Keep number of rounds when changing passphrase or comment in private keep file

Loïc loic at
Fri Apr 10 00:13:10 AEST 2020


And by the way, I created a small python script to partialy parse the
private key file (new format) to be able to verify that my patch is
working correctly.

Here is the script attached.

Just run it with the private key file in argument:

$ prog/ test
ciphername: aes256-ctr
kdfname: bcrypt
rounds: 16
salt: d2b48709d4363adedc0ceb698916bc93
nkeys: 1
public_key len: 51
encrypted_len: 160

Hope it helps

Best regards


On 09/04/2020, Loïc wrote :
> Hi,
> In ssh-keygen, if I set the number of rounds to a non default value
> using -a option and then change the passphrase or the comment:
> $ ssh-keygen -t ed25519 -Pfoobar -a 100 -f test
> $ ssh-keygen -c -C "foobar comment" -Pfoobar -f test
> The number of rounds is reset to the default value.
> I find this annoying because if I set the number of rounds to a given
> high number for security, I don't want it to be reduce behind my back
> when I change the passphrase or the comment.
> So, I have created patches to change this and make sure the number of
> rounds is preserved if it is not forced when changing the comment or
> passphrase.
> I will send them in the following emails. There are based on the
> portable git (||
> I'm open to your comments (in particular, I'm not pleased with the name
> of the struct sshkey_vault). Also, I'm wondering if the comment itself
> shouldn't be move to this structure.
> Also, I'm considering to add more field to this structure, like the salt
> and cypher, in order to add a feature that display the information about
> the keyfile (type, cypher type, key derivation type, number of rounds,
> comment...)
> Thank you
> Best regards
> Loïc
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at
-------------- next part --------------
A non-text attachment was scrubbed...
Type: text/x-python
Size: 2783 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list