Control: severity -1 minor
Control: retitle -1 dropbear-bin: dropbearconvert doesn't understand new OpenSSH (>=7.8) private key format

On Mon, 30 Mar 2020 at 22:04:31 +0100, André Rodier wrote:
> The dropbear-bin package comes with a tool to convert keys from
> OpenSSL. This tool worked on Stretch, but is now broken on Buster.

dropbearconvert(1) only understands the legacy PEM private key format.
(It should be documented, but I guess at the time the tool was written
the new format didn't exist yet.)  Since 1:7.8p1-1 ssh-keygen(1) writes
private keys in a new format, see the OpenSSH changes and/or release
notes.  Keys can be generated and converted to PEM using ‘-m PEM’:

    $ ssh-keygen -N "" -f /tmp/openssh.key
    […]
    $ grep ^--- /tmp/openssh.key
    -----BEGIN OPENSSH PRIVATE KEY-----
    -----END OPENSSH PRIVATE KEY-----
    $ dropbearconvert openssh dropbear /tmp/openssh.key /tmp/dropbear.key
    Error: Unrecognised key type
    Error reading key from '/tmp/openssh.key'

Convert to PEM:

    $ ssh-keygen -p -N "" -m PEM -f /tmp/openssh.key
    […]
    Your identification has been saved with the new passphrase.
    $ grep ^--- /tmp/openssh.key
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    $ dropbearconvert openssh dropbear /tmp/openssh.key /tmp/dropbear.key
    Key is a ssh-rsa key
    Wrote key to '/tmp/dropbear.key'

Or generate to PEM directly:

    $ ssh-keygen -N "" -m PEM -f /tmp/openssh.key
    […]
    $ grep ^--- /tmp/openssh.key
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    $ dropbearconvert openssh dropbear /tmp/openssh.key /tmp/dropbear.key
    Key is a ssh-rsa key
    Wrote key to '/tmp/dropbear.key'

I'm keeping that bug open but it's really not that important, at most a
documentation issue or a wishlist upstream bug to add support for the
new OpenSSH format in dropbearconvert(1).

--
Guilhem.
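
The header check and PEM conversion shown in the message above, wrapped as a POSIX shell helper. This is an added example, not part of the original mail or of dropbear; the function names key_format and to_dropbear are made up for it, and it converts a copy because ssh-keygen -p rewrites the key file in place.

```shell
#!/bin/sh
# Added example; key_format and to_dropbear are names made up for it.

# Print "openssh-new", "pem-legacy" or "unknown" from the first line of $1.
key_format() {
    first=
    IFS= read -r first < "$1" || :   # tolerate a missing trailing newline
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh-new ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            echo pem-legacy ;;
        *)
            echo unknown ;;
    esac
}

# Write a Dropbear-format copy of private key $1 to $2; $1 is never modified.
# Example: to_dropbear /tmp/openssh.key /tmp/dropbear.key
to_dropbear() {
    src=$1 dst=$2
    case $(key_format "$src") in
        pem-legacy)  dropbearconvert openssh dropbear "$src" "$dst"; return ;;
        openssh-new) ;;
        *)           echo "unrecognised key file: $src" >&2; return 1 ;;
    esac
    # ssh-keygen -p rewrites its file in place, so convert a copy that lives
    # in a mode-0700 temporary directory and is removed afterwards.
    tmpdir=$(mktemp -d) || return 1
    rc=0
    {
        ( umask 077 && cp "$src" "$tmpdir/key" ) &&
        ssh-keygen -p -N "" -m PEM -f "$tmpdir/key" >/dev/null &&
        # Check the header instead of trusting the exit status: Ed25519 keys,
        # for instance, are only ever written in the new format.
        [ "$(key_format "$tmpdir/key")" = pem-legacy ] &&
        dropbearconvert openssh dropbear "$tmpdir/key" "$dst"
    } || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}
```

The temporary copy is written with an empty passphrase (the same -N "" as in the message), which is why it is kept in a private directory and deleted as soon as dropbearconvert has run.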