OpenSSH private key format errors with LibreSSL 2.7

Joel Sing joel at sing.id.au
Sat Apr 7 22:30:22 AEST 2018


On Saturday 07 April 2018 11:50:15 Bernard Spil wrote:
> On 2018-04-07 11:24, Bernard Spil wrote:
> > On 2018-04-07 9:04, Joel Sing wrote:
> >> On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
> >>> Hi,
> >>> 
> >>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
> >>> ECDSA private keys.
> >>> 
> >>>      Error loading key "./id_rsa": invalid format
> >>> 
> >>> Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
> >>> issue early on with LibreSSL 2.7 by converting the key to "new file
> >>> format" (to verify the ecdsa key wasn't corrupted I loaded it in
> >>> 
> >>> Fail:
> >>> -----BEGIN EC PRIVATE KEY-----
> >>> Proc-Type: 4,ENCRYPTED
> >>> DEK-Info: AES-128-CBC,<snip>
> >>> 
> >>> -----BEGIN RSA PRIVATE KEY-----
> >>> Proc-Type: 4,ENCRYPTED
> >>> DEK-Info: AES-128-CBC,<snip>
> >>> 
> >>> Success (both keys after converting):
> >>> -----BEGIN OPENSSH PRIVATE KEY-----
> >>> 
> >>> I've been digging through ssh-keygen to find a way to convert them but
> >>> have yet to find the right knobs. -e only exports public keys.
> >>> 
> >>> Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
> >>> 
> >>> Any hints?
> >> 
> >> What does the following say, when compiled with 2.7.2:
> >> 
> >> $ openssl version
> >> $ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
> >> $ ssh -V
> > 
> > Meanwhile I've figured out that I can prevent issues if I convert the
> > private key file to new format with
> > 
> >    ssh-keygen -po -f keyfile

This is a workaround - it uses an OpenSSH specific format, rather than 
OpenSSL's encrypted PEM.

> > I had saved my old key as id_rsa-oldformat
> > 
> > $ openssl version
> > LibreSSL 2.7.2
> > $ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
> > Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
> > $ echo $?
> > 0

This confirms that LibreSSL 2.7.2 can still read, decode and decrypt the key.

> > $ ssh -V
> > OpenSSH_7.2p2, LibreSSL 2.7.1
> > $ /usr/local/bin/ssh -V
> > OpenSSH_7.6p1, LibreSSL 2.7.1
> > 
> > I see that I need to recompile ssh with 2.7.2, the libraries they use
> > are 2.7.2 not 2.7.1.
> > 
> > Cheers, Bernard.
> 
> To rule out issues with OpenSSH in base or ports on FreeBSD, I've now
> built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.
> 
> $ ./configure --prefix=$HOME/openssh
> $ make
> $ make install
> $ cd ~/openssh/bin
> $ ./ssh -V
> OpenSSH_7.7p1, LibreSSL 2.7.2
> $ ldd ./ssh
> ./ssh:
>          libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
>          libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
>          libz.so.6 => /lib/libz.so.6 (0x800ebf000)
>          libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
>          libc.so.7 => /lib/libc.so.7 (0x8012f7000)
> $ ./ssh-add ~/.ssh/id_rsa-oldformat
> Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format

I've built LibreSSL 2.7.2 portable and OpenSSH 7.7p1 on a clean system:

$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ./ssh-add 
Enter passphrase for /home/joel/.ssh/id_rsa: 
Identity added: /home/joel/.ssh/id_rsa (/home/joel/.ssh/id_rsa)

The only thing that really changed from 2.6.4 to 2.7.2 in this area was the 
auto-initialisation. I suspect that there is something with your environment 
that is triggering the problem. The failure you're seeing is most likely 
coming from the PEM_read_bio_PrivateKey() call in 
sshkey_parse_private_pem_fileblob() - adding the following after line 3772 of 
sshkey.c may give us some insight:

  ERR_print_errors_fp(stderr);
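Added example, not OpenSSH or LibreSSL code: a small Python triage script that tells the two containers in this thread apart by parsing their envelopes, i.e. the legacy OpenSSL PEM with Proc-Type/DEK-Info headers (the path that ends in PEM_read_bio_PrivateKey()) versus the openssh-key-v1 container that `ssh-keygen -po` writes, and reports for each whether it is passphrase-protected and with which cipher or KDF. The sample key files at the bottom are constructed in the script from dummy bytes and are not real key material; only the container layout is real.

```python
"""Triage an SSH private key file: which container format it uses and whether
it is passphrase-protected.  Added example; not OpenSSH or LibreSSL code.
Legacy keys use OpenSSL's PEM envelope (RFC 1421 Proc-Type/DEK-Info headers),
which OpenSSH hands to PEM_read_bio_PrivateKey(); keys rewritten with
`ssh-keygen -po` use the OpenSSH-native openssh-key-v1 container instead."""
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _ssh_string(data):
    """Encode an SSH wire 'string': 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode an SSH wire 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _triage_pem(label, headers):
    """Legacy OpenSSL envelope: encryption is signalled by the PEM headers."""
    info = {"format": "openssl-pem", "key_type": label.replace(" PRIVATE KEY", ""),
            "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED"}
    if info["encrypted"]:
        info["cipher"], _, info["iv_hex"] = headers.get("DEK-Info", "").partition(",")
    return info

def _triage_openssh(blob):
    """openssh-key-v1: magic, ciphername, kdfname, kdfoptions, nkeys, pubkey, ..."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("OPENSSH PRIVATE KEY label but no openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    ciphername, off = _read_string(blob, off)
    kdfname, off = _read_string(blob, off)
    kdfoptions, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    pubkey, off = _read_string(blob, off + 4)
    keytype, _ = _read_string(pubkey, 0)
    info = {"format": "openssh-v1", "key_type": keytype.decode(),
            "encrypted": ciphername != b"none", "cipher": ciphername.decode(),
            "kdf": kdfname.decode(), "nkeys": nkeys}
    if kdfname == b"bcrypt":           # kdfoptions = string(salt) || uint32 rounds
        _salt, o = _read_string(kdfoptions, 0)
        (info["kdf_rounds"],) = struct.unpack(">I", kdfoptions[o:o + 4])
    return info

def triage_key(text):
    """Classify a private key file's container; returns a dict of findings."""
    m = PEM_RE.search(text)
    if not m:
        return {"format": "unknown", "encrypted": None}
    label, body = m.group(1), m.group(2)
    headers, payload, in_headers = {}, [], True
    for line in body.splitlines():
        line = line.strip()
        if in_headers and ":" in line:        # base64 never contains ':'
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
            continue
        in_headers = False
        if line:
            payload.append(line)
    if label == "OPENSSH PRIVATE KEY":
        return _triage_openssh(base64.b64decode("".join(payload)))
    return _triage_pem(label, headers)

# Constructed samples: dummy bytes shaped like real containers, not real keys.
LEGACY_RSA = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              + base64.b64encode(b"\x00" * 48).decode()
              + "\n-----END RSA PRIVATE KEY-----\n")

def _fake_openssh_blob(encrypted):
    """Build a syntactically valid openssh-key-v1 container around dummy bytes."""
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(b"\x01" * 16) + struct.pack(">I", 16)   # salt, rounds
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x02" * 32)
    return (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(pub) + _ssh_string(b"\x03" * 64))

def _wrap_openssh(blob):
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

NEW_FORMAT_ENCRYPTED = _wrap_openssh(_fake_openssh_blob(True))
NEW_FORMAT_PLAIN = _wrap_openssh(_fake_openssh_blob(False))

if __name__ == "__main__":
    for name, text in [("legacy", LEGACY_RSA), ("new-enc", NEW_FORMAT_ENCRYPTED),
                       ("new-plain", NEW_FORMAT_PLAIN)]:
        print(name, triage_key(text))
```

On a real file, `triage_key(open(path).read())` is enough: a result with format "openssl-pem" means the key still goes through libcrypto's PEM decoder and is the case worth testing against `openssl rsa -in ... -noout` as above, while "openssh-v1" is the `-po` rewritten form that OpenSSH decodes itself. The private section of the openssh-key-v1 blob is deliberately left opaque here; decrypting it needs bcrypt_pbkdf and the cipher, which is outside what this triage needs.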
