No support for "OPENSSH PRIVATE KEY" format ssh keys

Question

No support for "OPENSSH PRIVATE KEY" format ssh keys

Closed this issue 5 years ago · 3 comments

In the most recent versions of OSX, the default ssh keys are in OPENSSH PRIVATE KEY format.

This serverfault thread talks about the OSX behavior change: https://serverfault.com/questions/939909/ssh-keygen-does-not-create-rsa-private-key

A workaround that has worked for the folks using jass at Segment is to reformat the private keys created in the OPENSSH PRIVATE KEY format with

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Longer term, I'm planning to make a fork of jass and add support for OPENSSH PRIVATE KEY format. Will report back if I'm successful getting that to work.

Answer 1 · 2019-05-10T13:28:00.000Z

Thanks for reporting this issue. I don't know when I'll have the time to look at implementing support for this, so I'd certainly appreciate a PR if you get to it first. :-) The hacky way might be to shell out to ssh-keygen and convert the key on the fly, but that brings with it a dependency on an ssh-keygen version that supports the given format. (One may well assume that to be present when a key in that format is found, but you never know.) If we want to go down the road of supporting the format natively, then the OpenSSH key format is documented here: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key While here, we should probably add support for keys other than RSA, which jass(1) currently assumes.

Answer 2 · 2019-05-23T00:30:43.000Z

I decided to use 1Password for the purpose I've been using jass for, so my motivation to fix this issue has kind of gone away.

Answer 3 · 2019-05-25T01:10:51.000Z

This should be resolved per my last commit - at least for unencrypted private keys. I will see if I can make time to look into adding support for encrypted private keys in this format, too.