Thursday, September 17, 2009

OpenSSH and SSH.COM Key generation - Some Concerns...

Where I work some people use a very old commercial SSH Client - Its from circa 2002 and its really not that great.  So we're switching to key based auth -- This brings some problems about.  Some of my users will be using this antiquated client which generates some ugly keys. I'd prefer everything be openssh based. So, I found some information about this on someones blog, and I decided I would share it here on my blog, and leave it here for my reference as well as yours! Happy converting.
--

Connecting two server running different type of SSH can be nightmare if you does not know how to convert the key. In this tutorial, I will try to explain on how to convert the public key from OpenSSH to SSH2 and SSH2 to OpenSSH. To convert the key, it must be done in OpenSSH server.
Convert OpenSSH key to SSH2 key
  • Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.
    #ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
Convert SSH2 key to OpenSSH key
  • Run the OpenSSH version of ssh-keygen on your ssh2 public key to convert it into the format needed by OpenSSH. This needs to be done on the system running OpenSSH.
    #ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
Steps involved to produce and convert the keys.
OpenSSH
To generate an OpenSSH sshv2 key
$ ssh-keygen -t dsa -f newkey
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newkey.
Your public key has been saved in newkey.pub.
The key fingerprint is:
c6:db:3a:ff:4c:79:a7:d8:cb:be:82:e8:9d:db:8c:e9 brad@eta
To export to ssh.com
$ ssh-keygen -e -f newkey.pub
—- BEGIN SSH2 PUBLIC KEY —-
Comment: “1024-bit DSA, converted from OpenSSH by brad@eta”
AAAAB3NzaC1kc3MAAACBAJ7QKkrLoOE9TNPVmKVedk1GAr/S+Cruq3/GtjRnxvJqbBbfne
lWYUC+vbHc5a+7bgRsQfCgoCeGKH5wGD4CDWQMhy2XYomnGf1gUC86Hq77/Noqa02N441E
FSTIEoNlU2aYi8zwVQKlgP6e22mG9sK7zSaGX639ctaigHuST8qPAAAAFQC2az8dfxHkkD
ZAEw+RcvRn3cpXFQAAAIEAgYpPs6d+Kyw37ZaBarlMEaZoEfrxhUZ44SN+KoqBZYpSVwyH
J+/RB0zVUizXCmZ5RhYSsYZ57Iixx1bBmBxogaEh5d7xxUpg/9Xctf94Jsf7vxccjZ4XYA
RrVikq/0L9fuKOmo4ET9iAf+GL7w2u5gzxxZr+xX5jw/A7907lOCwAAACAMoHHk0o1XkG+
yeaPtuwbrHshGqTjpOUkJ/AYuQ8OBuVAOdqse1di9JpeHko26G0zoH3N+nDHMGdYYTNHzR
NYRd2q20ztcAP52crZo1rtpNdvs6c+RTEIgoP3oYh1e1+rg70tWKIW3R/NYB39CESHoyqs
AJ7vzOPm0iUOd36YECY=
—- END SSH2 PUBLIC KEY —-
SSH
To generate a key:
$ ssh-keygen
Generating 2048-bit dsa key pair
1 oOo.oO
Key generated.
2048-bit dsa, marshalb@obelix.cqu.edu.au, Tue Jul 15 2003 13:53:34 +1000
Passphrase :
Again      :
Private key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b
Public key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b.pub
To convert from ssh.com to OpenSSH (using OpenSSH ssh-keygen):
$ ssh-keygen -i -f id_dsa_2048_b.pub
ssh-dss AAAAB3NzaC1kc3MAAAEBAKueha6mfr5OUcscc88lmQUBBgYSZ08htHFaYzke2N
5WG6ql1NgwQsyY2mMRxvvGckBeInx2GvRlz1+izDs5p4UGhkMzG8qOoT2y2vLwTFQyxi4I
XET1e0E8VYC0dcLfs5Zg6RxEY7GA5FiydS6dceuPnLJgCYDfyb9Qbk4rVEvREODo8dV/KR
lZxecEgaeKOO7ZnEzaIVPRCVb6U6EaRtZvxKfGnNFI957AfZ+Hqevz1IeQNDCp00EmaNli
8Ow4rjOPlH7o818r35Ea8mMoV0hkirNQ25zf/Z1LvCS3649537YDi/SVmMMpGCvT93w/TR
vk5RKlwVVy+TH52C8/MKEAAAAVAOuDCV61LvfKz0bd8hYEJ/gGof9XAAABAQCFRhlpWtVO
hTxcWcrnZp9EbbVRZO16St5TPjL86khb7b/VjScOAgt0tslHwtEEQzImv1xRkk6ZQ1o9pv
Azb1fMZrZMGIy9zUXvL0v6LNXxCxN9YIjx14OXYfH8EIQDZJGRJoxHvEvUVjv3lHnTuxbd
Krcbagvakxvgjq1wVyEueilO+g+WhJm+Q+XIYRl0TK9qtsAVFmzxBxT5USZFJ+1kbG7ipp
fFSGWRd3KPUCVQ8iGO3IMjtIlfcuGOArbKB06kMlxsdjNjhcEIHtR0jpaEeB2X+HrVScQE
oXG4S8YkiIExlIvjhrVr571BTOuO9H5VHt4CtKUxeXxKZWslulYwAAABAHm3zlMsXxPL/H
Oq29qf7Lk90b7El+j19E2UkyssfSu6+/k4bFf6ax2n3yEn31S5bUdNvgqmlEjdERc4SkU6
5b5LW2ZI1v7kRoegG+bD2Q21N9Rv/lwS7CTprenKiMMRJ8TU7FMIVT3zEZkV+etC7cbaN+
09GoiFTt+h7IDmo7onlo64oSMrcc+xt++ZUzENTVBgDoS92jlpnELkyJqZgb1/fdEPT6wR
j132yBxWLqDGmbp9msmY1us+XNDY8isF80u9yTTXGTskOtCSaeavDDtPOKN5ZR20sHpIBg
t6zd6mm/zKD6OZo14BLSJr7ldwSRzNNYMtkLnNyFSYxAIrm9Y=
You can then use the output in authorized_keys file on an openssh box.
OpenSSH v2 -> SSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Export the key into ssh.com v2 format:
$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > newPubKey
Copy the converted ssh key to the ssh.com server
$ scp newPubKey server:.ssh2/id_dsa.pub
On the server, tell the ssh.com server that the public key is allowed:
echo “Key id_dsa.pub” >> ~/.ssh2/authorization
SSH v2 -> OpenSSH v2
On the ssh.com box, generate a DSA key:
$ ssh-keygen
Copy the generated key to the openssh box:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh
Convert the public key to openssh format and append to authorized_keys:
$ ssh-keygen -i -f id_dsa_1024_a.pub >> ~/.ssh/authorized_keys
On the ssh.com box setup the private key:
$ echo “IdKey id_dsa_1024_a” >> ~/.ssh2/identification
SSH v2 -> SSH v2
On the ssh.com client, generate a DSA key:
$ ssh-keygen
Copy the generated key to the server:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh2
On the server, tell the ssh.com server that the public key is allowed:
$ echo “Key id_dsa._1024_a.pub” >> ~/.ssh2/authorization
On the ssh.com client setup the private key:
$ echo “IdKey id_dsa_1024_a” >> ~/.ssh2/identification
OpenSSH v2 -> OpenSSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Copy the ssh key to the server
$ scp ~/.ssh/id_dsa.pub server:.ssh/id_dsa.pub
Add the key to the authorized_keys file on the server
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

No comments:

Post a Comment