
I need to set up a secure connection through SSH keys; the prerequisites are:

  • DSA type
  • number of bits: 2048
  • Passphrase: yes

On my Linux system I can't create this kind of key; the man page says:

DSA keys must be exactly 1024 bits as specified by FIPS 186-2

But I found that in PuTTY, we can create 2048-bit DSA keys. So I tried to put the key pair generated by PuTTY in the .ssh directory of my user. That doesn't work...

The private key looks like this:

PuTTY-User-Key-File-2: ssh-dss 
Encryption: aes256-cbc 
Comment: dsa-key-20150127 
Public-Lines: 17 
xxxxxxxxxxxxx 
Private-Lines: 1
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
Private-MAC: xxxxxxxxxxxxxxxxxxxxx

I think authentication can't work with this key.

My questions are:

  • Do I need to change the layout of this key to make it usable on my CentOS system? Is it possible?
  • If not, is there any other way to create a 2048-bit DSA key pair with a passphrase?

Thanks for your help, and sorry for my bad English.

tonio94
  • Why is DSA a prerequisite? – Liczyrzepa Feb 03 '15 at 17:04
  • @Liczyrzepa Why is your question pertinent? [FIPS 186-3](http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) specifies key sizes of 2048 and 3072. – Paul Feb 03 '15 at 19:13
  • @Paul - Because the goal is to set up a secure keyed connection, as stated in the first sentence. If RSA is acceptable (it is also FIPS compliant), then tonio94 won't have to change the SSH software on his server. It appears he is using OpenSSH, the default in CentOS. – Liczyrzepa Feb 03 '15 at 20:52
  • @tonio94 - If you turn up the verbosity on your SSH server you should be able to see if it rejects the larger-sized DSA key. – Liczyrzepa Feb 03 '15 at 20:53
  • @Liczyrzepa But we know nothing else, and it does not matter because it was stated that DSA type is a requirement. – Paul Feb 03 '15 at 20:54
  • @Liczyrzepa Using a DSA type is a requirement; that's why I'm asking you about how to generate and use this kind of key. I already tried to connect using keys generated by PuTTY. I put them in my .ssh directory, then I changed the layout of the file to be similar to a key generated by ssh-keygen, but I'm always rejected (in verbose mode -vvv it says bad passphrase, whereas the passphrase is correct). – tonio94 Feb 04 '15 at 12:13
  • In PuTTY Key Generator, are you using the Conversion -> Export OpenSSH key tool? Mine does not generate an export file that looks like the one in your question. PuTTYgen Release 0.63. However, I cannot test that the key works with OpenSSH right now. – Paul Feb 04 '15 at 20:02

1 Answer

Given OpenSSH (even as current as version 6.7), you will not be able to create a 2048-bit DSA key using the ssh-keygen tool. However, you should be able to create a 2048-bit DSA key with puttygen. After you've generated your key, copy the text that appears in the text box with the heading "Public key for pasting into OpenSSH authorized_keys file:" and paste that into .ssh/authorized_keys in your user's home directory on your server. To connect using the key, you will need to have pageant running on your client, with your key loaded.

Also, pay attention to the file permissions on the ~/.ssh directory and the authorized_keys file. If they are writable by others, sshd will not use the authorized_keys file, unless the StrictModes option has been set to no.

(I can confirm this works with CentOS 6.6 and putty 0.63)

Update: To export the private key to OpenSSH format, use puttygen. Click "Conversions" and then click "Export OpenSSH Key". The file it creates is correctly formatted for OpenSSH. Place that file (your secret key) on the client system and pay attention to the permissions. You may then use ssh -i [name of key file] to connect to your server.

Liczyrzepa
  • Hi, thanks for your answer. After copying the public key into the authorized_keys file, I need to save the private key from PuTTY on my source server too. But the layout of the file is strange, as I said in my first post. And there is only one line for the private key... I don't understand why... As for using pageant, it is only made for Windows. – tonio94 Feb 04 '15 at 12:02
  • Glad to help :^) – Liczyrzepa Feb 06 '15 at 15:02
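The answer above points at two things to verify on the client and server: that the private key file is in OpenSSH format rather than PuTTY's native .ppk layout shown in the question, and that ~/.ssh and authorized_keys are not group/world writable (otherwise sshd ignores authorized_keys under StrictModes). The following shell script is an added example, not code from the question or the answer; it assumes a POSIX shell with ls, cut and head, and that the exported OpenSSH key starts with a "-----BEGIN" PEM header.

```shell
#!/bin/sh
# Added example: checks for the two failure modes discussed in the thread.

# Classify a private key file by its first line. A file beginning with
# "PuTTY-User-Key-File-" is PuTTY's native format, which OpenSSH cannot
# read; puttygen's "Conversions -> Export OpenSSH key" writes a PEM file.
key_format() {
    first=$(head -n 1 "$1")
    case "$first" in
        PuTTY-User-Key-File-*) echo putty ;;
        -----BEGIN*)           echo openssh ;;
        *)                     echo unknown ;;
    esac
}

# Return 0 if the path is not writable by group or others, 1 otherwise.
# Positions 6 and 9 of the ls -ld mode string are the group-write and
# other-write flags, which sshd's StrictModes check refuses to see set.
not_group_other_writable() {
    mode=$(ls -ld "$1" | cut -c6,9)
    case "$mode" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Walk the paths sshd inspects before trusting authorized_keys (home
# directory, ~/.ssh, the file itself); print each problem; return 0 if clean.
check_authorized_keys_perms() {
    home=$1; ok=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; ok=1; continue; }
        not_group_other_writable "$p" || { echo "group/other writable: $p"; ok=1; }
    done
    return $ok
}

# Tighten permissions to what sshd expects (safe to re-run).
fix_ssh_perms() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}
```

Run `check_authorized_keys_perms "$HOME"` on the server and `key_format ~/.ssh/id_dsa` on the client; a "putty" result means the file still needs the puttygen export step.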