When I exported my private key in PuTTYgen, I assumed that the passphrase I set was also used on the OpenSSH version. I'm finding that the passphrase I put in isn't working. What's the right way to export my private key in OpenSSH format with a passphrase?

To transfer the exported SSH key to Linux, I just pasted it into nano and tried to ssh-add it. It prompts me for a passphrase, but doesn't accept the one I gave it. PuTTYgen imports it fine with that passphrase, though.

  • Try to rephrase your question, using the terms "password" and "passphrase" correctly. You seem to mistake one for the other, making your question hard to follow. Commented Apr 17, 2015 at 6:17

1 Answer

The Windows PuTTYgen's "Export OpenSSH key" does encrypt the key with 3DES-CBC. If the passphrase is non-empty, the output file says so:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,157A04D5AE43F45B

NiGUXnTOhATzg4dGvyXs8rzetF7KpplJJIKrZvQunXuVcZhVS+NTpnTgwJb+zOCm
...

I've tested this on various versions over the past 4 years. If the passphrase is empty, I even get an "Are you sure?" prompt.

The Linux puttygen also always uses the same passphrase when converting.


For RSA & DSA keys, OpenSSH uses the same 'raw' key format as OpenSSL. So if 3DES-CBC is not sufficient, you can use the openssl command-line tool to reencrypt them:

openssl rsa -aes-128-cbc < old.key > new.key

On Unix, of course, OpenSSH's own ssh-keygen is better:

ssh-keygen -p -f old.key
  • So the strange thing is that if I export the key, copy it to a CentOS machine, and do an ssh-add, it asks for the passphrase and when I put it in, it tells me it's incorrect. If I press Enter when it prompts me, it quits without comment, which I was taking to be passwordless entry. I can see via ssh-add -l that no keys have been loaded. So why is my key's password not working?
    – B T
    Commented Apr 16, 2015 at 22:00
  • Is whitespace important before or after the "begin/end RSA private key" parts? The way I created my key was just to paste it in nano.
    – B T
    Commented Apr 16, 2015 at 23:28
  • @BT: Yes; you can have empty lines and stuff around the whole key, but not inside the key. Commented Apr 17, 2015 at 18:27
  • Hm, that's what I thought. Very strange..
    – B T
    Commented Apr 22, 2015 at 3:31
  • @BT In particular all line breaks within the dash-BEGIN to dash-END block must remain the same, including exactly one blank line between DEK-Info and the first base64. Does openssl rsa <key give any different/better error message? Is your passphrase entirely ASCII printable characters? (Others may work differently depending on Windows regional settings and Linux locale.) Commented May 1, 2015 at 12:27
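
As an added example (not code from the original post or from PuTTY/OpenSSH), the following stdlib-only Python checker applies the layout rules discussed in the answer and comments: the Proc-Type and DEK-Info headers, the single blank line after DEK-Info, intact 64-column base64 with no blank lines inside the armor, CR-free line endings, and a passphrase made of printable ASCII. The sample key text is constructed (the answer's header lines, including its DEK-Info IV, plus a made-up base64 body); the function names and messages are mine. It does not decrypt anything, since 3DES is not in the standard library, so the real passphrase test remains `openssl rsa -in key` or `ssh-keygen -y -f key`; the key-derivation helper only shows why both the passphrase bytes and the DEK-Info IV must survive the copy unchanged.

```python
"""Layout checks for a "traditional" PEM private key (the OpenSSL/OpenSSH RSA/DSA format).

Added example, not from the original post. It checks the file layout and the
passphrase character set only; it cannot decrypt the key, so an empty finding
list does not prove the passphrase is right.
"""
import base64
import binascii
import hashlib
import re

# DEK-Info cipher -> (IV/block length in bytes, key length in bytes) for the ciphers
# PuTTYgen ("DES-EDE3-CBC") and `openssl rsa -aes-128-cbc` write.
CIPHERS = {"DES-EDE3-CBC": (8, 24), "AES-128-CBC": (16, 16),
           "AES-192-CBC": (16, 24), "AES-256-CBC": (16, 32)}
ARMOR = r"-----(BEGIN|END) ([A-Z ]*PRIVATE KEY)-----"


def check_pem_key(text: str) -> list:
    """Return the layout problems found; an empty list means the file looks sane."""
    findings = []
    if "\r" in text:
        findings.append("CR characters present (Windows line endings); remove with tr -d '\\r'")
        text = text.replace("\r", "")
    lines = text.split("\n")
    armor = [(i, re.fullmatch(ARMOR, l.strip())) for i, l in enumerate(lines)]
    begins = [(i, m.group(2)) for i, m in armor if m and m.group(1) == "BEGIN"]
    ends = [i for i, m in armor if m and m.group(1) == "END"]
    if not begins or not ends or ends[0] < begins[0][0]:
        findings.append("BEGIN/END PRIVATE KEY armor lines missing or out of order")
        return findings
    label = begins[0][1]
    body = lines[begins[0][0] + 1:ends[0]]
    if any(l != l.strip() for l in body):
        findings.append("leading/trailing whitespace on a line inside the armor")
    body = [l.strip() for l in body]          # keep going so the remaining checks still run
    cipher = None
    if body and body[0].startswith("Proc-Type:"):
        if body[0] != "Proc-Type: 4,ENCRYPTED":
            findings.append("unexpected Proc-Type header: %r" % body[0])
        m = re.fullmatch(r"DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)", body[1]) if len(body) > 1 else None
        if not m:
            findings.append("DEK-Info header missing or malformed after Proc-Type")
            return findings
        cipher, iv_hex = m.groups()
        if cipher not in CIPHERS:
            findings.append("unknown DEK-Info cipher %s" % cipher)
        elif len(iv_hex) != 2 * CIPHERS[cipher][0]:
            findings.append("DEK-Info IV is %d hex digits, expected %d for %s"
                            % (len(iv_hex), 2 * CIPHERS[cipher][0], cipher))
        rest = body[2:]
        if not rest or rest[0] != "":
            findings.append("exactly one blank line must separate DEK-Info from the base64 data")
        else:
            rest = rest[1:]
    else:
        rest = body
    if "" in rest:
        findings.append("blank line inside the base64 data")
        rest = [l for l in rest if l]
    if any(len(l) > 64 for l in rest) or any(len(l) != 64 for l in rest[:-1]):
        findings.append("base64 lines must be 64 characters wide (only the last may be shorter)")
    try:
        data = base64.b64decode("".join(rest), validate=True)
    except binascii.Error as exc:
        findings.append("base64 body does not decode: %s" % exc)
        return findings
    if cipher in CIPHERS and len(data) % CIPHERS[cipher][0]:
        findings.append("ciphertext length %d is not a multiple of the %s block size" % (len(data), cipher))
    elif cipher is None and label != "OPENSSH PRIVATE KEY" and not data.startswith(b"\x30"):
        findings.append("unencrypted body does not start with a DER SEQUENCE; truncated or not a key")
    return findings


def check_passphrase(passphrase: str) -> list:
    """Flag characters whose bytes differ between a Windows code page and a Linux locale."""
    bad = sorted({c for c in passphrase if not 0x20 <= ord(c) < 0x7F})
    return ["non-printable-ASCII characters %r in passphrase" % bad] if bad else []


def openssl_pem_key(passphrase: bytes, iv_hex: str, cipher: str) -> bytes:
    """OpenSSL's legacy PEM derivation (EVP_BytesToKey with MD5, one round): the first
    8 bytes of the DEK-Info IV are the salt, so the passphrase bytes and the IV hex
    together fix the 3DES/AES key; a changed byte in either gives a different key."""
    salt, want = bytes.fromhex(iv_hex)[:8], CIPHERS[cipher][1]
    key = prev = b""
    while len(key) < want:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        key += prev
    return key[:want]


# Constructed sample: the answer's header lines plus a made-up two-line base64 body
# (96 bytes once decoded, a multiple of the 3DES block size). Not a real key.
SAMPLE_KEY = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,157A04D5AE43F45B",
    "",
    "NiGUXnTOhATzg4dGvyXs8rzetF7KpplJJIKrZvQunXuVcZhVS+NTpnTgwJb+zOCm",
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2",
    "-----END RSA PRIVATE KEY-----",
    "",
])

if __name__ == "__main__":
    for name, text in [("as written", SAMPLE_KEY), ("blank line dropped", SAMPLE_KEY.replace("\n\n", "\n", 1)),
                       ("CRLF endings", SAMPLE_KEY.replace("\n", "\r\n"))]:
        print(name, "->", check_pem_key(text) or "looks sane")
```

To check a real file, read it with `open(path, newline="")` so that any CR characters survive into the string; the default universal-newline mode would hide exactly the line-ending problem the checker is looking for.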
