https://bugzilla.mindrot.org/show_bug.cgi?id=3190
Bug ID: 3190
Summary: Inconsistent handling of private keys without
accompanying public keys
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: jjelen@redhat.com
It comes up from time to time that somebody uses private key without
public key in separate file. OpenSSH is trying to be helpful to read
the separate public key file initially, to prevent decrypting private
keys to early, but currently it is very inconsistent. See the following
steps:
1) generate private key (unencrypted, in openssh format)
$ ssh-keygen -f /tmp/rsa -N ''
2) remove public part
$ rm /tmp/rsa.pub
3) ssh-keygen handles this use case well:
$ ssh-keygen -lf /tmp/rsa
4) We can add the key simply to ssh-agent:
$ ssh-add /tmp/rsa0
5) Whoops, we can not remove it afterward (this error message is very
confusing since it refers to /tmp/rsa.pub and /tmp/rsa is in place):
$ ssh-add -d /tmp/rsa
Bad key file /tmp/rsa: No such file or directory
6) Using the key from ssh gives bogus warnings, even though the key is
used afteward without any issues:
$ ssh -v -i /tmp/rsa localhost
[...]
debug1: identity file /tmp/rsa type -1
debug1: identity file /tmp/rsa-cert type -1
[...]
debug1: Trying private key: /tmp/rsa
debug1: Authentication succeeded (publickey).
I think the requirement of the separate public key made sense in the
encrypted legacy file formats, but the new OpenSSH file format stores
public key already inside of the private key container and if the key
is not encrypted at all, sidecar file should not be needed either.
I believe we should drop the requirement for separate public key file
at least in these cases and make the above more consistent.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Bug ID: 3190
Summary: Inconsistent handling of private keys without
accompanying public keys
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: jjelen@redhat.com
It comes up from time to time that somebody uses private key without
public key in separate file. OpenSSH is trying to be helpful to read
the separate public key file initially, to prevent decrypting private
keys to early, but currently it is very inconsistent. See the following
steps:
1) generate private key (unencrypted, in openssh format)
$ ssh-keygen -f /tmp/rsa -N ''
2) remove public part
$ rm /tmp/rsa.pub
3) ssh-keygen handles this use case well:
$ ssh-keygen -lf /tmp/rsa
4) We can add the key simply to ssh-agent:
$ ssh-add /tmp/rsa0
5) Whoops, we can not remove it afterward (this error message is very
confusing since it refers to /tmp/rsa.pub and /tmp/rsa is in place):
$ ssh-add -d /tmp/rsa
Bad key file /tmp/rsa: No such file or directory
6) Using the key from ssh gives bogus warnings, even though the key is
used afteward without any issues:
$ ssh -v -i /tmp/rsa localhost
[...]
debug1: identity file /tmp/rsa type -1
debug1: identity file /tmp/rsa-cert type -1
[...]
debug1: Trying private key: /tmp/rsa
debug1: Authentication succeeded (publickey).
I think the requirement of the separate public key made sense in the
encrypted legacy file formats, but the new OpenSSH file format stores
public key already inside of the private key container and if the key
is not encrypted at all, sidecar file should not be needed either.
I believe we should drop the requirement for separate public key file
at least in these cases and make the above more consistent.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs