#9515 enhancement closed fixed (fixed)

conch can't read OpenSSH new-format (bcrypt KDF) private keys

Reported by: Colin Watson
Owned by: Wim L <wiml@…>
Priority: normal
Milestone:
Component: conch
Keywords: review
Cc:
Branch: 9515-openssh-key-v1


OpenSSH 7.8's interoperability tests fail with current Twisted. I tracked this down to the fact that conch doesn't know how to read the new bcrypt-KDF-based private key format that was introduced in OpenSSH 6.5 and made the default in 7.8 (and therefore the test failures can be worked around by patching the OpenSSH test suite to use "ssh-keygen -m PEM" for the conch tests).

https://github.com/twisted/twisted/pull/644/files makes a start at dealing with this, but its parsing code is pretty hacky and in any case it isn't sufficient to solve the problem here, because it only handles Ed25519 keys in the new format. I have most of a patch which I've been able to use to read the full matrix of OpenSSH private keys with (RSA, DSA, ECDSA) x (unencrypted, encrypted) x (old format, new format); I'll post a PR as soon as I've finished polishing it up for submission.
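The container the report refers to is the "openssh-key-v1" format: a PEM-armoured blob holding a cipher name, a KDF name, KDF options (for bcrypt, a salt and a round count), the public key, and a private section that is either plaintext or encrypted and that starts with two equal 32-bit check ints, which is how a wrong passphrase is detected after decryption. The following is an added example written for this page, not code from Twisted, conch or the branch linked above. It builds and parses unencrypted new-format keys for the ticket's key types, verifies the check ints and the 1,2,3,... padding, and for bcrypt-encrypted keys parses and returns the KDF parameters rather than decrypting, since bcrypt_pbkdf and AES are not in the Python standard library. All key material used with it is constructed for illustration and is not a real key; the function and field names are this example's own.

```python
import base64
import struct

# Added example for this ticket, not Twisted/conch code. Constants and layout
# follow OpenSSH's PROTOCOL.key; key material used with it is constructed.
MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOT = b"-----END OPENSSH PRIVATE KEY-----"

# Fields after the key type string in the private section: "s" = SSH string, "m" = SSH mpint.
PRIVATE_FIELDS = {
    b"ssh-ed25519": (("public", "s"), ("private", "s")),
    b"ssh-rsa": (("n", "m"), ("e", "m"), ("d", "m"), ("iqmp", "m"), ("p", "m"), ("q", "m")),
    b"ssh-dss": (("p", "m"), ("q", "m"), ("g", "m"), ("y", "m"), ("x", "m")),
    b"ecdsa-sha2-nistp256": (("curve", "s"), ("Q", "s"), ("d", "m")),
}

def ssh_uint32(n):
    return struct.pack(">I", n)

def ssh_string(data):
    return ssh_uint32(len(data)) + data

def ssh_mpint(n):
    """Non-negative mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    return ssh_string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Reader:
    """Cursor over SSH wire data; every read is bounds-checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated field")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]
    def string(self):
        return self.take(self.uint32())
    def mpint(self):
        return int.from_bytes(self.string(), "big", signed=True)
    def rest(self):
        return self.data[self.pos:]

def wrap_envelope(cipher, kdfname, kdfoptions, public_blob, private_section):
    # Outer container: magic, cipher, kdf, kdf options, key count (always 1 in practice), public key, private section.
    blob = (MAGIC + ssh_string(cipher) + ssh_string(kdfname) + ssh_string(kdfoptions)
            + ssh_uint32(1) + ssh_string(public_blob) + ssh_string(private_section))
    b64 = base64.b64encode(blob)
    return b"\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_FOOT]) + b"\n"

def build_unencrypted_key(key_type, public_blob, private_values, comment=b"", checkints=(0x5A5A5A5A, 0x5A5A5A5A)):
    """Serialise one key with cipher/kdf "none". A differing checkints pair mimics a wrong-passphrase decrypt."""
    if len(private_values) != len(PRIVATE_FIELDS[key_type]):
        raise ValueError("wrong number of private fields for %r" % key_type)
    section = ssh_uint32(checkints[0]) + ssh_uint32(checkints[1]) + ssh_string(key_type)
    for (_, kind), value in zip(PRIVATE_FIELDS[key_type], private_values):
        section += ssh_string(value) if kind == "s" else ssh_mpint(value)
    section += ssh_string(comment)
    padlen = (-len(section)) % 8  # block size is 8 for cipher "none"; pad bytes run 1, 2, 3, ...
    section += bytes(range(1, padlen + 1))
    return wrap_envelope(b"none", b"none", b"", public_blob, section)

def parse_private_section(section, block_size):
    """Plaintext private section (never encrypted, or already decrypted) -> type, fields, comment."""
    r = Reader(section)
    check1, check2 = r.uint32(), r.uint32()
    if check1 != check2:
        raise ValueError("check ints differ: wrong passphrase or corrupt key")
    key_type = r.string()
    if key_type not in PRIVATE_FIELDS:
        raise ValueError("unsupported key type %r" % key_type)
    fields = {name: r.string() if kind == "s" else r.mpint() for name, kind in PRIVATE_FIELDS[key_type]}
    comment = r.string()
    padding = r.rest()
    if len(padding) >= block_size or padding != bytes(range(1, len(padding) + 1)):
        raise ValueError("bad padding")
    return {"type": key_type, "fields": fields, "comment": comment}

def parse_openssh_private_key(pem):
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_FOOT:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode(b"".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: not an openssh-key-v1 file")
    r = Reader(blob[len(MAGIC):])
    cipher, kdfname, kdfoptions = r.string(), r.string(), r.string()
    if r.uint32() != 1:
        raise ValueError("only single-key files are supported")
    public_blob, private_section = r.string(), r.string()
    if r.rest():
        raise ValueError("trailing data after private section")
    if kdfname == b"bcrypt":
        o = Reader(kdfoptions)
        salt, rounds = o.string(), o.uint32()
        # Decrypting needs bcrypt_pbkdf(passphrase, salt, rounds) plus the named cipher, neither of
        # which is in the stdlib; hand the parameters back so the caller can do that step.
        return {"encrypted": True, "cipher": cipher, "kdf": kdfname, "salt": salt,
                "rounds": rounds, "public_blob": public_blob, "ciphertext": private_section}
    if cipher != b"none" or kdfname != b"none" or kdfoptions:
        raise ValueError("unsupported cipher/kdf %r/%r" % (cipher, kdfname))
    key = parse_private_section(private_section, block_size=8)
    if Reader(public_blob).string() != key["type"]:
        raise ValueError("public and private key types disagree")
    return {"encrypted": False, "cipher": cipher, "kdf": kdfname, "public_blob": public_blob, **key}
```

Two points worth noting for anyone implementing this in conch: the check ints are the only integrity signal a wrong passphrase gives you (the decrypted section is otherwise just garbage that happens to parse or not), so `parse_private_section` must be run on the decrypted bytes with the real cipher block size (16 for the AES ciphers) and must treat a check-int mismatch as an authentication failure, not a parse error; and every length field comes from the file, so each read must be bounds-checked as `Reader.take` does rather than trusting the length prefix.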

Change History (3)

comment:1 Changed 12 months ago by Colin Watson

Keywords: review added

comment:2 Changed 10 months ago by Wim Lewis

Branch: 9515-openssh-key-v1

comment:3 Changed 10 months ago by Wim L <wiml@…>

Owner: set to Wim L <wiml@…>
Resolution: fixed
Status: new → closed

In 487dc1b:

Merge pull request #1053 from cjwatson/9515-openssh-key-v1

Author: cjwatson
Reviewer: lvh, wiml
Fixes: ticket:9515

Add support for new OpenSSH private key format
