11

Here is a test script I am using to help debug an issue with openssl and/or ssh on OSX Mojave 10.14.5 with brew-installed versions of openssl and openssh:

> brew info openssh | head -1
stable 8.0p1 (bottled)
> brew info openssl | head -1
stable 1.0.2r (bottled) [keg-only]
> ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3
> openssl version
LibreSSL 2.6.5
> ! test -f /tmp/foo || rm /tmp/foo && 
  ssh-keygen -f /tmp/foo -t rsa -P "" -N "" && 
  openssl rsa -in /tmp/foo 
Generating public/private rsa key pair.
Your identification has been saved in /tmp/foo.
Your public key has been saved in /tmp/foo.pub.
The key fingerprint is:
SHA256:iZMoPkGh4wkPvMOfV5KSEVFOLc9Dc8zmBvbhdE4d+Rs jon_upowr@greywedge3.lan
The key's randomart image is:
+---[RSA 2048]----+
|  .ooo. o   ..o  |
|.. .+. * B o o   |
|=... .* X =   .  |
|+=o o..* * .   E |
| *+o.o+.S       o|
| .ooo o.       . |
|  oo .           |
|   ..            |
|                 |
+----[SHA256]-----+
unable to load Private Key
4643780204:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/pem/pem_lib.c:683:Expecting: ANY PRIVATE KEY

The key is similar to this (no, this is not a key I will use):

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

Replacing OPENSSH with RSA in the generated private key has no effect on the success of the exercise.

If I try the same sequence of operations on a debian docker image, the key generated by ssh can be successfully read by openssl running on the same platform.

Is my expectation that this would also work on OSX unreasonable? If so, what's gone wrong?

edit: I had a spurious -o option in the example which I have now removed.

jonseymour
  • I'm not sure what you're asking, but openssl cannot read SSH private keys in that format. – President James K. Polk Jun 06 '19 at 17:50
  • But it seems that it can on Linux, why not on OSX? Is there a way for me to convert the SSH private key into one that can be read by openssl? – jonseymour Jun 07 '19 at 04:26
  • 2
    Ok, I see the difference now: the Linux version of ssh-keygen is generating true RSA private keys, whereas the OSX version is generating OPENSSH private keys. The question now becomes, how do I get the OSX ssh-keygen to behave like the Linux version?
  • 1
    The answer to which is provided here https://serverfault.com/a/941893/113948 – jonseymour Jun 07 '19 at 04:39

1 Answer

19

The problem was that the default behaviour of ssh-keygen on OSX Mojave now differs from that on Linux. In particular, ssh-keygen will produce OPENSSH private keys by default on OSX but RSA private keys by default on Linux.

The same behaviour can be guaranteed in both environments by adding -m PEM to the ssh-keygen arguments.

Thanks to James K Polk for guiding me in the correct direction and also this answer.

jonseymour
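
For a key that already exists in the OPENSSH format, the same -m PEM switch can be applied to a copy of it. The following is an added example, not part of the original answer and not code from OpenSSH or OpenSSL; the function names key_format and to_pem_copy are hypothetical, and it assumes an unencrypted RSA key and an ssh-keygen that accepts -m PEM together with -p.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the post.

# Print the container format of a private key file, judged by its PEM header.
key_format() {
    header=$(head -n 1 "$1") || return 2
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;         # OpenSSH's own format
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-rsa ;;         # traditional PEM
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *) echo unknown; return 1 ;;
    esac
}

# Write an openssl-readable copy of the unencrypted RSA key $1 to $2.
# The original file is never modified.
to_pem_copy() {
    src=$1
    dst=$2
    fmt=$(key_format "$src") || return 1
    # ssh-keygen refuses private key files that other users can read.
    ( umask 077 && cp "$src" "$dst" ) && chmod 600 "$dst" || return 1
    if [ "$fmt" = openssh ]; then
        # -p rewrites the file in place; -m PEM selects the PEM encoding.
        # Empty old (-P) and new (-N) passphrases: the key stays unencrypted.
        ssh-keygen -p -m PEM -P "" -N "" -f "$dst" >/dev/null || return 1
    fi
    # Succeed only if openssl can actually load the result.
    openssl rsa -in "$dst" -passin pass: -noout 2>/dev/null
}

# Optional command-line use: sh script.sh <private-key> <output-copy>
if [ "$#" -eq 2 ]; then
    to_pem_copy "$1" "$2" && key_format "$2"
fi
```

The copy is unencrypted, like the key in the question, so it needs the same file permissions and handling as the original private key.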