[Bug 2570] New: ssh-keygen -p will convert openssh-format keyfiles back to pem, improperly?

bugzilla-daemon at bugzilla.mindrot.org
Mon May 23 10:31:59 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2570

            Bug ID: 2570
           Summary: ssh-keygen -p will convert openssh-format keyfiles
                    back to pem, improperly?
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: friedman+mindrot at splode.com

Created attachment 2816
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2816&action=edit
shell session log

OS: Fedora 23 x86_64

In the attached session log, I created an ecdsa key in pem format with
no password.  I then use "ssh-keygen -p" to change the password (but
actually keep choosing to blank it) but add "-o" to convert the file to
the new openssh format.  After I run ssh-keygen -p again to convert the
file back to pem format, the contents of the file have changed
drastically and ssh-add can no longer read it.

This behavior occurs with ssh 6.9p1 or ssh 7.2p2 whenever it runs
against openssl 1.0.2 shared libs.  When run against openssl 1.0.1
shared libs, the last pem-format key file can still be loaded.

In my real usage I had a passphrase on my keys.  For the purpose of
this test I used a blank password, but I get the same behavior with or
without a password.

I don't know if the problem is that the openssh->pem conversion is
buggy or if there is an API breakage between openssl 1.0.1 and 1.0.2.
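
To confirm which container a key file is in, and whether it is passphrase-protected, after each "ssh-keygen -p" step described above, the following is an added example (not part of the original report and not OpenSSH code). The function and sample names are hypothetical, the sample files are constructed and hold no real key material, and the check reads only the armor and container header, so it does not validate the key encoding inside.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC of the new OpenSSH private key format

def _read_string(buf, off):
    """Read one SSH length-prefixed string; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def classify_private_key(text):
    """Return (container, encrypted) for the text of a private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("no PEM-style armor found")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != "-----END %s-----" % label:
        raise ValueError("BEGIN/END labels do not match")
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(MAGIC))  # first field: ciphername
        return "openssh", cipher != b"none"
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):  # PKCS#8
        return "pkcs8", label.startswith("ENCRYPTED")
    if label.endswith(" PRIVATE KEY"):  # traditional PEM: EC / RSA / DSA
        enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)
        return "pem", enc
    raise ValueError("unrecognised label: " + label)

def _armor(label, payload, headers=()):
    """Build a constructed sample file around an arbitrary payload."""
    b64 = base64.b64encode(payload).decode()
    return "\n".join(["-----BEGIN %s-----" % label, *headers, b64,
                      "-----END %s-----" % label]) + "\n"

def _ssh_str(b):
    return struct.pack(">I", len(b)) + b

# Constructed samples: container headers followed by zero padding only.
SAMPLE_OPENSSH = _armor("OPENSSH PRIVATE KEY",
                        MAGIC + _ssh_str(b"none") * 2 + bytes(16))
SAMPLE_OPENSSH_ENC = _armor("OPENSSH PRIVATE KEY",
                            MAGIC + _ssh_str(b"aes256-ctr") + _ssh_str(b"bcrypt") + bytes(16))
SAMPLE_PEM_EC = _armor("EC PRIVATE KEY", bytes(32))
SAMPLE_PEM_EC_ENC = _armor("EC PRIVATE KEY", bytes(32), ["Proc-Type: 4,ENCRYPTED", ""])
```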
