https://bugzilla.mindrot.org/show_bug.cgi?id=1550
--- Comment #1 from Jim Knoble <jmknoble@pobox.com> 2009-01-23 07:52:35 ---
Date: Tue, 20 Jan 2009 20:42:38 -0500
From: Jim Knoble <jmknoble@pobox.com>
To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
Subject: Re: OpenSSH private key encryption: time for AES?
Message-ID: <20090121014237.GD29074@crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
References: <20090120060635.GA29074@crawfish.ais.com>
<alpine.BSO.1.10.0901201822540.5492@fuyu.mindrot.org>
In-Reply-To: <alpine.BSO.1.10.0901201822540.5492@fuyu.mindrot.org>
Circa 2009-01-20 02:30 dixit Damien Miller:
: On Tue, 20 Jan 2009, Jim Knoble wrote:
:
: > [...]how can i encrypt my 4096-bit SSH RSA keypair with
: > something like AES-128, AES-256, or Twofish instead of 3DES and still
: > use it with OpenSSH? Can ssh-add read (unencrypted) key data from stdin?
Experimentation has shown that the following will add a key to a running
ssh-agent (OpenSSH_4.6p1, Ubuntu 7.10):
$ cat id_rsa-unencrypted |ssh-add /dev/stdin
$ ssh-add -l |fgrep /dev/stdin
2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA)
$
However, the following will not remove the key from the agent:
$ cat id_rsa-unencrypted |ssh-add -d /dev/stdin
Bad key file /dev/stdin
$
If both operations worked, then one could use an external
encryption/decryption facility with one's private keys, e.g.:
openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin
(although it would take a passphrase to remove a key from ssh-agent).
: If you want to change it then you can do something like [a one-liner
: change to authfile.c]. It probably wouldn't hurt to change - new
: installations will still be able to read old keys
It would be nice for newer OpenSSH to be able to produce private keys
usable by older OpenSSH as well.
Any chance of an option in ssh-keygen to specify the cipher? E.g.:
# Use '-E' with any of: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc
ssh-keygen -t rsa -E aes256-cbc
Alternatively:
# Encrypt with AES-256:
ssh-keygen -t rsa -A
# Encrypt with 3DES:
ssh-keygen -t rsa -3
# Use default encryption:
ssh-keygen -t rsa
Finally:
# Encrypt with AES-256:
ssh-keygen -t rsa
# Encrypt with 3DES ('-O' for "old"):
ssh-keygen -t rsa -O:1
Cheers,
jim
--
jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
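The round trip sketched in the message above (external AES-256-CBC encryption with openssl, loading through "ssh-add /dev/stdin", and the removal step that did not work from stdin), as an added example that is not part of the original message or of OpenSSH. It assumes ssh-keygen, ssh-agent, ssh-add and an openssl whose "enc" knows "-pbkdf2" (OpenSSL 1.1.1 or later) are on PATH; the key name, comment and passphrase are invented for the demo. Removal is done by passing the public key file to "ssh-add -d", since that is what "-d" actually reads, which is why no passphrase is needed to take the key out of the agent.

```shell
#!/bin/sh
# Added example, not code from the original message or from OpenSSH: keep a
# private key under external AES-256-CBC encryption with openssl(1), load it
# into ssh-agent by piping the decrypted key to "ssh-add /dev/stdin", and
# remove it again by its public key (the part "ssh-add -d" actually reads).
# Assumed: ssh-keygen, ssh-agent, ssh-add and an openssl with "enc -pbkdf2"
# (OpenSSL 1.1.1 or later) on PATH.  Key names and the passphrase are invented.

# Generate a throwaway keypair, encrypt the private half with AES-256-CBC,
# delete the plaintext, and print the public key's fingerprint.
# $1 = base path of the key, $2 = passphrase for the external encryption
prepare_key() {
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$1" >/dev/null
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$2" -in "$1" -out "$1.aes"
    rm -f "$1"                               # only the .aes and .pub copies remain
    ssh-keygen -lf "$1.pub" | awk '{ print $2 }'
}

# Decrypt the key on the fly and hand it to the agent through /dev/stdin, so
# the plaintext never touches the filesystem.  ssh-add names the identity
# after the path it was given unless the key file carries its own comment.
add_encrypted_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2" -in "$1.aes" |
        ssh-add /dev/stdin 2>/dev/null
}

# Print "yes" if the running agent holds a key with fingerprint $1.
agent_has_key() {
    if ssh-add -l 2>/dev/null | grep -qF "$1"; then echo yes; else echo no; fi
}

# Removal needs only the public key, which is neither secret nor encrypted,
# so no passphrase is required to take a key out of the agent.
remove_key() {
    if ssh-add -d "$1.pub" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Run the whole round trip in a private agent and a temporary directory;
# prints one summary line such as "added=yes removed=yes gone=yes".
run_demo() {
    work=$(mktemp -d)
    pass='demo-passphrase-replace-me'            # constructed for the example
    fp=$(prepare_key "$work/id_demo" "$pass")
    eval "$(ssh-agent -s)" >/dev/null            # agent just for this run
    add_encrypted_key "$work/id_demo" "$pass"
    added=$(agent_has_key "$fp")
    removed=$(remove_key "$work/id_demo")
    gone=$([ "$(agent_has_key "$fp")" = no ] && echo yes || echo no)
    kill "$SSH_AGENT_PID" 2>/dev/null || true
    rm -rf "$work"
    echo "added=$added removed=$removed gone=$gone"
}

run_demo
```

The decrypt-and-pipe step is the one the message already found to work; the only caveat is that the decrypted key is visible for a moment on the pipe and in the openssl process, not on disk. Later OpenSSH releases also let ssh-keygen choose the cipher itself for its own key format ("ssh-keygen -Z cipher"), which removes the need for the external openssl step when old-format compatibility is not required.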