Opened 10 months ago

Closed 8 months ago

#9515 enhancement closed (fixed)

conch can't read OpenSSH new-format (bcrypt KDF) private keys

Reported by: Colin Watson
Owned by: Wim L <wiml@…>
Priority: normal
Milestone:
Component: conch
Keywords: review
Cc:
Branch: 9515-openssh-key-v1
Author:

Description

OpenSSH 7.8's interoperability tests fail with current Twisted. I tracked this down to the fact that conch doesn't know how to read the new bcrypt-KDF-based private key format that was introduced in OpenSSH 6.5 and made the default in 7.8 (and therefore the test failures can be worked around by patching the OpenSSH test suite to use "ssh-keygen -m PEM" for the conch tests).

https://github.com/twisted/twisted/pull/644/files makes a start at dealing with this, but its parsing code is pretty hacky and in any case it isn't sufficient to solve the problem here, because it only handles Ed25519 keys in the new format. I have most of a patch which I've been able to use to read the full matrix of OpenSSH private keys with (RSA, DSA, ECDSA) x (unencrypted, encrypted) x (old format, new format); I'll post a PR as soon as I've finished polishing it up for submission.
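
The container format the ticket refers to, as an added example that is not part of the ticket or of Twisted's patch: a minimal Python encoder/decoder for the outer openssh-key-v1 structure (the part conch could not read), enough to tell an old PEM key from a new-format one and to surface the bcrypt KDF parameters; all key material below is constructed, and decrypting the private section is left out.

```python
import base64
import struct

# Container layout from OpenSSH's PROTOCOL.key ("openssh-key-v1"):
#   magic, string cipher, string kdf, string kdfoptions, uint32 nkeys,
#   string pubkey[nkeys], string private-section (ciphertext unless kdf == "none").
#   For kdf "bcrypt", kdfoptions = string salt, uint32 rounds.
MAGIC = b"openssh-key-v1\x00"
HEAD, TAIL = b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----END OPENSSH PRIVATE KEY-----"

def ssh_string(data):
    """Encode bytes as an SSH 'string': big-endian uint32 length + payload."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, pos):
    """Decode the SSH string at pos; return (payload, next_pos)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_container(cipher, kdf, kdfopts, pubkeys, private):
    """Assemble a PEM-wrapped container; 'private' is stored as given (no encryption here)."""
    blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
    blob += struct.pack(">I", len(pubkeys)) + b"".join(map(ssh_string, pubkeys))
    b64 = base64.b64encode(blob + ssh_string(private))
    body = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return HEAD + b"\n" + body + b"\n" + TAIL + b"\n"

def parse_container(pem):
    """Parse the outer container; returns cipher, kdf, bcrypt params and raw private section."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != HEAD or lines[-1] != TAIL:
        raise ValueError("not a new-format key; old PEM keys need the classic parser")
    blob = base64.b64decode(b"".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    pos = len(MAGIC)
    cipher, pos = read_string(blob, pos)
    kdf, pos = read_string(blob, pos)
    kdfopts, pos = read_string(blob, pos)
    (nkeys,) = struct.unpack_from(">I", blob, pos)
    pos, pubkeys = pos + 4, []
    for _ in range(nkeys):
        pk, pos = read_string(blob, pos)
        pubkeys.append(pk)
    private, _ = read_string(blob, pos)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "pubkeys": pubkeys, "private": private}
    if kdf == b"bcrypt":  # only then do kdfoptions carry a salt and a round count
        salt, p = read_string(kdfopts, 0)
        info["salt"], info["rounds"] = salt, struct.unpack_from(">I", kdfopts, p)[0]
    return info
```

A key written by `ssh-keygen -m PEM` fails the header check immediately, which is exactly the distinction the ticket's workaround relies on.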

Change History (3)

comment:1 Changed 10 months ago by Colin Watson

Keywords: review added

comment:2 Changed 8 months ago by Wim Lewis

Branch: 9515-openssh-key-v1

comment:3 Changed 8 months ago by Wim L <wiml@…>

Owner: set to Wim L <wiml@…>
Resolution: fixed
Status: new → closed

In 487dc1b:

Merge pull request #1053 from cjwatson/9515-openssh-key-v1

Author: cjwatson
Reviewer: lvh, wiml
Fixes: ticket:9515

Add support for new OpenSSH private key format
