Loïc
2020-Apr-09 14:02 UTC
Keep number of rounds when changing passphrase or comment in private key file
Hi,

In ssh-keygen, if I set the number of rounds to a non-default value using the -a option and then change the passphrase or the comment:

$ ssh-keygen -t ed25519 -Pfoobar -a 100 -f test
$ ssh-keygen -c -C "foobar comment" -Pfoobar -f test

the number of rounds is reset to the default value.

I find this annoying because if I set the number of rounds to a given high number for security, I don't want it to be reduced behind my back when I change the passphrase or the comment.

So, I have created patches to change this and make sure the number of rounds is preserved if it is not forced when changing the comment or passphrase. I will send them in the following emails. They are based on the portable git (https://anongit.mindrot.org/openssh.git).

I'm open to your comments (in particular, I'm not pleased with the name of the struct sshkey_vault). Also, I'm wondering if the comment itself shouldn't be moved to this structure.

Also, I'm considering adding more fields to this structure, like the salt and cipher, in order to add a feature that displays the information about the keyfile (type, cipher type, key derivation type, number of rounds, comment...).

Thank you

Best regards

Loïc
Loïc
2020-Apr-09 14:13 UTC
Keep number of rounds when changing passphrase or comment in private key file
Hi,

And by the way, I created a small python script to partially parse the private key file (new format) to be able to verify that my patch is working correctly. Here is the script attached. Just run it with the private key file as argument:

$ prog/parse_openssh_keys.py test
ciphername: aes256-ctr
kdfname: bcrypt
rounds: 16
salt: d2b48709d4363adedc0ceb698916bc93
nkeys: 1
public_key len: 51
encrypted_len: 160

Hope it helps

Best regards

Loïc

Attachment: parse_openssh_keys.py (text/x-python, 2783 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200409/54da9656/attachment.py>
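The attached script was scrubbed from the archive. What follows is an added example written for this page, not Loïc's script and not OpenSSH code: a parser for the unencrypted header of the "openssh-key-v1" private key file that reports the same fields as the output above (cipher, KDF, bcrypt rounds, salt, number of keys, public key length, encrypted section length), plus a rounds_preserved() check that compares a key file before and after a passphrase or comment change. build_sample_key() is a constructed input that mimics the layout ssh-keygen writes; its key bytes and "encrypted" section are placeholders (assumed, not a real key), and the salt value is copied from the post's output. Field names such as public_key_lens are my own.

```python
"""Parse the header of an OpenSSH "openssh-key-v1" private key file.

Added example, not the list post's attachment. Only the cleartext part of
the file is read, so no passphrase is needed to check the bcrypt rounds.
"""
import base64
import struct
import sys

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def parse_private_key_header(pem_text):
    """Return ciphername, kdfname, rounds, salt, nkeys, public key lengths
    and the length of the encrypted private section."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad magic: not an openssh-key-v1 file")
    off = len(AUTH_MAGIC)
    ciphername, off = _read_string(blob, off)
    kdfname, off = _read_string(blob, off)
    kdfoptions, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    info = {"ciphername": ciphername.decode(), "kdfname": kdfname.decode(),
            "rounds": None, "salt": None, "nkeys": nkeys, "public_key_lens": []}
    if kdfname == b"bcrypt":
        # kdfoptions for bcrypt is itself: string salt, uint32 rounds
        salt, o = _read_string(kdfoptions, 0)
        (info["rounds"],) = struct.unpack(">I", kdfoptions[o:o + 4])
        info["salt"] = salt.hex()
    elif kdfname != b"none" or kdfoptions:
        raise ValueError("unsupported kdf %r" % kdfname)
    for _ in range(nkeys):
        pub, off = _read_string(blob, off)
        info["public_key_lens"].append(len(pub))
    enc, off = _read_string(blob, off)
    info["encrypted_len"] = len(enc)
    if off != len(blob):
        raise ValueError("trailing bytes after the private section")
    return info


def rounds_preserved(pem_before, pem_after):
    """True if a rewritten key file kept (or raised) the bcrypt round count.
    An unencrypted file counts as zero rounds."""
    before = parse_private_key_header(pem_before)["rounds"] or 0
    after = parse_private_key_header(pem_after)["rounds"] or 0
    return after >= before


def build_sample_key(rounds, comment, encrypted=True):
    """Constructed input with the layout ssh-keygen writes for one ed25519
    key; the key bytes and the 'encrypted' section are placeholders."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    if encrypted:
        cipher, kdf, blocksize = b"aes256-ctr", b"bcrypt", 16
        salt = bytes.fromhex("d2b48709d4363adedc0ceb698916bc93")  # from post
        kdfopts = _ssh_string(salt) + struct.pack(">I", rounds)
    else:
        cipher, kdf, blocksize, kdfopts = b"none", b"none", 8, b""
    # private section: 2 checkints, key type, public key, 64-byte secret
    # key, comment, then padded up to the cipher block size
    priv_len = 8 + len(pub) + (4 + 64) + (4 + len(comment))
    priv_len += -priv_len % blocksize
    blob = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(pub) + _ssh_string(b"\x00" * priv_len))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "%s\n%s\n%s\n" % (PEM_BEGIN, body, PEM_END)


if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        for k, v in parse_private_key_header(f.read()).items():
            print("%s: %s" % (k, v))
```

Run against a real file, the 51-byte public key and 160-byte encrypted section reported for the ed25519 key above fall out of the layout directly: 15 bytes for the "ssh-ed25519" string plus 36 for the 32-byte point, and 131 bytes of fixed private fields plus the 14-byte "foobar comment" padded to the 16-byte AES block. Comparing the file before and after an ssh-keygen -c or -p run with rounds_preserved() is the check the patches in this thread are meant to make pass.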