tinc - Mar 2010 - Check public/private RSA keypairs

Hi together,
i have a tinc vpn running on several local networks as well as on
clients and am writing on a little "zeroconfig" tool to add new
(newbie)
clients to the net without having to vnc to them for ages.
To do this easier, i wanted to have a possibility to check somehow if
the public key stored on the server mathes the provate key on the
client, or if it needs to be regenerated.
Now i figured i can output the public key to a private one by using
openssl rsa -in rsa_key.priv -pubout
this one will print out a public key in the same format as the public
key stored in the hosts file, i tested it with some clients, and every
private key will generate a pubkey different to the one in the hostfile,
but each of these clients do work in my vpn, so the public/private
keypairs must match.
A second command i found by googling
ssh-keygen -y -f rsa_key.priv
will output something that ist totally different to the original.

openssl rsa -in rsa_key.priv -pubout:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0P8+wFjp+VT/TsDaiDRsTBnpS
Qdkd6OvEnyMJtCux1bKed9oqPMxJdny0oqY4TEdaHoc4muFJd9uag1v2BWNJRSTX
r+/BpX2RbVhccG9wFanDBzDw+txe/dXko+4YqmRM1o1Ezlb1/s+pofT3M2GosbBV
5BptKHVQY9eUYKULnQIDAQAB
-----END PUBLIC KEY-----

ssh-keygen -y -f rsa_key.priv:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0P8+wFjp+VT/TsDaiDRsTBnpSQdkd6OvEnyMJtCux
1bKed9oqPMxJdny0oqY4TEdaHoc4muFJd9uag1v2BWNJRSTXr+/BpX2RbVhccG9wFanDBzDw+txe/dXk
o+4YqmRM1o1Ezlb1/s+pofT3M2GosbBV5BptKHVQY9eUYKULnQ=
original tinc-hostfile:
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALQ/z7AWOn5VP9OwNqINGxMGelJB2R3o68SfIwm0K7HVsp532io8zEl2
fLSipjhMR1oehzia4Ul325qDW/YFY0lFJNev78GlfZFtWFxwb3AVqcMHMPD63F79
1eSj7hiqZEzWjUTOVvX+z6mh9PczYaixsFXkGm0odVBj15RgpQudAgMBAAE-----END RSA PUBLIC
KEY-----

what commands tell me whether my keys match without having to start tinc
and try connecting?

sincerely,
nixnick

On Wed, Mar 17, 2010 at 02:38:37PM +0100, Claus Strasburger wrote:
> i have a tinc vpn running on several local networks as well as on
> clients and am writing on a little "zeroconfig" tool to add new
(newbie)
> clients to the net without having to vnc to them for ages.
> To do this easier, i wanted to have a possibility to check somehow if
> the public key stored on the server mathes the provate key on the
> client, or if it needs to be regenerated.
Why not check the public key stored on the server against the public key on the
client?
> Now i figured i can output the public key to a private one by using
> openssl rsa -in rsa_key.priv -pubout
> this one will print out a public key in the same format as the public
> key stored in the hosts file, i tested it with some clients, and every
> private key will generate a pubkey different to the one in the hostfile,
> but each of these clients do work in my vpn, so the public/private
> keypairs must match.
> A second command i found by googling
> ssh-keygen -y -f rsa_key.priv
> will output something that ist totally different to the original.
The problem is that the OpenSSL library has two ways to store a public key. You
can see the difference in the header already, tinc's host config files will
contain "BEGIN RSA PUBLIC KEY", while the openssl tool will output
something
that contains "BEGIN PUBLIC KEY" (note the missing "RSA").
Also, these blobs
not only contain the public key, they contain additional information, some of
which is not used. SSH uses yet another format. So, they all contain the same
public key, but the representations are different.

Actually, tinc will also happily use RSA keys generated in the format used by
the openssl tool. So instead of using tincd -K you can use openssl genrsa to
create an rsa_key.priv file, and openssl rsa to convert it to a public key for
in the host config file.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20100317/0ea731ab/attachment.pgp>