Fwd: Re: OpenSSH private key format errors with LibreSSL 2.7
Bernard Spil
brnrd at freebsd.org
Sat Apr 7 05:59:51 AEST 2018
-------- Original Message --------
Subject: Re: OpenSSH private key format errors with LibreSSL 2.7
Date: 2018-04-06 21:52
From: Bernard Spil <brnrd at freebsd.org>
To: libressl at openbsd.org, openssh-unix-dev at mindrot.org
Cc: Kris Moore <kris at ixsystems.com>
On 2018-04-06 21:42, Bernard Spil wrote:
> On 2018-04-06 21:31, Bernard Spil wrote:
>> Hi,
>>
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>>
>> Error loading key "./id_rsa": invalid format
>>
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>> this issue early on with LibreSSL 2.7 by converting the key to "new
>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>>
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>>
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>
>> Any hints?
>>
>> Thanks, Bernard.
>
> Meanwhile, figured out that I can fix this with
>
> ssh-keygen -po -f keyfile
>
> before upgrading to LibreSSL 2.7.
>
> The -o option does not show in the ssh-keygen(1) synopsis.
>
> Cheers, Bernard.
Output from make tests (make test from FreeBSD 7.7p0 port)
Attachment got scrubbed...
Script started on Fri Apr 6 21:47:33 2018
Agent pid 49969
[brnrd at build openssh-portable]$ make -dl test
cd /usr/ports/security/openssh-portable && make
CONFIG_DONE_OPENSSH-PORTABLE=1
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local
if [ ! -e
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local
]; then cd /usr/ports/security/openssh-portable && make
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local;
fi
cd /usr/ports/security/openssh-portable/work/openssh-7.7p1 &&
/usr/bin/env -i OBJ=/usr/ports/security/openssh-portable/work
OPENSSLBASE=/usr OPENSSLDIR=/etc/ssl OPENSSLINC=/usr/include
OPENSSLLIB=/usr/lib
XDG_DATA_HOME=/usr/ports/security/openssh-portable/work
XDG_CONFIG_HOME=/usr/ports/security/openssh-portable/work
HOME=/usr/ports/security/openssh-portable/work
PATH=/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin
NO_PIE=yes MK_DEBUG_FILES=no MK_KERNEL_SYMBOLS=no SHELL=/bin/sh
NO_LINT=YES PREFIX=/usr/local LOCALBASE=/usr/local LIBDIR="/usr/lib"
CC="cc" CFLAGS="-O2 -fno-strict-aliasing -pipe -march=native
-fstack-protector -isystem /usr/local/include" CPP="cpp"
CPPFLAGS="-isystem /usr/local/include" LDFLAGS=" -fstack-protector"
LIBS="-L/usr/local/lib" CXX="c++" CXXFLAGS="-O2 -fno-strict-aliasing
-pipe -march=native -fstack-protector -isystem /usr/local/include
-isystem /usr/local/include" MANPREFIX="/usr/local"
BSD_INSTALL_PROGRAM="install -s -m 555" BSD_INSTALL_LIB="install -s
-m 0644" BSD_INSTALL_SCRIPT="install -m 555"
BSD_INSTALL_DATA="install -m 0644" BSD_INSTALL_MAN="install -m 444"
TEST_SHELL=/bin/sh SUDO="" LOGNAME="brnrd" TEST_SSH_TRACE=yes
PATH=/usr/ports/security/openssh-portable/work/openssh-7.7p1:/usr/local/bin:/usr/local/sbin:/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin
/usr/bin/make -f Makefile
DESTDIR=/usr/ports/security/openssh-portable/work/stage tests
/bin/mkdir -p `pwd`/regress/unittests/test_helper
/bin/mkdir -p `pwd`/regress/unittests/sshbuf
/bin/mkdir -p `pwd`/regress/unittests/sshkey
/bin/mkdir -p `pwd`/regress/unittests/bitmap
/bin/mkdir -p `pwd`/regress/unittests/conversion
/bin/mkdir -p `pwd`/regress/unittests/hostkeys
/bin/mkdir -p `pwd`/regress/unittests/kex
/bin/mkdir -p `pwd`/regress/unittests/match
/bin/mkdir -p `pwd`/regress/unittests/utf8
/bin/mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || ln -s `cd . && pwd`/regress/Makefile
`pwd`/regress/Makefile
(cd openbsd-compat && /usr/bin/make)
BUILDDIR=`pwd`; TEST_SSH_SCP="${BUILDDIR}/scp";
TEST_SSH_SSH="${BUILDDIR}/ssh"; TEST_SSH_SSHD="${BUILDDIR}/sshd";
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent";
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add";
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen";
TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper";
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan";
TEST_SSH_SFTP="${BUILDDIR}/sftp";
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; TEST_SSH_PLINK="plink";
TEST_SSH_PUTTYGEN="puttygen"; TEST_SSH_CONCH="conch";
TEST_SSH_IPV6="yes" ; TEST_SSH_UTF8="yes" ; TEST_SSH_ECC="yes" ; cd
./regress || exit $?; /usr/bin/make .OBJDIR="${BUILDDIR}/regress"
.CURDIR="`pwd`" BUILDDIR="${BUILDDIR}"
OBJ=""/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress""
PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="AJRX"
TEST_MALLOC_OPTIONS="AJRX" TEST_SSH_SCP="${TEST_SSH_SCP}"
TEST_SSH_SSH="${TEST_SSH_SSH}" TEST_SSH_SSHD="${TEST_SSH_SSHD}"
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}"
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}"
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}"
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
TEST_SSH_SFTP="${TEST_SSH_SFTP}"
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}"
TEST_SSH_PLINK="${TEST_SSH_PLINK}"
TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}"
TEST_SSH_CONCH="${TEST_SSH_CONCH}" TEST_SSH_IPV6="${TEST_SSH_IPV6}"
TEST_SSH_UTF8="${TEST_SSH_UTF8}" TEST_SSH_ECC="${TEST_SSH_ECC}"
TEST_SHELL="sh" EXEEXT="" tests && echo all tests passed
test "x" = "x" || mkdir -p
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-out
set -e ; if test -z "" ; then V="" ; test "x" = "x" ||
V=/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-unit.sh
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshbuf/test_sshbuf
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/test_sshkey
-d
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/testdata
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/bitmap/test_bitmap
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/conversion/test_conversion
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/kex/test_kex
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/test_hostkeys
-d
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/testdata
; $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/match/test_match
; if test "xyes" = "xyes" ; then $V
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/utf8/test_utf8
; fi fi
test_sshbuf:
....................................................................................................
101 tests ok
test_sshkey: ....................................
regress/unittests/sshkey/test_file.c:74 test #37 "parse RSA from private
w/ passphrase"
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, (const char
*)sshbuf_ptr(pw), &k2, NULL), 0) failed:
sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2,
NULL) = -4
0 = 0
Abort trap (core dumped)
*** Error code 134
Stop.
make[1]: stopped in
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress
*** Error code 1
Stop.
make: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1
*** Error code 1
Stop.
make: stopped in /usr/ports/security/openssh-portable
[brnrd at build openssh-portable]$
Script done on Fri Apr 6 21:50:47 2018
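
Added example, not part of the original message or of OpenSSH: a shell check, based on the PEM header lines quoted above, that lists key files still in the passphrase-protected legacy PEM format so they can be rewritten with `ssh-keygen -po -f keyfile` before the upgrade. The function names, the sample directory and its header-only files are constructed for illustration.

```shell
#!/bin/sh
# Classify private key files by the header lines quoted in the post.

# classify_key FILE -> prints one of:
#   openssh           "-----BEGIN OPENSSH PRIVATE KEY-----" (loaded successfully in the post)
#   legacy-encrypted  PEM RSA/EC key with "Proc-Type: 4,ENCRYPTED" (failed in the post)
#   legacy-plain      PEM RSA/EC key without a Proc-Type line
#   other             anything else (public keys, configs, ...)
classify_key() {
    first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
    second=$(sed -n '2p' "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            case "$second" in
                "Proc-Type: 4,ENCRYPTED") echo legacy-encrypted ;;
                *) echo legacy-plain ;;
            esac ;;
        *)
            echo other ;;
    esac
}

# keys_to_convert DIR -> prints the paths of legacy-encrypted keys, one per line.
keys_to_convert() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_key "$f")" = legacy-encrypted ]; then
            echo "$f"
        fi
    done
}

# Constructed sample files (headers only, no key material) to show the result.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,CONSTRUCTED' > "$demo_dir/id_rsa"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo_dir/id_ed25519"
printf '%s\n' 'ssh-rsa CONSTRUCTED user@host' > "$demo_dir/id_rsa.pub"
keys_to_convert "$demo_dir"
```

Pointing `keys_to_convert` at a real key directory only reads the first two lines of each file; it never modifies or decrypts a key.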