[Bug 2901] New: ssh-keygen generates an invalid key sometimes

bugzilla-daemon at bugzilla.mindrot.org
Mon Aug 27 05:40:47 AEST 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2901

            Bug ID: 2901
           Summary: ssh-keygen generates an invalid key sometimes
           Product: Portable OpenSSH
           Version: 7.7p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: whissi at gentoo.org

Created attachment 3173
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3173&action=edit
test script to generate keys

We received the following bug report: https://bugs.gentoo.org/664384

Summary:
It looks like `ssh-keygen -t ecdsa -b 521 -f testkey` sometimes
generates an invalid key. I.e. when you try to change the passphrase
of that newly generated key, `ssh-keygen -y -f testkey` will fail with

> Load key "testkey": invalid format

Please see the attached test script (it usually takes between 5-600
attempts).

In addition to Gentoo, I was able to reproduce the same problem on
Debian Stretch using openssh-portable 7.7p1 vanilla sources (I used
https://sourceforge.net/projects/hpnssh/files/OpenSSL-1.1%20Compatibility/
to be able to compile against Debian's OpenSSL 1.1.x version but this
shouldn't matter).

I tested against 7.8p1 and was so far unable to reproduce. According to
bisect, the error disappears with the switch to the "new" private key
format, i.e. commit

> commit ed7bd5d93fe14c7bd90febd29b858ea985d14d45
> Author: djm at openbsd.org <djm at openbsd.org>
> Date:   Wed Aug 8 01:16:01 2018 +0000
> 
>     upstream: Use new private key format by default. This format is
>     supported by OpenSSH >= 6.5 (released January 2014), so it should be supported
>     by most OpenSSH versions in active use.
> 
>     It is possible to convert new-format private keys to the older
>     format using "ssh-keygen -f /path/key -pm PEM".
> 

But I guess the error is still present. I am just unable to change the
test script to produce keys in the old format.

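A regression loop for the failure described in this report, written as an added example; it is not the attached test script and not OpenSSH project code. The names `KEYGEN`, `PASSPHRASE` and `find_bad_key` and the use of a passphrase are assumptions, and the `PEM` argument relies on OpenSSH 7.8 and later accepting `-m PEM` at key generation to write the old private key format.

```shell
#!/bin/sh
# Added example, not the attached script. KEYGEN, PASSPHRASE and
# find_bad_key are names chosen here; the passphrase is constructed.
KEYGEN="${KEYGEN:-ssh-keygen}"
PASSPHRASE="${PASSPHRASE:-constructed-test-passphrase}"

# find_bad_key MAX [FORMAT]
# Generate up to MAX ECDSA-521 keys and read each one back with -y.
# On the first key that fails to load: print the attempt number, keep
# the key directory for inspection and return 1. Return 0 if every key
# loads, 2 if generation itself fails.
find_bad_key() {
    max="$1"
    fmt="${2:-}"
    dir=$(mktemp -d) || return 2
    key="$dir/testkey"
    i=1
    while [ "$i" -le "$max" ]; do
        rm -f "$key" "$key.pub"
        set -- -q -t ecdsa -b 521 -N "$PASSPHRASE" -f "$key"
        # FORMAT=PEM requests the old private key format (OpenSSH >= 7.8).
        if [ -n "$fmt" ]; then
            set -- -m "$fmt" "$@"
        fi
        if ! "$KEYGEN" "$@"; then
            rm -rf "$dir"
            return 2
        fi
        if ! "$KEYGEN" -y -P "$PASSPHRASE" -f "$key" >/dev/null 2>&1; then
            echo "$i"
            echo "failing key kept in $dir" >&2
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return 0
}

# Run only when arguments are given, e.g.: sh repro.sh 1000 PEM
if [ "$#" -gt 0 ]; then
    find_bad_key "$@"
fi
```

Keeping the first failing key on disk allows it to be examined with other tools before the temporary directory is removed by hand.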