OpenSSH private key format errors with LibreSSL 2.7
Bernard Spil
brnrd at freebsd.org
Sat Apr 7 19:24:13 AEST 2018
On 2018-04-07 9:04, Joel Sing wrote:
> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
>> Hi,
>>
>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
>> ECDSA private keys.
>>
>> Error loading key "./id_rsa": invalid format
>>
>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
>> issue early on with LibreSSL 2.7 by converting the key to "new file
>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
>>
>> Fail:
>> -----BEGIN EC PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: AES-128-CBC,<snip>
>>
>> Success (both keys after converting):
>> -----BEGIN OPENSSH PRIVATE KEY-----
>>
>> I've been digging through ssh-keygen to find a way to convert them but
>> have yet to find the right knobs. -e only exports public keys.
>>
>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
>>
>> Any hints?
>
> What does the following say, when compiled with 2.7.2:
>
> $ openssl version
> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
> $ ssh -V

Meanwhile I've figured out that I can prevent issues if I convert the
private key file to new format with

  ssh-keygen -po -f keyfile

I had saved my old key as id_rsa-oldformat

$ openssl version
LibreSSL 2.7.2
$ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
$ echo $?
0
$ ssh -V
OpenSSH_7.2p2, LibreSSL 2.7.1
$ /usr/local/bin/ssh -V
OpenSSH_7.6p1, LibreSSL 2.7.1

I see that I need to recompile ssh with 2.7.2, the libraries they use
are 2.7.2 not 2.7.1.

Cheers, Bernard.
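
Added example (not part of the original message, and not OpenSSH's own code): a POSIX shell check that classifies private key files by their header lines as legacy PEM, the format shown under "Fail:" in the thread, or the newer OPENSSH PRIVATE KEY container, so keys that still need the `ssh-keygen -po -f keyfile` conversion can be found. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify SSH private key files by on-disk container format.
# Only header lines are read; no key material is parsed or decrypted.

classify_key() {
    # $1 = path to a candidate private key file
    first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh-new" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM: encryption is signalled by the Proc-Type header,
            # as in the failing samples quoted in the thread.
            if sed -n '2,3p' "$1" | tr -d '\r' | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo "legacy-pem-encrypted"
            else
                echo "legacy-pem-plain"
            fi ;;
        *)
            echo "unknown" ;;
    esac
}

scan_keys() {
    # $1 = directory. Prints "<format> <path>" for each recognised key file
    # (skipping *.pub) and returns 1 if any legacy PEM key was found.
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        fmt=$(classify_key "$f")
        [ "$fmt" = "unknown" ] && continue
        echo "$fmt $f"
        case "$fmt" in legacy-pem-*) found=1 ;; esac
    done
    return "$found"
}

make_samples() {
    # Constructed sample files: headers only, no real key material.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0000' > "$1/id_rsa-oldformat"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'AAAA' > "$1/id_ecdsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' > "$1/id_rsa"
    printf '%s\n' 'ssh-rsa AAAA constructed' > "$1/id_rsa.pub"
}

# Demo on constructed samples; point scan_keys at ~/.ssh for real use.
demo=$(mktemp -d); make_samples "$demo"; scan_keys "$demo" || true; rm -rf "$demo"
```

A non-zero return from `scan_keys` means at least one key is still in the legacy PEM container and is a candidate for conversion before the crypto library is upgraded.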
More information about the openssh-unix-dev mailing list