OpenSSH private key encryption: time for AES?

Jim Knoble jmknoble at pobox.com
Wed Jan 21 12:42:38 EST 2009 

Circa 2009-01-20 02:30 dixit Damien Miller:

: On Tue, 20 Jan 2009, Jim Knoble wrote:
: 
: > [...]how can i encrypt my 4096-bit SSH RSA keypair with
: > something like AES-128, AES-256, or Twofish instead of 3DES and still
: > use it with OpenSSH?  Can ssh-add read (unencrypted) key data from stdin?

Experimentation has shown that the following will add a key to a running
ssh-agent (OpenSSH_4.6p1, Ubuntu 7.10):

    $ cat id_rsa-unencrypted |ssh-add /dev/stdin
    $ ssh-add -l |fgrep /dev/stdin
    2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA)
    $ 

However, the following will not remove the key from the agent:

    $ cat id_rsa-unencrypted |ssh-add -d /dev/stdin
    Bad key file /dev/stdin
    $ 

If both operations worked, then one could use an external
encryption/decryption facility with one's private keys, e.g.:

    openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin

(although it would take a passphrase to remove a key from ssh-agent).

: If you want to change it then you can do something like [a one-liner
: change to authfile.c]. It probably wouldn't hurt to change - new
: installations will still be able to read old keys

It would be nice for newer OpenSSH to be able to produce private keys
usable by older OpenSSH as well.

Any chance of an option in ssh-keygen to specify the cipher?  E.g.:

    # Use '-E' with any of: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc
    ssh-keygen -t rsa -E aes256-cbc

Alternatively:

    # Encrypt with AES-256:
    ssh-keygen -t rsa -A

    # Encrypt with 3DES:
    ssh-keygen -t rsa -3

    # Use default encryption:
    ssh-keygen -t rsa

Finally:

    # Encrypt with AES-256:
    ssh-keygen -t rsa

    # Encrypt with 3DES ('-O' for "old"):
    ssh-keygen -t rsa -O:1

Cheers,
jim

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+

More information about the openssh-unix-dev mailing list