Displaying 20 results from an estimated 36 matches for "pkcs8".
2016 May 05
0
[Bug 2567] New: Wrong terminology used for ssh-keygen "-m" option
...l
Status: NEW
Severity: normal
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: kazakevichilya at gmail.com
According to "man ssh-config", "-m" supports the following formats: "“PKCS8”
(PEM PKCS8 public key)" and "“PEM” (PEM public key)".
This is not true. First of all they are both PEM (Base64 encoded DER).
And PKCS8 is for *private* keys only. What you call "PKCS8" is
"SubjectPublicKeyInfo" and it is encoded in PEM.
What you call "PEM"...
2024 Aug 26
1
[Bug 3724] New: Unable to convert from OpenSSH to PKCS8 or PEM
https://bugzilla.mindrot.org/show_bug.cgi?id=3724
Bug ID: 3724
Summary: Unable to convert from OpenSSH to PKCS8 or PEM
Product: Portable OpenSSH
Version: 9.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: M...
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...this, but it is the
most logical thing to do for me.
Adding this to -l option is not appropriate because fingerprinting is
using the .pub file when available.
Another idea is to add a new option, I can do it if you prefer.
Also, I'm lacking information for information extraction from PEM and
PKCS8 file format, I'm OK to have a pointer to implement this correctly.
This patch is also adding a regression test for the functionality.
---
 authfile.c                            |  16 ++--
 authfile.h                            |   7 +-
 regress/Makefile                      |   3 +-
 regres...
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
...++++++++++++++++++++++++++++++++++++++++-
2 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 41da207..88451ac 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -334,9 +334,11 @@ The supported key formats are:
(RFC 4716/SSH2 public or private key),
.Dq PKCS8
(PEM PKCS8 public key)
-or
.Dq PEM
-(PEM public key).
+(PEM public key)
+or
+.Dq SUBJECTINFO
+(SubjectPublicKeyInfo public key).
The default conversion format is
.Dq RFC4716 .
.It Fl N Ar new_passphrase
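Review bot: In the ssh-keygen.1 hunk, moving "or" below the PEM entry leaves the unchanged line "(PEM PKCS8 public key)" with no separator before ".Dq PEM", while the first entry in the list ends with a comma, so the rendered sentence runs the PKCS8 and PEM items together; add a comma after "(PEM PKCS8 public key)". The new "(SubjectPublicKeyInfo public key)" description also drops the encoding that the two neighbouring entries state (both say "PEM"), so the man page does not tell the reader what encoding SUBJECTINFO uses or how it differs from the existing PKCS8 entry; state that in the description.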
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 5fcd3a1..072c49a 100644
--- a/ssh-keygen.c
+...
2013 Nov 11
0
ssh-keygen :: PEM_write_RSA_PUBKEY failed
I am trying to understand a change to ssh-keygen that is included with OS X
Mavericks, 6.2p2 that prevents the option, -m PKCS8, from working.
Previous to Mavericks I had 5.9p1 and didn't have this problem.
This used to work previously-
ssh-keygen -e -m PKCS8 -f $my_rsa_public_key
Now it outputs-
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
PEM_write_RSA_PUBKEY failed
I think this is the change, line 296...
2020 Jul 18
10
[Bug 3195] New: ssh-keygen unable to convert ED25519 public keys
...at gmail.com
I generate a ED25519 key using OpenSSL:
openssl genpkey -algorithm ED25519 -out key_ed25519.pem
After that I extracted the public key:
openssl pkey -in key_ed25519.pem -pubout -out public_ed25519.pem
And then I try to get the SSH public key to put on authorized_keys:
ssh-keygen -i -m PKCS8 -f public_ed25519.pem
The error was:
do_convert_from_pkcs8: unsupported pubkey type 1087
So I think ssh-keygen can't convert a ED25519 public key. The expected
result was something like:
ssh-ed25519 AAAA...
I found a tool called sshpk (https://www.npmjs.com/package/sshpk) which
converts correct...
2013 May 23
1
Time for key stretching in encrypted private keys?
...feasible and means you need a much
longer password to mitigate them. Seems like it might be useful if OpenSSH
at least had the option of using an encoding with some decent key
stretching to me. Is there any good reason not to, and to not have it as
the default?
OpenSSH seems quite happy to accept PKCS8 keys with PBKDF2 currently, it
just doesn't generate them. You just need to do it yourself e.g.
http://martin.kleppmann.com/ssh-keys.html The keys generated in that
article are also 3DES unfortunately but that's only because it's the
default cipher here.
2020 Apr 17
2
[PATCH] regression of comment extraction in private key file without passphrase
Hi
On 17/04/2020 at 05:52, Damien Miller wrote:
> On Wed, 15 Apr 2020, Loïc wrote:
>
>> Hello,
>>
>> In one recent change
>> (https://anongit.mindrot.org/openssh.git/commit/?id=2b13d3934d5803703c04803ca3a93078ecb5b715),
>> I noticed a regression.
>>
>> If ssh-keygen is given a private file without passphrase and without the
>> corresponding
2020 Apr 09
5
[Bug 3147] New: Confusing error message when the public key is missing.
https://bugzilla.mindrot.org/show_bug.cgi?id=3147
Bug ID: 3147
Summary: Confusing error message when the public key is
missing.
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: OpenBSD
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
2013 Dec 09
1
[Bug 2180] New: Improve the handling of the key comment field
...Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: 4.l.e.x.1.1.s+mindrotopenbsd at gmail.com
Hello,
As you probably know, the comment header:
- is not exported when "ssh-keygen -e" is used to export a public key
into an PEM|PKCS8|RFC4716 file format (a new key comment is created)
- is not handled when "ssh-keygen -i" is imported from
PEM|PKCS8|RFC4716 file to Openssh internal format (the key comment
field is missing).
Thus, it should be interesting that "ssh-keygen -e" exports the initial
comment and "...
2003 May 23
1
error with make clean in /usr/src
...ST 2003
===> secure/usr.bin/openssl
rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl app_rand.o
apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o dhparam.o dsa.o
dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o genrsa.o nseq.o ocsp.o
openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o rand.o req.o rsa.o rsautl.o
s_cb.o s_client.o s_server.o s_socket.o s_time.o sess_id.o smime.o speed.o
spkac.o verify.o version.o x509.o CA.pl.1.gz asn1parse.1.gz ca.1.gz
ciphers.1.gz crl.1.gz crl2pkcs7.1.gz dgst.1.gz dhparam.1.gz dsa.1.gz
dsaparam.1.gz enc.1.gz gendsa.1.gz genrsa.1.gz nseq.1.gz...
2012 Sep 09
2
Patch for ssh-keygen to allow conversion of public key to openssh format
Hi,
I needed to convert a public RSA key to authorized_keys format and found
ssh-keygen lacking this feature.
I made the option -Q publicfile to allow a conversion like
ssh-keygen -Q pubrsa.pem -y
The patch is produced using unified diff and made on latest release.
If you like it and can make a patch for the man-page also!
Regards,
/Lars
-------------- next part --------------
diff -u
2017 Mar 25
7
[Bug 2699] New: PKCS#8 private keys with AES-128-CBC stopped working
...Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: peter at lekensteyn.nl
In older OpenSSH versions, the key derivation method was quite weak,
but the encryption method could be changed (see
https://security.stackexchange.com/a/39293). Basically:
openssl pkcs8 -topk8 -in id_rsa -out keypk8.pem -v2 AES-128-CBC
With the latest OpenSSH version, the key no longer functions. "ssh
host" fails with "invalid format".
Expected result (7.4p1):
$ ssh-keygen -f keypk8.pem -y
Enter passphrase: 1234
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQ33ndDr5...
2003 Jun 13
1
Strange problem with "make clean"
...1.cat.gz
===> secure/usr.bin/openssl
rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl
app_rand.o apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o
dhparam.o dsa.o dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o
genrsa.o nseq.o ocsp.o openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o
rand.o req.o rsa.o rsautl.o s_cb.o s_client.o s_server.o s_socket.o
s_time.o sess_id.o smime.o speed.o spkac.o verify.o version.o x509.o
CA.pl.1.gz asn1parse.1.gz ca.1.gz ciphers.1.gz crl.1.gz crl2pkcs7.1.gz
dgst.1.gz dhparam.1.gz dsa.1.gz dsaparam.1.gz enc.1.gz gendsa.1.gz
genrsa.1.gz nseq.1.gz...
2019 Oct 09
0
Announce: OpenSSH 8.1 released
...en(1): print key comment when extracting public key from a
private key. bz#3052
* ssh-keygen(1): accept the verbose flag when searching for host keys
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
host's random-art signature too. bz#3003
* All: support PKCS8 as an optional format for storage of private
keys to disk. The OpenSSH native key format remains the default,
but PKCS8 is a superior format to PEM if interoperability with
non-OpenSSH software is required, as it may use a less insecure
key derivation function than PEM's.
Bugfixes...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the
openssl provider transition. What will happen in openssl 3.0.0 is
that providers become active and will accept keys via URI. The
current file mechanisms will still be available but internally it will
become a file URI. To support the provider interface, openssl will
have to accept keys by URI instead of file and may
2019 Oct 01
9
Call for testing: OpenSSH 8.1
...gen(1): print key comment when extracting public key from a
private key. bz#3052
* ssh-keygen(1): accept the verbose flag when searching for host keys
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
host's random-art signature too. bz#3003
* All: support PKCS8 as an optional format for storage of private
keys to disk. The OpenSSH native key format remains the default,
but PKCS8 is a superior format to PEM if interoperability with
non-OpenSSH software is required, as it may use a less insecure
key derivation function than PEM's.
Bugfixe...
2012 Aug 29
0
Announce: OpenSSH 6.1 released
...received via
LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "...
2014 Jul 25
1
improving passphrase protected private keys
...ase, without a separator
(serves as a salt)."
2. "Take the MD5 hash of the resulting string (once)."
So my proposal is, to alter this
by using PKCS 8 as defined in RFC 5208
as is described in the above article.
This currently works already by converting
your key manually:
openssl pkcs8 -topk8 -v2 des3 \
-in test_rsa_key.old -passin 'pass:super secret passphrase' \
-out test_rsa_key -passout 'pass:super secret passphrase'
I didn't find any contradicting documentation
or stuff inside the SSH RFCs why this is not the default
yet.
I know this is just a l...