Hello everyone,
we had the pubkey file of an SSH keypair damaged during the transfer to
the target system today, and a part of the resulting confusion resulted
from the fact that when you ask ssh-keygen to fingerprint the *priv*key,
the output may actually represent the *pub*key file's content instead.
Reproduced on another machine:
$ ssh-keygen -t rsa -b 2048 -C foo -f orig
$ cp orig priv
$ ssh-keygen -l -f priv
2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)
(No pubkey file -> data from the privkey.)
$ sed -e 's/$/-bar/' orig.pub > priv.pub
$ ssh-keygen -l -f priv
2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo-bar (RSA)
(*Changed* comment from the pubkey file.)
$ sed -e 's/$/-bar/' -e 's/^s//' orig.pub > priv.pub
$ ssh-keygen -l -f priv
2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)
(*Broken* pubkey -> data from the privkey.)
$ sed -e 's/$/-bar/' -e 's/0/1/' orig.pub > priv.pub
$ ssh-keygen -l -f priv
2048 SHA256:SYhgtUsy0c0zEj4avKjiiqd+FyTXQeA+Tzq9wIafnhU foo-bar (RSA)
(Pubkey with *some* flipped bits -> still gets accepted -> fingerprint
and comment from the pubkey file.)
$ sed -e 's/$/-bar/' -e 's/[1-9]/0/g' orig.pub > priv.pub
$ ssh-keygen -l -f priv
2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)
(Pubkey with *major* modifications -> apparently found not to match the
privkey -> data from the privkey.)
$ ssh -V
OpenSSH_8.7p1, OpenSSL 1.1.1n FIPS 15 Mar 2022
... is this behavior intentional?
Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH
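To make the observations above reproducible without an OpenSSH install, here is an added example (not from the mail, not OpenSSH code) that parses an authorized_keys-style public-key line the way the wire format (RFC 4251 string/mpint fields) requires, computes the SHA256 fingerprint exactly as `ssh-keygen -l` prints it, and then models the observed "use priv.pub if it parses, else fall back to the private key" selection. The modulus is a constructed 2048-bit number, not real key material, and the fallback function is an assumption that reproduces the mail's observations, not a transcription of OpenSSH's own logic; the real tool's checks may be stricter than the structural ones modelled here.

```python
"""Parse/fingerprint OpenSSH public-key lines and model the observed
'ssh-keygen -l -f priv' source selection.  All key material is constructed."""
import base64
import hashlib
import re
import struct
from typing import Optional


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement, length-prefixed."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _decode_mpint(raw: bytes) -> int:
    """Reject negative or non-minimal encodings (as a strict mpint reader does)."""
    if raw and raw[0] & 0x80:
        raise ValueError("negative mpint")
    if len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:
        raise ValueError("non-minimal mpint")
    return int.from_bytes(raw, "big")


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """'<type> <base64 blob> <comment>', the .pub / authorized_keys layout."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Parse one public-key line; raise ValueError for anything malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}") from exc
    fields, off = [], 0
    while off < len(blob):             # walk the length-prefixed fields
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key type on the line does not match the blob")
    if keytype != "ssh-rsa" or len(fields) != 3:
        raise ValueError("only ssh-rsa blobs (type, e, n) are modelled here")
    _decode_mpint(fields[1])
    n = _decode_mpint(fields[2])
    # ssh-keygen -l hashes the raw blob; base64 output without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "bits": n.bit_length(),
            "fingerprint": "SHA256:" + digest, "comment": comment}


def fingerprint_as_ssh_keygen_l(privkey_line: str, pubfile_line: Optional[str]) -> dict:
    """Assumption: models the mail's observations.  privkey_line stands for the
    public key derived from the private key (what 'ssh-keygen -y' would give);
    pubfile_line is the content of priv.pub, or None if that file is absent."""
    if pubfile_line is not None:
        try:
            return dict(parse_pubkey_line(pubfile_line), source="priv.pub")
        except ValueError:
            pass                       # unparseable .pub -> private key wins
    return dict(parse_pubkey_line(privkey_line), source="priv")


def format_like_ssh_keygen(info: dict) -> str:
    """Render '2048 SHA256:... comment (RSA)' as ssh-keygen -l prints it."""
    return f"{info['bits']} {info['fingerprint']} {info['comment']} (RSA)"


# Constructed toy modulus: 2048 bits with the top bit set, NOT a real RSA key.
TOY_N = int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | (1 << 2047)
ORIG_LINE = build_rsa_pubkey_line(65537, TOY_N, "foo")
ORIG = parse_pubkey_line(ORIG_LINE)

# The edits from the mail, applied to the constructed line.
COMMENT_CHANGED = ORIG_LINE + "-bar"                       # sed 's/$/-bar/'
TYPE_BROKEN = COMMENT_CHANGED[1:]                          # sed 's/^s//'
_t, _b, _c = COMMENT_CHANGED.split(" ", 2)
_i = len(_b) - 8                                           # deep inside the modulus
BITS_FLIPPED = f"{_t} {_b[:_i]}{'C' if _b[_i] == 'B' else 'B'}{_b[_i + 1:]} {_c}"
HEAVILY_DAMAGED = re.sub("[1-9]", "0", COMMENT_CHANGED)    # sed 's/[1-9]/0/g'

if __name__ == "__main__":
    for label, pub in [("no .pub", None), ("comment", COMMENT_CHANGED),
                       ("type broken", TYPE_BROKEN), ("bits flipped", BITS_FLIPPED),
                       ("heavily damaged", HEAVILY_DAMAGED)]:
        r = fingerprint_as_ssh_keygen_l(ORIG_LINE, pub)
        print(f"{label:16} [{r['source']}] {format_like_ssh_keygen(r)}")
```

The single-character change lands inside the modulus bytes, so every length prefix and the leading-zero rule still hold and the blob parses as a different, equally well-formed key; the digit-to-zero rewrite hits the `B3Nz` group that encodes the start of the `ssh-rsa` type string, so the type check fails and the private key is reported instead. The practical check this suggests is to compare the fingerprint of the `.pub` file against the one derived from the private key (`ssh-keygen -y -f priv | ssh-keygen -l -f -`) rather than trusting `-l -f priv` alone.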