Fwd: Re: OpenSSH private key format errors with LibreSSL 2.7

Bernard Spil brnrd at freebsd.org
Sat Apr 7 05:59:51 AEST 2018


-------- Original Message --------
Subject: Re: OpenSSH private key format errors with LibreSSL 2.7
Date: 2018-04-06 21:52
 From: Bernard Spil <brnrd at freebsd.org>
To: libressl at openbsd.org, openssh-unix-dev at mindrot.org
Cc: Kris Moore <kris at ixsystems.com>

On 2018-04-06 21:42, Bernard Spil wrote:
> On 2018-04-06 21:31, Bernard Spil wrote:
>> Hi,
>> 
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>> 
>>     Error loading key "./id_rsa": invalid format
>> 
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed
>> this issue early on with LibreSSL 2.7 by converting the key to "new
>> file format" (to verify the ecdsa key wasn't corrupted I loaded it in
>> 
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>> 
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>> 
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>> 
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>> 
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>> 
>> Any hints?
>> 
>> Thanks, Bernard.
> 
> Meanwhile, figured out that I can fix this with
> 
>     ssh-keygen -po -f keyfile
> 
> before upgrading to LibreSSL 2.7.
> 
> The -o option does not show in the ssh-keygen(1) synopsis.
> 
> Cheers, Bernard.

Output from make tests (make test from FreeBSD 7.7p0 port)

Script started on Fri Apr  6 21:47:33 2018
Agent pid 49969

[brnrd at build openssh-portable]$ make -dl test

cd /usr/ports/security/openssh-portable && make 
CONFIG_DONE_OPENSSH-PORTABLE=1 
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local
if [ ! -e 
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local 
]; then  cd /usr/ports/security/openssh-portable && make 
/usr/ports/security/openssh-portable/work/.build_done.openssh._usr_local; 
  fi
cd /usr/ports/security/openssh-portable/work/openssh-7.7p1 && 
/usr/bin/env -i  OBJ=/usr/ports/security/openssh-portable/work 
OPENSSLBASE=/usr OPENSSLDIR=/etc/ssl OPENSSLINC=/usr/include 
OPENSSLLIB=/usr/lib 
XDG_DATA_HOME=/usr/ports/security/openssh-portable/work  
XDG_CONFIG_HOME=/usr/ports/security/openssh-portable/work  
HOME=/usr/ports/security/openssh-portable/work 
PATH=/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin 
NO_PIE=yes MK_DEBUG_FILES=no MK_KERNEL_SYMBOLS=no SHELL=/bin/sh 
NO_LINT=YES PREFIX=/usr/local  LOCALBASE=/usr/local  LIBDIR="/usr/lib"  
CC="cc" CFLAGS="-O2 -fno-strict-aliasing -pipe -march=native  
-fstack-protector -isystem /usr/local/include"  CPP="cpp" 
CPPFLAGS="-isystem /usr/local/include"  LDFLAGS="  -fstack-protector" 
LIBS="-L/usr/local/lib"  CXX="c++" CXXFLAGS="-O2 -fno-strict-aliasing 
-pipe -march=native -fstack-protector -isystem /usr/local/include  
-isystem /usr/local/include"  MANPREFIX="/usr/local" 
BSD_INSTALL_PROGRAM="install  -s -m 555"  BSD_INSTALL_LIB="install  -s 
-m 0644"  BSD_INSTALL_SCRIPT="install  -m 555"  
BSD_INSTALL_DATA="install  -m 0644"  BSD_INSTALL_MAN="install  -m 444"  
TEST_SHELL=/bin/sh  SUDO=""  LOGNAME="brnrd"  TEST_SSH_TRACE=yes  
PATH=/usr/ports/security/openssh-portable/work/openssh-7.7p1:/usr/local/bin:/usr/local/sbin:/usr/ports/security/openssh-portable/work/.bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/brnrd/bin 
  /usr/bin/make -f Makefile 
DESTDIR=/usr/ports/security/openssh-portable/work/stage tests
/bin/mkdir -p `pwd`/regress/unittests/test_helper
/bin/mkdir -p `pwd`/regress/unittests/sshbuf
/bin/mkdir -p `pwd`/regress/unittests/sshkey
/bin/mkdir -p `pwd`/regress/unittests/bitmap
/bin/mkdir -p `pwd`/regress/unittests/conversion
/bin/mkdir -p `pwd`/regress/unittests/hostkeys
/bin/mkdir -p `pwd`/regress/unittests/kex
/bin/mkdir -p `pwd`/regress/unittests/match
/bin/mkdir -p `pwd`/regress/unittests/utf8
/bin/mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] ||  ln -s `cd . && pwd`/regress/Makefile 
`pwd`/regress/Makefile
(cd openbsd-compat && /usr/bin/make)
BUILDDIR=`pwd`;  TEST_SSH_SCP="${BUILDDIR}/scp";  
TEST_SSH_SSH="${BUILDDIR}/ssh";  TEST_SSH_SSHD="${BUILDDIR}/sshd";  
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent";  
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add";  
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen";  
TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper";  
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan";  
TEST_SSH_SFTP="${BUILDDIR}/sftp";  
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server";  TEST_SSH_PLINK="plink";  
TEST_SSH_PUTTYGEN="puttygen";  TEST_SSH_CONCH="conch";  
TEST_SSH_IPV6="yes" ;  TEST_SSH_UTF8="yes" ;  TEST_SSH_ECC="yes" ;  cd 
./regress || exit $?;  /usr/bin/make  .OBJDIR="${BUILDDIR}/regress"  
.CURDIR="`pwd`"  BUILDDIR="${BUILDDIR}"  
OBJ=""/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress""  
PATH="${BUILDDIR}:${PATH}"  TEST_ENV=MALLOC_OPTIONS="AJRX"  
TEST_MALLOC_OPTIONS="AJRX"  TEST_SSH_SCP="${TEST_SSH_SCP}"  
TEST_SSH_SSH="${TEST_SSH_SSH}"  TEST_SSH_SSHD="${TEST_SSH_SSHD}"  
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}"  
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}"  
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"  
TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}"  
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"  
TEST_SSH_SFTP="${TEST_SSH_SFTP}"  
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}"  
TEST_SSH_PLINK="${TEST_SSH_PLINK}"  
TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}"  
TEST_SSH_CONCH="${TEST_SSH_CONCH}"  TEST_SSH_IPV6="${TEST_SSH_IPV6}"  
TEST_SSH_UTF8="${TEST_SSH_UTF8}"  TEST_SSH_ECC="${TEST_SSH_ECC}"  
TEST_SHELL="sh"  EXEEXT=""  tests && echo all tests passed
test "x" = "x" || mkdir -p 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-out
set -e ; if test -z "" ; then  V="" ;  test "x" = "x" ||  
V=/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/valgrind-unit.sh 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshbuf/test_sshbuf 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/test_sshkey 
  -d 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/sshkey/testdata 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/bitmap/test_bitmap 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/conversion/test_conversion 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/kex/test_kex 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/test_hostkeys 
  -d 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/hostkeys/testdata 
;  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/match/test_match 
;  if test "xyes" = "xyes"  ; then  $V 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress/unittests/utf8/test_utf8 
;  fi  fi
test_sshbuf: 
.................................................................................................... 
101 tests ok
test_sshkey: ....................................
regress/unittests/sshkey/test_file.c:74 test #37 "parse RSA from private 
w/ passphrase"
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, (const char 
*)sshbuf_ptr(pw), &k2, NULL), 0) failed:
sshkey_parse_private_fileblob(buf, (const char *)sshbuf_ptr(pw), &k2, 
NULL) = -4
            0 = 0
Abort trap (core dumped)
*** Error code 134

Stop.
make[1]: stopped in 
/usr/ports/security/openssh-portable/work/openssh-7.7p1/regress
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable/work/openssh-7.7p1
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable

[brnrd at build openssh-portable]$


Script done on Fri Apr  6 21:50:47 2018
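The failing keys in this thread are all in the legacy OpenSSL PEM encoding ("BEGIN RSA/EC PRIVATE KEY" with Proc-Type/DEK-Info headers), while the keys that load are in the OpenSSH-native format ("BEGIN OPENSSH PRIVATE KEY"). Before upgrading the crypto library it helps to know which keys on a host are still legacy PEM. The script below is an added example, not part of the thread or of OpenSSH: it classifies a key file by its first lines and prints the `ssh-keygen -p -o -f` command Bernard arrived at for each legacy key. It assumes keys live under a directory as `id_*` files; the sample key files it creates are constructed placeholders with fake bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH project): find private
# keys still stored in the legacy OpenSSL PEM encoding and print the
# ssh-keygen command that rewrites them in the OpenSSH-native format.

# classify_key FILE -> prints one of:
#   openssh        "-----BEGIN OPENSSH PRIVATE KEY-----" (new format)
#   pem-encrypted  legacy PEM carrying a "Proc-Type: 4,ENCRYPTED" header
#   pem-plain      legacy PEM without passphrase headers
#   unknown        anything else (public key, certificate, garbage); exit 1
classify_key() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 1; }
    first=$(head -n 1 "$file")
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            # Legacy PEM: the encryption marker, when present, sits in the
            # header block (lines 2-3) before the base64 body.
            if head -n 3 "$file" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# needs_conversion FILE -> exit 0 when the key is legacy PEM (either kind)
needs_conversion() {
    case $(classify_key "$1") in
        pem-encrypted|pem-plain) return 0 ;;
        *) return 1 ;;
    esac
}

# report_keys DIR -> one line per private key that should be rewritten.
# It only prints the command: -p prompts for the passphrase and rewrites
# the file in place, so take a backup before running it.
report_keys() {
    dir=$1
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if needs_conversion "$f"; then
            printf '%s: %s -> ssh-keygen -p -o -f %s\n' \
                "$f" "$(classify_key "$f")" "$f"
        fi
    done
}

# Constructed sample files (fake bodies, not real keys) in a temp directory.
make_samples() {
    d=$(mktemp -d)
    printf -- '-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nMIGk...\n-----END EC PRIVATE KEY-----\n' > "$d/id_ecdsa"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/id_ed25519"
    printf 'ssh-ed25519 AAAA... user@host\n' > "$d/id_ed25519.pub"
    echo "$d"
}

# Usage: sh findlegacy.sh --demo   (runs against the constructed samples)
if [ "${1-}" = "--demo" ]; then
    d=$(make_samples)
    report_keys "$d"
    rm -rf "$d"
fi
```

Point `report_keys` at `~/.ssh` to check a real account. The `-o` flag is what selects the new format in OpenSSH 7.7; from OpenSSH 7.8 onward that format is the default, so `ssh-keygen -p -f keyfile` alone rewrites the key, and `-o` is accepted but no longer needed.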

