0p1-4.fc30.x86_64
openssh-clients-8.0p1-4.fc30.x86_64

$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:sthFFnvZu0BUN5Evd2UUbme/S7wNiHlAaj6i+Q6dL0o foo@localhost
The key's randomart image is:
+---[RSA 2048]----+
| . ... +=o|
| + o .o.o|
| + = . =+|
| o = .o.*|
| . S o . oo|
| + B = o. .|
| E * o o + .+ |
| . +.o . . ..+|
| ++o.. o.|
+----[SHA256]-----+

$ head id_pem
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCpoPt4v6ESanwB
BZ0Q2k/KQaXBcm5tVYDZPT7jWFlei9x0bfP7MltXy4DyH75T5TwPNocLk9ehWKnA
l+vFetu/P9BtGuLyDhb0oGym91NjQbfquDzl+9n/lHJQgFQYZbimXyTJgcqZwOl7

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-26 08:16 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
See the bug #3013 which proposed this change. The simplest solution would be
to teach dropbear this format. The OpenSSL 1.0 introducing this format was
released almost 10 years ago.

Otherwise, you can always use openssl to convert the keys for you:

openssl pkey -traditional -in /tmp/rsa.pem -out /tmp/rsa-traditional.pem
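Added example, not part of the bug thread and not OpenSSH or dropbear code: a small classifier that tells the two containers shown in the report apart by DER structure as well as by PEM label, so a pipeline can decide whether a key needs converting before it reaches a PKCS#1-only consumer. The names classify and read_tlv are hypothetical; the sample inputs are the first base64 line of each key from the report's head output, and the key is assumed to be unencrypted.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos):
    """Return (tag, length, value_offset) of the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length encoding")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify(pem_text):
    """Return (pem_label, der_structure) for an unencrypted private key PEM."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not (lines and lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("no PEM BEGIN line")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    b64 = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
    der = base64.b64decode(b64[:len(b64) // 4 * 4])   # tolerate head-truncated input
    tag, _, pos = read_tlv(der, 0)                     # outer SEQUENCE
    if tag != 0x30:
        return label, "unknown"
    tag, length, pos = read_tlv(der, pos)              # version INTEGER
    if tag != 0x02:
        return label, "unknown"
    tag, _, inner = read_tlv(der, pos + length)        # element after the version
    if tag == 0x02:                                    # INTEGER modulus: RSAPrivateKey
        return label, "PKCS#1"
    if tag == 0x30:                                    # AlgorithmIdentifier: PrivateKeyInfo
        otag, olen, opos = read_tlv(der, inner)
        rsa = otag == 0x06 and der[opos:opos + olen] == RSA_OID
        return label, "PKCS#8 (RSA)" if rsa else "PKCS#8 (other algorithm)"
    return label, "unknown"

# First base64 line of each key as shown in the report (truncated on purpose).
OPENSSH_79 = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwkG0o3kuCd7dxQa7cJPWSqZO6eADPgivWJ7aE6vbj7diXoSX
"""
FEDORA_80 = """-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCpoPt4v6ESanwB
"""
```

Checking the structure rather than only the BEGIN line also catches a file whose label was edited by hand without converting the body.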
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-05 05:48 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
This appears to be due to a Fedora specific change and does not apply to any
version supplied by the OpenSSH team, so I'm closing this bug. Discussion about
any possible changes to the key formats will be over at bug#3013.

Thanks for the report.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3023] ssh-keygen no longer writes PKCS#1 PEM format
https://bugzilla.mindrot.org/show_bug.cgi?id=3023

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle