On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
> Hi,
>
> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
> ECDSA private keys.
>
> Error loading key "./id_rsa": invalid format
>
> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
> issue early on with LibreSSL 2.7 by converting the key to "new file
> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>
> Fail:
> -----BEGIN EC PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,<snip>
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,<snip>
>
> Success (both keys after converting):
> -----BEGIN OPENSSH PRIVATE KEY-----
>
> I've been digging through ssh-keygen to find a way to convert them but
> have yet to find the right knobs. -e only exports public keys.
>
> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>
> Any hints?

What does the following say, when compiled with 2.7.2:

$ openssl version
$ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
$ ssh -V

On 2018-04-07 9:04, Joel Sing wrote:
> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>> Hi,
>>
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>>
>> Error loading key "./id_rsa": invalid format
>>
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
>> issue early on with LibreSSL 2.7 by converting the key to "new file
>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>>
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>>
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>
>> Any hints?
>
> What does the following say, when compiled with 2.7.2:
>
> $ openssl version
> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
> $ ssh -V

Meanwhile I've figured out that I can prevent issues if I convert the
private key file to new format with
ssh-keygen -po -f keyfile
I had saved my old key as id_rsa-oldformat

$ openssl version
LibreSSL 2.7.2
$ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
$ echo $?
0
$ ssh -V
OpenSSH_7.2p2, LibreSSL 2.7.1
$ /usr/local/bin/ssh -V
OpenSSH_7.6p1, LibreSSL 2.7.1

I see that I need to recompile ssh with 2.7.2, the libraries they use
are 2.7.2 not 2.7.1.

Cheers, Bernard.

On 2018-04-07 11:24, Bernard Spil wrote:
> On 2018-04-07 9:04, Joel Sing wrote:
>> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>>> Hi,
>>>
>>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA
>>> and ECDSA private keys.
>>>
>>> Error loading key "./id_rsa": invalid format
>>>
>>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>>> this issue early on with LibreSSL 2.7 by converting the key to "new
>>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>>
>>> Fail:
>>> -----BEGIN EC PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> -----BEGIN RSA PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: AES-128-CBC,<snip>
>>>
>>> Success (both keys after converting):
>>> -----BEGIN OPENSSH PRIVATE KEY-----
>>>
>>> I've been digging through ssh-keygen to find a way to convert them
>>> but have yet to find the right knobs. -e only exports public keys.
>>>
>>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>>
>>> Any hints?
>>
>> What does the following say, when compiled with 2.7.2:
>>
>> $ openssl version
>> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
>> $ ssh -V
>
> Meanwhile I've figured out that I can prevent issues if I convert the
> private key file to new format with
> ssh-keygen -po -f keyfile
> I had saved my old key as id_rsa-oldformat
>
> $ openssl version
> LibreSSL 2.7.2
> $ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
> Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
> $ echo $?
> 0
> $ ssh -V
> OpenSSH_7.2p2, LibreSSL 2.7.1
> $ /usr/local/bin/ssh -V
> OpenSSH_7.6p1, LibreSSL 2.7.1
>
> I see that I need to recompile ssh with 2.7.2, the libraries they use
> are 2.7.2 not 2.7.1.
>
> Cheers, Bernard.

To rule out issues with OpenSSH in base or ports on FreeBSD, I've now
built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.

$ ./configure --prefix=$HOME/openssh
$ make
$ make install
$ cd ~/openssh/bin
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ldd ./ssh
./ssh:
        libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
        libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
        libz.so.6 => /lib/libz.so.6 (0x800ebf000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
        libc.so.7 => /lib/libc.so.7 (0x8012f7000)
$ ./ssh-add ~/.ssh/id_rsa-oldformat
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format

Cheers, Bernard.
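
The thread distinguishes traditional PEM keys with `Proc-Type`/`DEK-Info` headers (failing) from `BEGIN OPENSSH PRIVATE KEY` files (loading). The script below is an added example, not code from the thread or from OpenSSH: it finds key files still in the traditional format and prints the `ssh-keygen -p -o -f` conversion command mentioned above for each. The function names `classify_key`, `audit_keys` and `demo` are hypothetical, and the demo files contain only constructed header lines, no key material.

```shell
#!/bin/sh
# classify_key FILE -> prints the container format of a private key file:
#   openssh        "new format" file
#   pem-encrypted  traditional PEM with Proc-Type/DEK-Info headers
#   pem-plain      traditional PEM without encryption headers
#   unknown        anything else (public keys, config files, ...)
classify_key() {
    first=$(sed -n '1p' "$1" 2>/dev/null) || first=
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Encrypted traditional PEM announces itself right after BEGIN.
            if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        *)
            echo unknown ;;
    esac
}

# audit_keys DIR -> one tab-separated line per traditional-format key:
# format, path, and the conversion command to run by hand.
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        fmt=$(classify_key "$f")
        case "$fmt" in
            pem-encrypted|pem-plain)
                printf '%s\t%s\tssh-keygen -p -o -f %s\n' "$fmt" "$f" "$f" ;;
        esac
    done
}

# Demo on constructed header-only files (not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,<snip>' > "$d/id_rsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/id_ecdsa"
    audit_keys "$d"
    rm -rf "$d"
}
demo
```

Run `audit_keys ~/.ssh` before swapping the crypto library under OpenSSH, and keep a copy of each key before converting it, as was done with `id_rsa-oldformat` above.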