11 events
when what by license comment
Jul 6, 2023 at 5:55 comment added dave_thompson_085 Okay, if a 2047-bit key generated by openssl works but one converted by puttygen doesn't, I give up. There is nothing that should be different between those.
Jul 3, 2023 at 8:07 comment added János Geringer Yes and yes. So, it's openssl 3.0.9 and ssh accepts it without hesitation.
Jul 1, 2023 at 4:46 comment added dave_thompson_085 You're using OpenSSL 3.0.0 up? That writes PKCS8 format (BEGIN/END PRIVATE KEY or ENCRYPTED PRIVATE KEY) while older writes 'traditional' PKCS1 format (RSA PRIVATE KEY) which is slightly smaller, but length is also affected by setting a password and some random factors. OpenSSH should read either, as well as (>=6.5) its own 'new' format (OPENSSH PRIVATE KEY). My question was: does openssl genrsa 2047 create a key AND does (Fedora) ssh accept THAT (2047-bit) key?
Jun 30, 2023 at 19:10 comment added János Geringer It's working. It generates a private key without error. I'm just curious: it generates a key which begins with -----BEGIN PRIVATE KEY----- while the one which was converted from the putty key begins with -----BEGIN RSA PRIVATE KEY----- And if I pipe the new key to a file it's 1700 bytes, while the converted one is 1663.
Jun 28, 2023 at 11:56 comment added dave_thompson_085 Gack! I didn't notice Fedora! Is your putty from the Fedora packagers or elsewhere? RHEL 8 up and Fedora I-don't-know-exactly-which have systemwide crypto policies that apply to most if not all distro packages and it appears now rejects RSA<2048 by default. If you run openssl genrsa 2047 does it generate a key and does that key work in OpenSSH?
Jun 28, 2023 at 9:19 comment added János Geringer @dave_thompson_085 Yes. In fact, I've tried to specify it with 'ssh -i' as well. The odd thing is, if I generate a new key on my Fedora and copy the new public key to the target, it works. But I guess I confirmed it's an ssh client issue on Fedora, as I've tried it from another laptop with Win10 and MobaXterm and IT WORKS. I also tried it from a CoreELEC Linux box CoreELEC:~ # ssh -V OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023 and it works from there as well. But I still don't know what could be the problem with 8.8p1, as I'm using it with the default config.
Jun 27, 2023 at 6:32 comment added dave_thompson_085 I don't understand either; 2047 bit should be valid. Assuming id_rsa is the same as privat.pem -- did you confirm that?
Jun 25, 2023 at 20:45 comment added János Geringer @dave_thompson_085 I use openssh 8.8p1 without RSA keysize restriction, and according to: openssl rsa -in privat.pem -text -noout 'Private-Key: (2047 bit, 2 primes)' But I don't get why it is working with putty - on Win10 and on Fedora - and not with the openssh client.
Jun 25, 2023 at 3:16 comment added dave_thompson_085 What is the 'size' (bits in modulus) of your key? If you are using very recent OpenSSH (>=9.1) check if it is configured (in ~/.ssh/config or /etc/ssh/ssh_config or similar, or with a wrapping script or alias) to have option RequiredRSASize (in any case, but that's canonical) set too high for your key.
Jun 24, 2023 at 20:46 review First questions
Jun 24, 2023 at 20:53
Jun 24, 2023 at 20:46 history asked János Geringer CC BY-SA 4.0