Export Private Keys #968
Comments
Under Settings / Backup pubkeys it says “Keep back-ups of the private keys using Android’s backup mechanism”. The heading of that switch may seem wrong (it should perhaps say “Backup privkeys”), but does this existing feature not solve your use case much more easily? |
You can already go to Manage Pubkeys / long-press your key / Copy private key and then paste that into e.g. an email or messaging or editor app of your choice to export your private key. |
You can't copy the private key if the key has a password (and surely all keys should have a password?), the menu option in Manage Public Keys is greyed out. I'm a bit wary of using the Android backup mechanism - where are the keys backed up (locally on my device, or on a cloud server?) and how do you restore the backup to a fresh installation on a new device....? Or perhaps use the same key with other apps on the same device. |
Copy private key doesn't work. ConnectBot can't import an ed25519 key that has been copied and saved. The copied key looks far too small. Only 126 bytes. Should be ~400. It looks like the pub key wrapped in priv key encoding. |
Doesn't work for me either. Isn't it time for this to be fixed? What is the point of not being able to save a private password-protected key? It is very inconvenient to generate a new key when someone happens to change their smartphone. |
So as far as I'm understanding the "copy private key" button is supposed to be greyed out, even after unlocking the key? I'd like to copy the private key so that I can use it in a separate sftp app on the same device |
No. It's supposed to put the private key in the clipboard. Instead it puts the public key in the clipboard and wraps it so that it looks like a private key. It's a very long-standing bug, and nothing we do seems to get the attention of the developers. It has also been reported here: #723 |
In my case I can't even manage to copy it, the button stays grayed out even after unlocking the key |
You can long-press and select "Change Password" and set the password to blank, then you can export the private key. |
There is no export private key option. There is only "copy private key". And this function, at least for ed25519 keys (I don't use other types), doesn't work. The key you get is not an actual private key. |
Yes, you can export/copy both private and public keys, provided that the key has no password (i.e. if it is unencrypted). But it doesn't seem to me to be a very good idea to use unencrypted keys..... Also, I have no idea what is actually exported/copied. It has been suggested elsewhere that the exported/copied keys do not have the correct contents.
ConnectBot should be able to export both public and private keys correctly, regardless of whether or not the keys are encrypted. And also be able to handle keys in all 4 of the formats (RSA, DSA, EC, ED25519) which are offered, or failing that, it should be clear which key formats are supported, and non-supported formats should not be offered. It shouldn't be this difficult. It's a pity really, because otherwise ConnectBot is a great piece of software which I use on an almost daily basis.....
-------- Original message --------
From: Piero Toffanin ***@***.***>
Date: 03/05/2023 19:53 (GMT+00:00)
To: connectbot/connectbot ***@***.***>
Cc: RomneyYW ***@***.***>, Comment ***@***.***>
Subject: Re: [connectbot/connectbot] Export Private Keys (#968)
You can long-press and select "Change Password" and set the password to blank, then you can export the private key.
|
I think it's actually the intended mechanism. The app is somehow behaving like a low-cost enclave and is doing what it can to prevent accidental export or misuse of the key export mechanism. Private keys are never supposed to leave the system they originate from, and even more, moving them across platforms reflects very bad design. There are four use cases we can imagine why users try to export the keys:
Let's address each scenario in the original order:
|
My personal use case is setting up another connection on the same device (currently using JuiceSSH to do this instead)
|
The idea that when you long-tap a key in ConnectBot and select the "Copy private key" item from the context menu that appears that it is intended behaviour that it then gives you the wrong data is ludicrous on its face.
There are innumerable use cases for access to private keys, use cases that are in very wide use in the wild, any number of them perfectly valid.
Let's not. How about you simply name another secure shell implementation anywhere that denies the user access to their own private keys.
@Roan-V you don't need to justify your use case. This issue is simply a very long-standing bug in ConnectBot. My suggestion is simply to use something else other than ConnectBot to generate your key pair. ConnectBot can properly import a private key from elsewhere. It just cannot currently export one that it creates. I generate my keys with OpenSSH and then sneaker-net them onto my device with an OTG USB stick. You can reuse the same key for other apps on the device as you see fit and as your security model allows. |
Combined with an encrypted backup (e.g. seedvault in lineageos) this is actually the most useful information in this ticket. Thanks. |
After some digging, I solved the problem. ConnectBot actually exported the private key, but in the original ASN.1 format. OpenSSH only recognizes RSA keys in this format, but not the new ed25519 ones. For the ed25519 keys, OpenSSH only recognizes private keys in its own format. So you have to convert the format yourself. The top answer on StackExchange offers a way to do the conversion: https://security.stackexchange.com/questions/267711
First save the copied private key in a pem file
Then use the
And now you got your private key back. |
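The comments above disagree on whether "Copy private key" yields public-key bytes in private-key armour or an ASN.1 private key that OpenSSH will not read. The following added example (not ConnectBot's code and not from any commenter) classifies a pasted Ed25519 blob by its DER structure, assuming the ASN.1 format meant above is PKCS#8 as defined in RFC 8410; `classify_key_blob`, `pem_wrap` and the sample blobs are constructed for illustration.

```python
import base64
import re

# DER prefixes for Ed25519 (OID 1.3.101.112), per RFC 8410.
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")  # + 32-byte seed
SPKI_ED25519_PREFIX = bytes.fromhex("302a300506032b6570032100")  # + 32-byte public key
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH private key body
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def classify_key_blob(text):
    """Return (kind, detail) for a pasted key; never echoes key material."""
    # Stray NUL bytes and CRs picked up in transfer are stripped before parsing.
    cleaned = text.replace("\x00", "").replace("\r", "")
    m = PEM_RE.search(cleaned)
    if not m:
        return ("not-pem", "no BEGIN/END armour found")
    label, body = m.group(1), m.group(2)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return ("corrupt", "base64 body does not decode")
    if der.startswith(OPENSSH_MAGIC):
        return ("openssh-private", "label=%s, %d bytes" % (label, len(der)))
    if der.startswith(PKCS8_ED25519_PREFIX) and len(der) == 48:
        return ("pkcs8-ed25519-private", "label=%s, 32-byte seed present" % label)
    if der.startswith(SPKI_ED25519_PREFIX) and len(der) == 44:
        return ("spki-ed25519-public", "label=%s, public key only" % label)
    return ("unknown", "label=%s, %d bytes of DER" % (label, len(der)))


def pem_wrap(label, der):
    """Build PEM armour around DER bytes (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed sample inputs: filler bytes, not real keys.
SAMPLE_PKCS8 = pem_wrap("PRIVATE KEY", PKCS8_ED25519_PREFIX + b"\x11" * 32)
# Constructed: public-key structure under a private-key label.
SAMPLE_MISLABELLED = pem_wrap("PRIVATE KEY", SPKI_ED25519_PREFIX + b"\x22" * 32)

if __name__ == "__main__":
    for name, blob in (("pkcs8", SAMPLE_PKCS8), ("mislabelled", SAMPLE_MISLABELLED)):
        print(name, len(blob), "bytes ->", classify_key_blob(blob))
```

A blob classified as `pkcs8-ed25519-private` can be re-serialised for OpenSSH with the Python `cryptography` package (`load_pem_private_key`, then `private_bytes` with `PrivateFormat.OpenSSH`).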
I ran into problems trying to import an RSA key that I had generated in ConnectBot on another device and it turned out that somehow I had NULL bytes in between. It might have had something to do with how I was transferring the key data, but it would be nice if ConnectBot could save the key as a file and "share" it with whatever app you want to use to transfer files. I don't know if there are license issues with using Quick Share, but it would be nice if possible. Also, it would be nice to be able to rename the imported keys in ConnectBot. Depending on where the file was I either get "primary:<path and filename>" or "msf:<ten digit number>". |
Is your feature request related to a problem? Please describe.
I'm always frustrated when..... SWITCHING PHONES. In the end I resort to removing password protection, copying private key, sending it through my email, copying on a pc to a txt file, then copying back to new phone. This is insecure and time consuming, and FRUSTRATING.
Describe the solution you'd like
Solution: Ability to backup Private keys to a .zip or similar type of file that android recognizes so I don't have to battle to get access to my servers again.
Describe alternatives you've considered
A QR code to be read by new phone would also be nice.
Additional context
It's 2021, time to make a way to backup SSH keys so it is easy to switch phones. Use the phone authentication and even 2FA with Authenticator, I don't care, I'm just tired of doing this every 6 months.