6

I am using PuTTYgen to generate a public and private key. My question is, how could I convert these files to RFC 4716 format?

PuTTYgen allows me to save the public key under a general format, example: File Format: All Files(*.*) and the private key under the native PuTTY format. PuTTYgen also allows exporting the keys as OpenSSH or ssh.com.

Despite that, I can't find any option which allows me to convert the file to RFC 4716 format. Is anyone aware of any solution? My operating system is Windows. I appreciate any help you can provide!

2 Answers

2

tl;dr

For an example key (output by PuTTY):

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20140607"
AAAAB3NzaC1yc2EAAAABJQAAAQEAs+UjC01Fk8xs8vpLW1RIipwxG1zXTaCkIdeJ
K3SyhMVl78/QwErTYuIop3wVmVAuTKhw4uYCMaRZCy36FdSGQ9FwDCP+lT36M2Xv
ZtraweH+1IPHzRf2ENNdEfs286zllu96WGtqLYwObXQbHMm3dPDDbH3apynrS/FJ
HisCayFXFN84aBfh9HFHrM++BXqpxTX5nq50QoRwSjMY6qMuLwjJKKQslcb5hlRV
SjCmUZKv9/fH+i0BI7UHJ01XHNp1sisL5biWkakXD9BxXjv/ggyeLsOTtdtrF0DK
7wYQXyNmpRqHYOBdrZlskHf/R1CtWoBi5IIeARWZVDduXf1Pww==
---- END SSH2 PUBLIC KEY ----

The one-line format (e.g. as expected by authorized_keys) is:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAs+UjC01Fk8xs8vpLW1RIipwxG1zXTaCkIdeJK3SyhMVl78/QwErTYuIop3wVmVAuTKhw4uYCMaRZCy36FdSGQ9FwDCP+lT36M2XvZtraweH+1IPHzRf2ENNdEfs286zllu96WGtqLYwObXQbHMm3dPDDbH3apynrS/FJHisCayFXFN84aBfh9HFHrM++BXqpxTX5nq50QoRwSjMY6qMuLwjJKKQslcb5hlRVSjCmUZKv9/fH+i0BI7UHJ01XHNp1sisL5biWkakXD9BxXjv/ggyeLsOTtdtrF0DK7wYQXyNmpRqHYOBdrZlskHf/R1CtWoBi5IIeARWZVDduXf1Pww==

There's no magical command to convert here. If you look closely, I just removed a few lines, removed the newlines, and prepended it with ssh-rsa.

Explanation

The default format that PuTTY uses is defined in RFC4716.

From man ssh-keygen, ssh-keygen supports 3x formats:

  1. RFC4716
  2. PKCS8
  3. PEM

 -m key_format
        Specify a key format for the -i (import) or -e (export) conver‐
        sion options.  The supported key formats are: “RFC4716” (RFC
        4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key)
        or “PEM” (PEM public key).  The default conversion format is
        “RFC4716”.  Setting a format of “PEM” when generating or updating
        a supported private key type will cause the key to be stored in
        the legacy PEM private key format.

The default used by ssh-keygen and PuTTY is actually the same (RFC4716), except that the id_rsa.pub file puts it on one line, which is what the authorized_keys file expects.

Example Key

For example, I'll generate a new key in Debian 10:

user@disp8452:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:lrwmOoBF1PEtDbbVkFwREgWqdJlH5ViEYzQpUAyPyNY user@disp8452
The key's randomart image is:
+---[RSA 2048]----+
| ...+*+oX&Oo     |
| ..o.=o@B*.      |
| .+ E Xo=..      |
| ... o + .       |
| o  .   S        |
|. .    . .       |
|   .  . o        |
|    .. o         |
|    ..           |
+----[SHA256]-----+
user@disp8452:~$ cat /home/user/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzU4exWqu4tsgWIJleq1AJ98cGHswD80cphWYOasspBoOPgdv1rljgb9PFAQX19X+rofYi+aYd1glP8BhRC3rt4zE26J54h8tt46DBT1TkFPJ2O3ULhLSqcv9zENGkGB0bfXkvhI0p/tP4b1a0NnvmNME9i6qyo8/7mPLovaKwP1qkd7/a+p1DQr2XoId9U6G4rx0TKsvhbjmDvaCWAm4c5LT3WbQHh301DWiwsN8xn8LkxaO4GtdIqxHOyj7lmQZGw8ixuvoIY/FjgXhSPGmaWLyz2o45TrTNP7vWxWqgcDi2CegziD67+UN4tBZvB9HwR6V3aaCrV59H15ukAtK1 user@disp8452
user@disp8452:~$ 

RFC4716

You can get that in the PuTTY RFC4716 format as follows:

user@disp8452:~$ ssh-keygen -ef /home/user/.ssh/id_rsa -mRFC4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@disp8452 from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCzU4exWqu4tsgWIJleq1AJ98cGHswD80cphWYOas
spBoOPgdv1rljgb9PFAQX19X+rofYi+aYd1glP8BhRC3rt4zE26J54h8tt46DBT1TkFPJ2
O3ULhLSqcv9zENGkGB0bfXkvhI0p/tP4b1a0NnvmNME9i6qyo8/7mPLovaKwP1qkd7/a+p
1DQr2XoId9U6G4rx0TKsvhbjmDvaCWAm4c5LT3WbQHh301DWiwsN8xn8LkxaO4GtdIqxHO
yj7lmQZGw8ixuvoIY/FjgXhSPGmaWLyz2o45TrTNP7vWxWqgcDi2CegziD67+UN4tBZvB9
HwR6V3aaCrV59H15ukAtK1
---- END SSH2 PUBLIC KEY ----
user@disp8452:~$ 

Note that the fingerprint line is actually the same, so you can manually convert between the multi-line format output by PuTTY and the one-line format just by removing the BEGIN, Comment, and END lines. Then remove newlines and prepend it with ssh-rsa.

PKCS8

And to be complete, here's the PKCS8 format of the key above:

user@disp8452:~$ ssh-keygen -ef /home/user/.ssh/id_rsa -mPKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1OHsVqruLbIFiCZXqtQ
CffHBh7MA/NHKYVmDmrLKQaDj4Hb9a5Y4G/TxQEF9fV/q6H2IvmmHdYJT/AYUQt6
7eMxNuieeIfLbeOgwU9U5BTydjt1C4S0qnL/cxDRpBgdG315L4SNKf7T+G9WtDZ7
5jTBPYuqsqPP+5jy6L2isD9apHe/2vqdQ0K9l6CHfVOhuK8dEyrL4W45g72glgJu
HOS091m0B4d9NQ1osLDfMZ/C5MWjuBrXSKsRzso+5ZkGRsPIsbr6CGPxY4F4Ujxp
mli8s9qOOU60zT+71sVqoHA4tgnoM4g+u/lDeLQWbwfR8Eeld2mgq1efR9ebpALS
tQIDAQAB
-----END PUBLIC KEY-----
user@disp8452:~$

PEM

And the PEM format:

user@disp8452:~$ ssh-keygen -ef /home/user/.ssh/id_rsa -mPEM
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs1OHsVqruLbIFiCZXqtQCffHBh7MA/NHKYVmDmrLKQaDj4Hb9a5Y
4G/TxQEF9fV/q6H2IvmmHdYJT/AYUQt67eMxNuieeIfLbeOgwU9U5BTydjt1C4S0
qnL/cxDRpBgdG315L4SNKf7T+G9WtDZ75jTBPYuqsqPP+5jy6L2isD9apHe/2vqd
Q0K9l6CHfVOhuK8dEyrL4W45g72glgJuHOS091m0B4d9NQ1osLDfMZ/C5MWjuBrX
SKsRzso+5ZkGRsPIsbr6CGPxY4F4Ujxpmli8s9qOOU60zT+71sVqoHA4tgnoM4g+
u/lDeLQWbwfR8Eeld2mgq1efR9ebpALStQIDAQAB
-----END RSA PUBLIC KEY-----
user@disp8452:~$ 
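
The manual conversion described in the answer above, as an added Python example that is not part of the original post. It goes beyond the RSA case: the key type is read from the decoded blob instead of assuming ssh-rsa, and RFC 4716 header lines (including backslash-continued ones) are handled. The function name is hypothetical; the sample input is the answer's own example key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Sample input: the PuTTY-exported key quoted in the answer above.
SAMPLE = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20140607"
AAAAB3NzaC1yc2EAAAABJQAAAQEAs+UjC01Fk8xs8vpLW1RIipwxG1zXTaCkIdeJ
K3SyhMVl78/QwErTYuIop3wVmVAuTKhw4uYCMaRZCy36FdSGQ9FwDCP+lT36M2Xv
ZtraweH+1IPHzRf2ENNdEfs286zllu96WGtqLYwObXQbHMm3dPDDbH3apynrS/FJ
HisCayFXFN84aBfh9HFHrM++BXqpxTX5nq50QoRwSjMY6qMuLwjJKKQslcb5hlRV
SjCmUZKv9/fH+i0BI7UHJ01XHNp1sisL5biWkakXD9BxXjv/ggyeLsOTtdtrF0DK
7wYQXyNmpRqHYOBdrZlskHf/R1CtWoBi5IIeARWZVDduXf1Pww==
---- END SSH2 PUBLIC KEY ----
"""


def rfc4716_to_openssh(text):
    """Return the one-line authorized_keys form of an RFC 4716 public key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END marker lines")
    inner, headers, body, i = lines[1:-1], {}, [], 0
    while i < len(inner):
        line = inner[i]
        i += 1
        if ":" in line and not body:  # headers come before the key data
            while line.endswith("\\") and i < len(inner):  # continued header
                line = line[:-1] + inner[i]
                i += 1
            tag, _, value = line.partition(":")
            headers[tag.strip().lower()] = value.strip().strip('"')
        elif line:
            body.append(line)
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with an SSH string (uint32 length + bytes) that names
    # the algorithm, so the prefix is read from the key, not assumed.
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("bad algorithm-name length in key blob")
    key_type = blob[4:4 + n].decode("ascii")
    return " ".join(p for p in (key_type, b64, headers.get("comment", "")) if p)
```

Calling `rfc4716_to_openssh(SAMPLE)` returns the ssh-rsa line shown in the tl;dr with the comment rsa-key-20140607 appended.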

1

RFC 4716 format is what the "Save public key" command generates:

RFC 4716 specifies a standard format for storing SSH-2 public keys on disk. Some SSH servers (such as ssh.com's) require a public key in this format in order to accept authentication with the corresponding private key. (Others, such as OpenSSH, use a different format; see section 8.2.10.)

To save your public key in the SSH-2 standard format, press the ‘Save public key’ button in PuTTYgen. PuTTYgen will put up a dialog box asking you where to save the file. Select a directory, type in a file name, and press ‘Save’.


A public key in the RFC 4716 format looks like:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "foobar"
AAAAB3NzaC1yc2EAAAABJQAAAQBZ9s5nqsH6bwB1ljF3DHBRs05PpeWIZEYnYRF5
Ri4CTpUlZq2Ne/32qUUKgLTXpGrsbmASqdYLqow5U91slzb5Lg6zfkZsWz+CgAFV
YPQ5/ZbAZHKstvvES8L/RYJBCczSCuJiQbi60OpRryxP2lVQXbWeLrF/xYThW07p
VhyxxOeB1KocM7gfA6etI7GkQBppFuE/gW1c+efzx6GQNaacimm9k7gSdd+t2JZx
x6WmMmTHxDzCcGz4DCjpctG2AHFu6RcguvhX4G4Dk+Q53Hu1+9OvocJXrXxvPbdu
qU9YwfGHe6ZRXTpV/5XvSXvkIr3moKyXiCAzSD20yffEAXT7
---- END SSH2 PUBLIC KEY ----
