search for: pkcs8

Displaying 20 results from an estimated 36 matches for "pkcs8".

2016 May 05
0
[Bug 2567] New: Wrong terminology used for ssh-keygen "-m" option
...l Status: NEW Severity: normal Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter: kazakevichilya at gmail.com According to "man ssh-config", "-m" supports the following formats: "“PKCS8” (PEM PKCS8 public key)" and "“PEM” (PEM public key)". This is not true. First of all they are both PEM (Base64 encoded DER). And PKCS8 is for *private* keys only. What you call "PKCS8" is "SubjectPublicKeyInfo" and it is encoded in PEM. What you call "PEM"...
2024 Aug 26
1
[Bug 3724] New: Unable to convert from OpenSSH to PKCS8 or PEM
https://bugzilla.mindrot.org/show_bug.cgi?id=3724 Bug ID: 3724 Summary: Unable to convert from OpenSSH to PKCS8 or PEM Product: Portable OpenSSH Version: 9.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: M...
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...this, but it is the most logical thing to do for me. Adding this to -l option is not appropriate because fingerprinting is using the .pub file when available. Another idea is to add a new option, I can do it if you prefer. Also, I'm lacking information for information extraction from PEM and PKCS8 file format, I'm OK to have a pointer to implement this correctly. This patch is also adding a regression test for the functionality. --- authfile.c | 16 ++-- authfile.h | 7 +- regress/Makefile | 3 +- regres...
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
...++++++++++++++++++++++++++++++++++++++++- 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 41da207..88451ac 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -334,9 +334,11 @@ The supported key formats are: (RFC 4716/SSH2 public or private key), .Dq PKCS8 (PEM PKCS8 public key) -or .Dq PEM -(PEM public key). +(PEM public key) +or +.Dq SUBJECTINFO +(SubjectPublicKeyInfo public key). The default conversion format is .Dq RFC4716 . .It Fl N Ar new_passphrase diff --git a/ssh-keygen.c b/ssh-keygen.c index 5fcd3a1..072c49a 100644 --- a/ssh-keygen.c +...
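Review bot: In the ssh-keygen.1 hunk, moving "or" down to sit before the new .Dq SUBJECTINFO entry leaves the PKCS8 and PEM entries with no separator between them; only the RFC4716 entry ends in a comma, so the rendered list would run "(PEM PKCS8 public key) PEM (PEM public key) or SUBJECTINFO". Add a trailing comma to "(PEM PKCS8 public key)" and to "(PEM public key)". The PKCS8 entry also keeps its "PEM PKCS8 public key" description unchanged, so the man page should say how SUBJECTINFO differs from it; otherwise a reader cannot tell which of the two formats to choose.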
2013 Nov 11
0
ssh-keygen :: PEM_write_RSA_PUBKEY failed
I am trying to understand a change to ssh-keygen that is included with OS X Mavericks, 6.2p2 that prevents the option, -m PKCS8, from working. Previous to Mavericks I had 5.9p1 and didn't have this problem. This used to work previously- ssh-keygen -e -m PKCS8 -f $my_rsa_public_key Now it outputs- -----BEGIN PUBLIC KEY----- -----END PUBLIC KEY----- PEM_write_RSA_PUBKEY failed I think this is the change, line 296...
2020 Jul 18
10
[Bug 3195] New: ssh-keygen unable to convert ED25519 public keys
...at gmail.com I generate an ED25519 key using OpenSSL: openssl genpkey -algorithm ED25519 -out key_ed25519.pem After that I extracted the public key: openssl pkey -in key_ed25519.pem -pubout -out public_ed25519.pem And then I try to get the SSH public key to put on authorized_keys: ssh-keygen -i -m PKCS8 -f public_ed25519.pem The error was: do_convert_from_pkcs8: unsupported pubkey type 1087 So I think ssh-keygen can't convert an ED25519 public key. The expected result was something like: ssh-ed25519 AAAA... I found a tool called sshpk (https://www.npmjs.com/package/sshpk) which converts correct...
2013 May 23
1
Time for key stretching in encrypted private keys?
...feasible and means you need a much longer password to mitigate them. Seems like it might be useful if OpenSSH at least had the option of using an encoding with some decent key stretching to me. Is there any good reason not to, and to not have it as the default? OpenSSH seems quite happy to accept PKCS8 keys with PBKDF2 currently, it just doesn't generate them. You just need to do it yourself e.g. http://martin.kleppmann.com/ssh-keys.html The keys generated in that article are also 3DES unfortunately but that's only because it's the default cipher here.
2020 Apr 17
2
[PATCH] regression of comment extraction in private key file without passphrase
Hi On 17/04/2020 at 05:52, Damien Miller wrote: > On Wed, 15 Apr 2020, Loïc wrote: > >> Hello, >> >> In one recent change >> (https://anongit.mindrot.org/openssh.git/commit/?id=2b13d3934d5803703c04803ca3a93078ecb5b715), >> I noticed a regression. >> >> If ssh-keygen is given a private file without passphrase and without the >> corresponding
2020 Apr 09
5
[Bug 3147] New: Confusing error message when the public key is missing.
https://bugzilla.mindrot.org/show_bug.cgi?id=3147 Bug ID: 3147 Summary: Confusing error message when the public key is missing. Product: Portable OpenSSH Version: -current Hardware: All OS: OpenBSD Status: NEW Severity: trivial Priority: P5 Component: ssh
2013 Dec 09
1
[Bug 2180] New: Improve the handling of the key comment field
...Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: 4.l.e.x.1.1.s+mindrotopenbsd at gmail.com Hello, As you probably know, the comment header: - is not exported when "ssh-keygen -e" is used to export a public key into a PEM|PKCS8|RFC4716 file format (a new key comment is created) - is not handled when "ssh-keygen -i" is imported from PEM|PKCS8|RFC4716 file to Openssh internal format (the key comment field is missing). Thus, it should be interesting that "ssh-keygen -e" exports the initial comment and "...
2003 May 23
1
error with make clean in /usr/src
...ST 2003 ===> secure/usr.bin/openssl rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl app_rand.o apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o dhparam.o dsa.o dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o genrsa.o nseq.o ocsp.o openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o rand.o req.o rsa.o rsautl.o s_cb.o s_client.o s_server.o s_socket.o s_time.o sess_id.o smime.o speed.o spkac.o verify.o version.o x509.o CA.pl.1.gz asn1parse.1.gz ca.1.gz ciphers.1.gz crl.1.gz crl2pkcs7.1.gz dgst.1.gz dhparam.1.gz dsa.1.gz dsaparam.1.gz enc.1.gz gendsa.1.gz genrsa.1.gz nseq.1.gz...
2012 Sep 09
2
Patch for ssh-keygen to allow conversion of public key to openssh format
Hi, I needed to convert a public RSA key to authorized_keys format and found ssh-keygen lacking this feature. I made the option -Q publicfile to allow a conversion like ssh-keygen -Q pubrsa.pem -y The patch is produced using unified diff and made on latest release. If you like it and can make a patch for the man-page also! Regards, /Lars -------------- next part -------------- diff -u
2017 Mar 25
7
[Bug 2699] New: PKCS#8 private keys with AES-128-CBC stopped working
...Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: peter at lekensteyn.nl In older OpenSSH versions, the key derivation method was quite weak, but the encryption method could be changed (see https://security.stackexchange.com/a/39293). Basically: openssl pkcs8 -topk8 -in id_rsa -out keypk8.pem -v2 AES-128-CBC With the latest OpenSSH version, the key no longer functions. "ssh host" fails with "invalid format". Expected result (7.4p1): $ ssh-keygen -f keypk8.pem -y Enter passphrase: 1234 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQ33ndDr5...
2003 Jun 13
1
Strange problem with "make clean"
...1.cat.gz ===> secure/usr.bin/openssl rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl app_rand.o apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o dhparam.o dsa.o dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o genrsa.o nseq.o ocsp.o openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o rand.o req.o rsa.o rsautl.o s_cb.o s_client.o s_server.o s_socket.o s_time.o sess_id.o smime.o speed.o spkac.o verify.o version.o x509.o CA.pl.1.gz asn1parse.1.gz ca.1.gz ciphers.1.gz crl.1.gz crl2pkcs7.1.gz dgst.1.gz dhparam.1.gz dsa.1.gz dsaparam.1.gz enc.1.gz gendsa.1.gz genrsa.1.gz nseq.1.gz...
2019 Oct 09
0
Announce: OpenSSH 8.1 released
...en(1): print key comment when extracting public key from a private key. bz#3052 * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003 * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. Bugfixes...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2019 Oct 01
9
Call for testing: OpenSSH 8.1
...gen(1): print key comment when extracting public key from a private key. bz#3052 * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003 * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. Bugfixe...
2012 Aug 29
0
Announce: OpenSSH 6.1 released
...received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "...
2014 Jul 25
1
improving passphrase protected private keys
...ase, without a separator (serves as a salt)." 2. "Take the MD5 hash of the resulting string (once)." So my proposal is, to alter this by using PKCS 8 as defined in RFC 5208 as is described in the above article. This currently works already by converting your key manually: openssl pkcs8 -topk8 -v2 des3 \ -in test_rsa_key.old -passin 'pass:super secret passphrase' \ -out test_rsa_key -passout 'pass:super secret passphrase' I didn't find any contradicting documentation or stuff inside the SSH RFCs why this is not the default yet. I know this is just a l...