[Bug 3023] New: ssh-keygen no longer writes PKCS#1 PEM format

bugzilla-daemon at bugzilla.mindrot.org
Wed Jun 26 06:01:12 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3023

            Bug ID: 3023
           Summary: ssh-keygen no longer writes PKCS#1 PEM format
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: s.e.adams at gmail.com

After upgrading OpenSSH 7.9 to 8.0 (while upgrading from Fedora 29 to
30), ssh-keygen can no longer generate PKCS#1 formatted private keys. 
I'm specifying "-m PEM" to generate keys in the legacy PEM private key
format, but the output format has changed between the releases.

Is it possible to still generate PKCS#1 formatted keys with OpenSSH
8.0?  I'm processing these keys with dropbearconvert, which doesn't
support the PKCS#8 format.


Example outputs:


## Fedora 29 / OpenSSH 7.9

$ rpm -qa | grep openssh
openssh-clients-7.9p1-6.fc29.x86_64
openssh-server-7.9p1-6.fc29.x86_64
openssh-7.9p1-6.fc29.x86_64

$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:SPvtI5cPgKCjrH+wsgYy076vE1NTjcfc9Mc6cdbHG9I foo at localhost
The key's randomart image is:
+---[RSA 2048]----+
|       = o.      |
|      o = .. ..o |
|    ....    o.=E+|
|   .oo +     *. +|
| .o. .+ S   o  . |
|*.=.   . o   .   |
|+= =    . o.     |
|o.+ .   ..+.     |
|+++*.    o.o.    |
+----[SHA256]-----+

$ head id_pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwkG0o3kuCd7dxQa7cJPWSqZO6eADPgivWJ7aE6vbj7diXoSX
UF40roLIgt8lcKVvGaWdrD3YUQLVUMPlKpiyICCVLwLDapP/Qm8v4GoxClVUgjg6
DddQYI8GQImpLCLy3Rg+9EK+ubBkIBngiVMu8y3Q6ZAulTcQthONjyndRZbSxHR2


----------


## Fedora 30 / OpenSSH 8.0

$ rpm -qa | grep openssh
openssh-8.0p1-4.fc30.x86_64
openssh-server-8.0p1-4.fc30.x86_64
openssh-clients-8.0p1-4.fc30.x86_64

$ ssh-keygen -t rsa -b 2048 -m PEM -f ~/id_pem -N ""
Generating public/private rsa key pair.
Your identification has been saved in /home/foo/id_pem.
Your public key has been saved in /home/foo/id_pem.pub.
The key fingerprint is:
SHA256:sthFFnvZu0BUN5Evd2UUbme/S7wNiHlAaj6i+Q6dL0o foo at localhost
The key's randomart image is:
+---[RSA 2048]----+
|        . ... +=o|
|         + o .o.o|
|        + = .  =+|
|       o =   .o.*|
|      . S o .  oo|
|     + B   = o. .|
|    E * o o + .+ |
|   . +.o . .  ..+|
|    ++o..      o.|
+----[SHA256]-----+

$ head id_pem
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCpoPt4v6ESanwB
BZ0Q2k/KQaXBcm5tVYDZPT7jWFlei9x0bfP7MltXy4DyH75T5TwPNocLk9ehWKnA
l+vFetu/P9BtGuLyDhb0oGym91NjQbfquDzl+9n/lHJQgFQYZbimXyTJgcqZwOl7

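Added example, not part of the original report and not OpenSSH code: a Python check that tells the two outputs above apart by their DER structure rather than by the PEM label alone. The inputs are only the leading base64 characters of the two `head id_pem` outputs in the report; the function and constant names are this example's own.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos):
    """Read one DER tag/length header; return (tag, length, value_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short-form length
        return tag, first, pos
    n = first & 0x7F                        # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def classify_private_key(pem_text):
    """Return (pem_label, structure) for an unencrypted PEM key; a truncated body is fine."""
    label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text).group(1)
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body[: len(body) // 4 * 4])   # whole base64 quanta only
    try:
        tag, _, pos = _tlv(der, 0)          # outer SEQUENCE
        if tag != 0x30:
            return label, "unknown"
        tag, length, pos = _tlv(der, pos)   # version INTEGER, present in both formats
        if tag != 0x02:
            return label, "unknown"
        tag, _, inner = _tlv(der, pos + length)
        if tag == 0x02:                     # next INTEGER is the RSA modulus
            return label, "PKCS#1 RSAPrivateKey"
        if tag == 0x30:                     # AlgorithmIdentifier precedes the key octets
            otag, olen, off = _tlv(der, inner)
            is_rsa = otag == 0x06 and der[off:off + olen] == RSA_OID
            return label, "PKCS#8 PrivateKeyInfo" + (" (rsaEncryption)" if is_rsa else "")
    except IndexError:                      # input too short to reach the deciding tag
        pass
    return label, "unknown"

# Constructed inputs: only the leading base64 characters of the two files shown above.
OPENSSH_7_9 = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
OPENSSH_8_0 = "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASC\n"

if __name__ == "__main__":
    for name, pem in (("7.9", OPENSSH_7_9), ("8.0", OPENSSH_8_0)):
        print(name, classify_private_key(pem))
```

Both formats start with a SEQUENCE and a version INTEGER; the element after the version is what distinguishes them, which is why the first few base64 characters are enough to classify a file.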