OpenSSH private key format errors with LibreSSL 2.7

Bernard Spil brnrd at freebsd.org
Sat Apr 7 05:52:23 AEST 2018


On 2018-04-06 21:42, Bernard Spil wrote:
> On 2018-04-06 21:31, Bernard Spil wrote:
>> Hi,
>> 
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>> 
>>     Error loading key "./id_rsa": invalid format
>> 
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>> this issue early on with LibreSSL 2.7 by converting the key to "new
>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>> 
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>> 
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>> 
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>> 
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>> 
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>> 
>> Any hints?
>> 
>> Thanks, Bernard.
> 
> Meanwhile, figured out that I can fix this with
> 
>     ssh-keygen -po -f keyfile
> 
> before upgrading to LibreSSL 2.7.
> 
> The -o option does not show in the ssh-keygen(1) synopsis.
> 
> Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: make-test.out
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180406/b405a1e4/attachment.ksh>
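
An added example, not part of the original post or of OpenSSH: a shell helper that lists the key files in a directory that still carry the encrypted legacy PEM headers quoted in the message, so they can be converted with `ssh-keygen -po -f keyfile` before the upgrade. The function names and the header-only sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not OpenSSH code).

# Print the on-disk format of one private key file, judged by its PEM header.
classify_key() {
    first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh" ;;            # the format reported as loading fine
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            second=$(sed -n '2p' "$1" 2>/dev/null | tr -d '\r')
            if [ "$second" = "Proc-Type: 4,ENCRYPTED" ]; then
                echo "legacy-encrypted"  # the headers reported as failing
            else
                echo "legacy-plain"      # not covered by the report
            fi ;;
        *)
            echo "other" ;;              # public keys, config, known_hosts
    esac
}

# Print the path of every file in directory $1 that is "legacy-encrypted".
scan_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_key "$f")" = "legacy-encrypted" ]; then
            echo "$f"
        fi
    done
}

# Constructed sample files (headers only, no key material) for a dry run.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,<snip>' > "$1/id_rsa"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,<snip>' > "$1/id_ecdsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$1/id_ed25519"
    printf '%s\n' 'ssh-rsa AAAA constructed' > "$1/id_rsa.pub"
}

# With a directory argument, list the conversion command for each match.
# Nothing is converted here: ssh-keygen will prompt for each passphrase.
if [ "$#" -gt 0 ]; then
    scan_keys "$1" | while read -r k; do
        echo "convert before upgrade: ssh-keygen -po -f $k"
    done
fi
```
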

