[Bug 1550] Move from 3DES to AES-256 for private key encryption
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Fri Jan 23 07:52:36 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1550
--- Comment #1 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:52:35 ---
Date: Tue, 20 Jan 2009 20:42:38 -0500
From: Jim Knoble <jmknoble at pobox.com>
To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
Subject: Re: OpenSSH private key encryption: time for AES?
Message-ID: <20090121014237.GD29074 at crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
References: <20090120060635.GA29074 at crawfish.ais.com>
<alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org>
In-Reply-To: <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org>
Circa 2009-01-20 02:30 dixit Damien Miller:
: On Tue, 20 Jan 2009, Jim Knoble wrote:
:
: > [...]how can i encrypt my 4096-bit SSH RSA keypair with
: > something like AES-128, AES-256, or Twofish instead of 3DES and
still
: > use it with OpenSSH? Can ssh-add read (unencrypted) key data from
stdin?
Experimentation has shown that the following will add a key to a
running
ssh-agent (OpenSSH_4.6p1, Ubuntu 7.10):
$ cat id_rsa-unencrypted |ssh-add /dev/stdin
$ ssh-add -l |fgrep /dev/stdin
2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA)
$
However, the following will not remove the key from the agent:
$ cat id_rsa-unencrypted |ssh-add -d /dev/stdin
Bad key file /dev/stdin
$
If both operations worked, then one could use an external
encryption/decryption facility with one's private keys, e.g.:
openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin
(although it would take a passphrase to remove a key from ssh-agent).
: If you want to change it then you can do something like [a one-liner
: change to authfile.c]. It probably wouldn't hurt to change - new
: installations will still be able to read old keys
It would be nice for newer OpenSSH to be able to produce private keys
usable by older OpenSSH as well.
Any chance of an option in ssh-keygen to specify the cipher? E.g.:
# Use '-E' with any of: 3des-cbc, aes128-cbc, aes192-cbc,
aes256-cbc
ssh-keygen -t rsa -E aes256-cbc
Alternatively:
# Encrypt with AES-256:
ssh-keygen -t rsa -A
# Encrypt with 3DES:
ssh-keygen -t rsa -3
# Use default encryption:
ssh-keygen -t rsa
Finally:
# Encrypt with AES-256:
ssh-keygen -t rsa
# Encrypt with 3DES ('-O' for "old"):
ssh-keygen -t rsa -O:1
Cheers,
jim
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list