Support ed25519 SSH private keys #461
Comments
What version did you use? What plugins were loaded? What format did the keys have?
I use
This is the log output:
And this is the corresponding private key:
Thanks for the details. Yes, that format is currently not supported. While the OpenSSH public key format is specified in several RFCs (see here for links), the private key format seems only roughly specified here (also linked on the other page). Besides the format itself, the private key is apparently protected by bcrypt (if it's protected by a passphrase), which we currently don't implement either. So you currently won't get around converting the private key to PKCS#8 if you can't use ssh-agent (apparently
I see... Unfortunately I don't have much time at the moment. Otherwise I'd have a look at it. I've tested dropbear's ed25519 key converted with dropbearconvert with OpenSSH. They seem to do it right. Although their code lacks a few comments and they don't support encrypted keys, this seems to be a good starting point:
The private key portion of the base64-decoded key above is:
Adding the correct PER-header:
Resulted in a working key:
@tobiasbrunner Thank you for your kind help! Seems it's just a bug in dropbear... I've tried to convert the resulting key back to dropbear format using dropbearconvert.
Counting is hard: Even without that bug, they have mixed up private and public key here, I guess:
No, I was referring to the documentation of the format that mentions bcrypt (I guess there are other KDF options, but those are not documented, neither are the ciphers, so not sure what would actually get used), not your key, which was not protected (
😂
The order is correct, but they don't seem to skip the public key. Because looking at the encoding, we see that after
Which is completely unrelated because it has nothing to do with OpenSSH's private key form, and signature generation on Android is implemented via Android's KeyChain API (and the stuff in
Aaaand the issue is dead?
@Thermi I've written a Lua script which takes care of converting it to PER format and I'm quite happy with it. Feel free to close this issue if this feature does not make sense to you.
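The conversion discussed in this thread, as an added example that is not code from any participant or from the project: a parser for the unencrypted openssh-key-v1 container that checks the duplicated public key and check ints, rejects bcrypt-protected keys, and re-wraps the 32-byte ed25519 seed as PKCS#8 (RFC 8410). The function `build_sample_key` only assembles a constructed test input, not a real key pair.

```python
import base64, struct

PEM_HEAD, PEM_FOOT = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")  # RFC 8410 wrapper for a 32-byte seed

def _ssh_str(data):  # SSH wire-format "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data
def _read_str(buf, off):  # inverse of _ssh_str, bounds-checked; returns (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def openssh_ed25519_seed(pem):  # 32-byte Ed25519 seed from an unencrypted openssh-key-v1 PEM
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HEAD or lines[-1] != PEM_FOOT:
        raise ValueError("not an OPENSSH PRIVATE KEY PEM")
    blob, magic = base64.b64decode("".join(lines[1:-1])), b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("bad magic")
    cipher, off = _read_str(blob, len(magic))
    kdf, off = _read_str(blob, off)
    _kdfopts, off = _read_str(blob, off)
    if cipher != b"none" or kdf != b"none":  # passphrase-protected keys use the bcrypt KDF plus a cipher
        raise ValueError("encrypted key (%r/%r) not handled here" % (cipher, kdf))
    (nkeys,), off = struct.unpack_from(">I", blob, off), off + 4
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    pubblob, off = _read_str(blob, off)  # public key in ssh wire format: string type, string key
    ktype, p = _read_str(pubblob, 0)
    pub, _ = _read_str(pubblob, p)
    priv, off = _read_str(blob, off)  # the "encrypted" section, plaintext for cipher "none"
    c1, c2 = struct.unpack_from(">II", priv, 0)  # two equal check ints precede the key
    if c1 != c2:
        raise ValueError("checkint mismatch: corrupt key or wrong passphrase")
    ktype2, p = _read_str(priv, 8)
    pub2, p = _read_str(priv, p)
    sk, p = _read_str(priv, p)  # 64 bytes: seed || public key, i.e. the public key appears again here
    if not (ktype == ktype2 == b"ssh-ed25519" and len(sk) == 64 and pub == pub2 == sk[32:]):
        raise ValueError("inconsistent ed25519 key material")
    return sk[:32]
def seed_to_pkcs8_pem(seed):  # PKCS#8 PrivateKeyInfo (RFC 8410) for the seed, PEM-encoded
    b64 = base64.b64encode(PKCS8_ED25519_PREFIX + seed).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + b64 + "\n-----END PRIVATE KEY-----\n"
def build_sample_key(seed, pub, comment=b"constructed"):  # constructed test input, NOT a real key pair
    priv = struct.pack(">II", 0x1234ABCD, 0x1234ABCD) + _ssh_str(b"ssh-ed25519") + _ssh_str(pub) + _ssh_str(seed + pub) + _ssh_str(comment)
    priv += bytes(range(1, 9 - len(priv) % 8)) if len(priv) % 8 else b""  # pad 1,2,3.. to the 8-byte block size
    blob = b"openssh-key-v1\x00" + _ssh_str(b"none") * 2 + _ssh_str(b"") + struct.pack(">I", 1)
    blob += _ssh_str(_ssh_str(b"ssh-ed25519") + _ssh_str(pub)) + _ssh_str(priv)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_FOOT])
```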
It would be great if one could define ed25519 SSH private keys for pubkey authentication without ssh-agent.
This is especially interesting for embedded distributions like OpenWrt or Alpine Linux where busybox/dropbear is used as default SSH client/server and ssh-agent is not available.