10

I manage a virtual office and our staff uses both SSH keys and passwords for authentication. If one of our staff forgets his password, is there a way to encrypt a temporary password using his public RSA ssh key so I can send it to him via e-mail?

I've seen other questions related to this one, however the "answers" generally recommend against using the public/private SSH keys to perform general encryption/decryption and do not actually state if this is possible. I would like to know if it is indeed possible and what are the steps to encrypt and then decrypt the password.

David M. Syzdek
  • 338
  • 2
  • 12

4 Answers4

9

I finally found how to convert an OpenSSH public key to PEM format on a blog and was able to successfully encrypt and decrypt a string using my private/public key.

I've outlined the steps I used to perform the encryption and decryption.

To encrypt a string:

# convert public key to PEM format
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8  > ~/.ssh/id_rsa.pub.pem

# encrypt string using public key
echo "String to Encrypt" \
   | openssl rsautl -pubin -inkey ~/.ssh/id_rsa.pub.pem -encrypt -pkcs \
   | openssl enc -base64 \
   > string.txt

To decrypt a string (from file):

openssl enc -base64 -d -in string.txt \
    | openssl rsautl -inkey ~/.ssh/id_rsa -decrypt

Since my goal is to e-mail the password, I've written an extremely basic script to automate things a bit:

#!/bin/sh
if test "x${1}" == "x";then
   echo "Usage: ${0} <username>"
   exit 1
fi
SSHUSER=${1}
printf "Enter Password: "
read PASS1
echo ""
echo ""
ssh-keygen -f /home/${SSHUSER}/.ssh/id_rsa.pub -e -m PKCS8 \
    > /tmp/ssh-pubkey-${SSHUSER}.pem
echo 'cat << EOF |openssl enc -base64 -d |openssl rsautl -inkey ~/.ssh/id_rsa -decrypt'
echo "New Password: ${PASS1}" \
   | openssl rsautl -pubin -inkey /tmp/ssh-pubkey-${SSHUSER}.pem -encrypt -pkcs \
   | openssl enc -base64
echo "EOF"
echo ""
rm -f /tmp/ssh-pubkey-${SSHUSER}.pem

I can then send the output of the script in an e-mail for the user to decrypt.

The complete script is available on Github: https://gist.github.com/3078682

David M. Syzdek
  • 338
  • 2
  • 12
4

It is possible since it's just an RSA key. Use openssl:

openssl rsautl -encrypt -inkey alice.pub >message.encrypted

I nicked this of this question on Unix/Linux SE.

I must say that PGP is more suitable for this.

Community
  • 1
Lucas Kauffman
  • 16,880
  • 9
  • 58
  • 93
  • 1
    The problem is that the SSH public key is not in a format which OpenSSL recognizes. I needed to know how to convert the key to something that could then be used by a toolkit such as OpenSSL. – David M. Syzdek Jul 09 '12 at 19:12
1

In general, yes this is possible. All SHH does is generate a Modulus N and two keys e (the public key) and d (the private one). The mechanism employed is usually RSA or DSA and the Keys generated can be used for encryption. All you'd have to do is extract them from the base64 blob that is the public key and then use a suitable program to encrypt data with these keys. You might be interested in Monkeysphere which can transfer between ssh key format and gnupg keys. This should allow you also to use the keys for encryption.

someone
  • 11
  • 1
0

Normally one does not do 'bulk encryption' with assymetric keys. But that doesn't matter since you should not be dealing with that level of details. Use a toolkit (openssl is a fine one http://www.openssl.org/docs/apps/openssl.html) to do the work for you. What you want to do is create an encrypted message containing the new temporary password and specify the user's key-pair as the recipient. Examples galore on this page: http://www.openssl.org/docs/apps/smime.html

Ram
  • 612
  • 3
  • 10