I have my server host key (private key) in OpenSSL format that I want to use for server authentication. I prefer to use the trust model where the client's local database associates each host name with the corresponding public host key. Since an OpenSSL-format key is not supported in the OpenSSH architecture, I am looking for a solution that converts my OpenSSL-format private key to an OpenSSH-format private key. I appreciate any help in resolving this problem.
-
This is not a security question... learn what type of files OpenSSH supports and how to configure OpenSSH to use the different files. (Your assumption that OpenSSH can not use other formats is false. It might require conversion though.) – LvB Jun 24 '19 at 15:08
1 Answer
Not really an answer but too long to be readable as comments.
It is not clear if you are asking about the private key or public key.
OpenSSH does support all 8 (*) PEM formats for private keys used by OpenSSL. In fact, historically (since v1 became obsolete) it generated only the 6 OpenSSL 'traditional' formats but could also read the 2 PKCS8 formats; since 6.5 in 2014 it supports an OpenSSH-defined (and not OpenSSL-compatible) 'new' format, but by default used this 'new' format only for Ed25519, keeping OpenSSL formats for RSA, DSA and ECDSA; and since 7.8 in 2018 it defaults to 'new' for all key types but still can generate or convert to OpenSSL (except for Ed25519); see Converting keys between openssl and openssh and several more linked there. (*) Since 7.0 in 2015 OpenSSH by default doesn't use DSA auth keys in the protocol, unless you manually enable them (at both ends); there are existing Qs about this, IIRC on several Stacks. But it still supports generating, converting, and otherwise manipulating DSA key files, even if those files are mostly useless.
OpenSSH's public key formats are different from OpenSSL's, but starting from the private key file you can just use ssh-keygen -y to create the OpenSSH-format pubkey; this is documented on the man page. Also, since at latest 6.0 in 2012, ssh-keygen -i -m pkcs8 (although inaccurately named) can convert from what OpenSSL calls 'PUBKEY' format (which is actually X.509 SubjectPublicKeyInfo) to OpenSSH format. Only if you need to convert an OpenSSL public key to OpenSSH format without using OpenSSH is it difficult, and there are Qs on that, mostly on stackoverflow (since it is actually nontrivial).
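The two conversions the answer describes, plus the host-key pinning the question asks about, as an added shell example that is not part of the original answer. It assumes openssl and ssh-keygen are on PATH; the host name and all files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: round-trip an OpenSSL-format RSA host key through ssh-keygen,
# then pin it in a client-side known_hosts file keyed by host name.
# Assumes `openssl` and `ssh-keygen` are installed; the host name is made up.
set -eu

# Prints "ok" when the public key derived from the PEM private key (-y)
# equals the one converted from OpenSSL's PUBKEY/SPKI form (-i -m pkcs8),
# and the pinned known_hosts entry can be looked up by host name.
ssh_key_roundtrip() {
    work=$(mktemp -d)
    host="server.example.test"   # constructed host name

    # 1. OpenSSL-format private key (what the question starts with).
    openssl genrsa -out "$work/host_key.pem" 2048 2>/dev/null
    chmod 600 "$work/host_key.pem"

    # 2. OpenSSH public key straight from the private key (ssh-keygen -y).
    ssh-keygen -y -f "$work/host_key.pem" > "$work/host_key.pub"

    # 3. Same key via OpenSSL's 'PUBKEY' (SubjectPublicKeyInfo) export,
    #    converted to OpenSSH format with ssh-keygen -i -m pkcs8.
    openssl rsa -in "$work/host_key.pem" -pubout \
        -out "$work/host_key.spki.pem" 2>/dev/null
    ssh-keygen -i -m pkcs8 -f "$work/host_key.spki.pem" \
        > "$work/host_key.conv.pub"

    # Compare key type and base64 blob only; comments may differ.
    blob_y=$(awk '{print $1, $2}' "$work/host_key.pub")
    blob_i=$(awk '{print $1, $2}' "$work/host_key.conv.pub")
    if [ "$blob_y" != "$blob_i" ]; then
        rm -rf "$work"; echo "mismatch"; return 1
    fi

    # 4. Client-side trust model: one known_hosts line = host name + pubkey.
    printf '%s %s\n' "$host" "$blob_y" > "$work/known_hosts"
    if ! ssh-keygen -F "$host" -f "$work/known_hosts" | grep -qF "$blob_y"; then
        rm -rf "$work"; echo "not pinned"; return 1
    fi
    # Fingerprint the operator publishes so clients can verify the pin.
    ssh-keygen -lf "$work/known_hosts" >&2
    rm -rf "$work"
    echo "ok"
}
```

Source the file and call ssh_key_roundtrip; it prints the pinned key's fingerprint on stderr and "ok" on stdout.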
