can't load keys with passphrase

[terinjokes]

This extension can't load keys protected with a passphrase as generated by ssh-keygen, which contain no block headers.

[ralimi]

Would it be possible to provide the ssh-keygen command you are using?

I tried the following to generate a key, and I could successfully load it into the extension:

$ ssh-keygen -N passphrase -f mykey_rsa
Generating public/private rsa key pair.
Your identification has been saved in mykey_rsa.
Your public key has been saved in mykey_rsa.pub.
The key fingerprint is:
SHA256:dnvPfIpslKjRiXyKJXbFTNh8xRqsV3++kZmYBF4nVnE ralimi@workstation
The key's randomart image is:
+---[RSA 2048]----+
|         + . oooE|
|        . +.++o..|
|         +.o++o. |
|          =.o.  o|
|       .S+.+..o.=|
|      o.*.=.oo =.|
|     . = =...   o|
|      . o  o.= ..|
|           .o =o |
+----[SHA256]-----+
$ cat mykey_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5B3781F56083FAF585A4BE6B1D1BC4D5

ICv1gSIulmRjFSqV6rSDDtjBCUarSUW6bdCMTW9e8byHBBWc2OsOo/1KJyMmTbA7
yUzptRZFf3n03Yt8lMwd3rhGiKSLEo8LO8OxR9WpOovPwqR2nr29oSQIfI5SOxeM
WTjsxIZCntb4ibcNp0BvFRYGGjMpviF1p+PrJxTuyDX+InXlTgiHxn0DIsQB7dXV
9CCdYmv1Ozzr4LPKpSoGdsc8OFDZu4cSZoKLLoWOzmQG+IoEJ2r/RSLzg8hQx+Be
O08onNk5kIvcdpBzfcZT0bZgnCTVy/PUOoKGIe4fBLGxACeCIBV/p9BRWUZO9YCx
3q0wVRiFHfMq6iNPEwHbq0vGBqIh3EaFua/6UW4LmeAjRqymV3PMHoaUn0W7PZKK
WGombmtTo4zvHDRXjxLf9RRQQHHfrH9Yy6lQeixeb0gz9GoWIKK/Dc/5hg8295hB
/75ZspI/+bC3B7SG6hWLT6JJFkSJ0bBHn0sgRewXKGdFIs5KiBkNESjlYJypqYBF
05+qtMXhHffsd5WwqHHhZZWBYREbZLlkQ04El3RNQpGFleuz6BsuFqSZIM43ijbE
L6vZ1TVB8kvHDXd5m0qV0oqXiUFu7sjE5vsWoD7q+DE1OGhm7ej01oOzkLAy6u8+
fcJl9Hd9j6T3vLbub5jt2WtEs+ZT5c8D1Vakzr8BnmgmjupQuPBvjfd5KyCQLZzx
MFmPAFifVf93DIgC+9J7d68Yop3PEh5I88Gr2Q5dYKwgQ0O6w4LVn673yuAQkaLF
V5/VBkeT1kY+JlEP2sHQAz7AZ/CjST0QckzuMiYQXpCcidiNOmjnJEnTp/BT//Db
0X83SO/LEiezTcHNeC/3opfymRYV3+CwnjUEnYJuEUHe4ENPzeLDrZmCo5qo+9lg
4AM7YmSBcgATSg1S8fz7eDkGNtaxIas4qww5laaPwD+RWU6LJlJeV/WAPKp0kL32
mt2usWaxVd7X0OdSF6cQTZJ2ypGr5/qguXnaEaEnofv62cFG5PQy0ZLpy0o1QUv5
0L33GuO0mVjxRS4LV5Y0dln7ZGm2RgYC5cQ6DsFwt68K3Udfa8U2RmYkOzs0hy51
o/zNIiptbZOD77ggPdZ63ujdTbRFr6sn4ArSIY7y8nKgV13R4VW9MvBeX1ivyL6r
r01r/HLymxSo2YMP9StH1k9KEcVKRXMImwfJI0Ozk1neZndAHJP97mvJqcRnVvOh
O7xyX1E+I3bM021QWTMWzPa6Bi/UY99uwFGx0XX05xBfK5GluTQibr4AXQ9Dp/4H
not5BkVDVsgWRlVFRCh0N+YHNcaE5HnFjkArILdD865RaHzLGgT77yQ4AZUMazrS
U+TL2daBrzu2BsoTc5wr5ANxu01l8IQQ2Falp91k1JYcf9WYZrLhLQhFptegoaDS
ZAs0GzQJXxY5DNclWP1r+ReD7PgssFwR+1foLQYTE906UlvgDEG3+QRUQNmI7Qag
pRH1mh+nrZ6BmwM1faItzjVW/EQXVqpPxRSbjexyj4JQ3lqFh+G4cStqQB//wdSN
AdqaUAn5zzW/s3Gyja8JhULdvVkT5Yhy4jwPz+8fpqHI3TQeEp7xsYgmfrUS7Fg5
-----END RSA PRIVATE KEY-----
$ cat mykey_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbzwSRbboqZOOWuaQqWOZrLGvgNoRg4utcYbPXMtEmTQjegzpOkNqdSrjPYX5bcs6WUTE4UoBtxAMo2D9GoomaNmbEh2JRH46G5O7z/+XeMuKAXRqYJeXW0xKXuypA+68btNoKsDFkn5ofph/++5sHoXXLRvSpqb+tP/RYvr3BlyRUrWS+vuBvEkIR1N6iA8UtsTm5nVGrxITkdpE9fty00lqjNWgtFYdLIpjz9E1LBCREVd6Nq4uGrv2NTyAVa/md0VlHc11FHXjqi0F/Wz/eqrymbaR7xkQd5g4h17UkN2x5If1/e4t4R573e9pIOMzre3lDaJLCw63rikQAnb9f ralimi@workstation

[iamhsa]

@ralimi : I think I have more clues on that.
As I have sometimes the error message below, on loading keys with passphrase

failed to load key: failed to parse private key: ssh: cannot decode encrypted private keys

I made some tests.

Indeed your command work well
$ ssh-keygen -N passphrase -f mykey_rsa

But sometimes I have space in my passphrases, so I do :

$ ssh-keygen -N "pass phrase" -f mykey_rsa
$ # or
$ ssh-keygen -N 'pass phrase' -f mykey_rsa
$ # or 
$ ssh-keygen -f mykey_rsa # and passphrase interactively entered

And in these cases I always have the error message (when I load the key)

failed to load key: failed to parse private key: ssh: cannot decode encrypted private keys

Hope this will help.

[ralimi]

I tried this locally, but I'm not able to reproduce. Here's what I've done:

$ ssh-keygen -N "pass phrase" -f mykey_rsa
Generating public/private rsa key pair.
Your identification has been saved in mykey_rsa.
Your public key has been saved in mykey_rsa.pub.
The key fingerprint is:
SHA256:Kx57CNnTEJW+opjMMLXNL9joiz2TXGKXResxSDhcvRM ralimi@workstation
The key's randomart image is:
+---[RSA 2048]----+
| . o.. ...       |
|  + . E .        |
|   o o *         |
|  . . O .        |
| . + * *S.       |
|o + O = o.       |
| B @ +o+.        |
| o% +.o+.        |
|..++ .o.         |
+----[SHA256]-----+
$ cat mykey_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,330984463FF3487964A4C041098CE49C

0OTg9CLoYkFGFU54H4d548GIvGTEJ8Gtup7ss7TQKov0fd3tCSFCeBs8Ui1JyWrK
7Rz313Xh0lMKlUECjaloEzmE8Hqp3f5xNXOniPYCg6Qj01kur9D3Jxn7io6oVhrx
spo+JgC2Vqtgn+S96fPxhZ754XfiNk4VVgAlUvorZ1mAg7q8yxSmu+7w8E0KHh/0
SiEsIgsO7wypSvZYAuCqv+jLqON5nP3BN9pOq5Z8+oElsfRr+dVHcVRFSJgAGYNK
eApSVr4cX/x70mCpvaFzjrNzoYAbtpIxQd087fdamZE/AvQ6859wJsJg7rCUSKw2
tfxENIV2aXSOYrDTMxdxZe2pOPn/lOLw9uaZr2Yx8qb8uSz/YzrYEEMc8Jj2ZAYC
VC747/Uk3LoqaaunVXWqVadZem9/3QXKLhiY/l6AAwVbGhzyMnwOuK0iOQ389/BF
WzvvKNaglsAOizZHpXYQRZfmaCB+z1ypC0e7vv48YuttoO4BviTiQa4magPnQBKp
fbf5JT7S2HmV2LbdyyUgpWyJUxlfoTKNoxAN6kobn6VwNn6elyW2ZBQyupRduWyh
GC9PdHlmgncKIN2srBD27Dn1QuER9ucd0ZxTKu1YwGT3htQEm27pmBPYruIHeZos
eCxxRIC1M5EOHVHxYDDOsxggrQPOW2FAOLN37qWdhvS5N6Yvg/OXkWwytjw5l9U8
v2jq6RO5uiXDdEp0QJBfL212Zkw/RG2NnEJTiIaAvganekAKWvAXfIF1P64roLCM
xFMYmwp1q1iQyS+NeZKO+5JEUJZti/vHWHUXllubaGFAO5pgD1lOW7eUezIgeXg4
l16dknkGLTrMKbLpTclj3MPvbLAUAn2wmLfgH3LbCnizIvWtYCSD1WjuD7gpRFbc
/TCGNfjNn1jFciC6RyJqgVAuaGNzHMSZPxRCBlsexAkwLfl0FndBHa9yZeDCJ4DP
Booh8a2IwGYcT0hnlEgMDdKu/bAZNYgaAniP+JNs5Z0bvHqa3dQ9E+G5JCv5VRLg
umqYtTdXSF+l83uy/DOjz+mlQj5SFNWHroDDxo5txciB27SA4BSrASIO9kjZEIa9
HCRiIEJ4S+xtilWzZpysXoAtgHjL2JrEkSA9Cqta1xC9kqddsjabTAUJ8k1RyOgk
S1GpKjxDYu5jy8IaRJ8eimJzXP3irlsf1SNnQgAG6COSXzSHuWmnEVPDz5taLrcu
j2yVP2KiXYJlN6W0w/GMfuQav8KLklreXGT6i+ZuyW2+deM5F4J18iRxMk8/RnRH
AYDmE4MtbVApU/j+iqTm/D3F0uQWRzgoSTPd/2u7VizmyFKXPWNMIvYtFyJNeQXJ
6R5pjaYXqzBF97D2/4YCddToCFtTfok1PF247VyyOmzeswlAJ0QcYLtPKKqY8Cdt
N3mYrG9m/wCHWPYn9XVjP6XyyfPjtujTBCzAk3zYItsO1ItezwovkWl2otlmLhsI
ttXb/YG6VtjasZm0ePk8sfpAwzrNET8xdQjDdTbG9h9wnJDQiC5cFyWBHoLa/tVO
Dop2lb0sp7IKV6hrVG2V1vlaT2knoLB5bF0Y7yhYyhUEZS0X8oewoWBJ2IFP7sLB
-----END RSA PRIVATE KEY-----
$ cat mykey_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFnflk08cgrUK/4O7V5FbIHlaqfdVJzvEnkP7HtJ/IGYralJtHik+YMgblHnGNh2KJoCNMcdDlsZyrKjLf7BTC/GXu5T8z7bVRBgSvPSXDKscwpxceaRcl75pMSyK6An0/ZH1UfC8qusmjzvudYP9WqwB78rKQGL36XuRK2mksL3P5i+QnGi+Clcp5ajV7Z65IpZmw6bXccwzQUcRTfl8phafsEL+C39XRBeBXq8ml8Im6TjdK9M1ALi6vNVMgywKkjweU82jhboQxCmDSAsE10a4dTkmpos/EK2k6QnFrM1qC6+id4Bwa7eTzkfUWUdw5A/2kxHi4wTaf15LlqErj ralimi@workstation

Then, I created a new key in the agent and pasted in the contents of mykey_rsa. I was then able to successfully load the key by typing in "pass phrase".

Would it perhaps be possible to generate a test key that fails to load on your computer and paste it here, along with the passphrase?

[terinjokes]

Proc-Type: 4,ENCRYPTED

We must be using different releases of ssh-keygen, as none of the keys I've ever generated (with passphrase or not) include this header. I'm away from my computer now, but I can generate pair (and give you the ssh-keygen release I'm using) in my morning.

…

On Fri, Nov 16, 2018, 10:12 PM ralimi ***@***.*** wrote: I tried this locally, but I'm not able to reproduce. Here's what I've done: ` $ ssh-keygen -N "pass phrase" -f mykey_rsa Generating public/private rsa key pair. Your identification has been saved in mykey_rsa. Your public key has been saved in mykey_rsa.pub. The key fingerprint is: SHA256:Kx57CNnTEJW+opjMMLXNL9joiz2TXGKXResxSDhcvRM ***@***.*** The key's randomart image is: +---[RSA 2048]----+ | . o.. ... | | + . E . | | o o * | | . . O . | | . + * *S. | |o + O = o. | | B @ +o+. | | o% +.o+. | |..++ .o. | +----[SHA256]-----+ $ cat mykey_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,330984463FF3487964A4C041098CE49C 0OTg9CLoYkFGFU54H4d548GIvGTEJ8Gtup7ss7TQKov0fd3tCSFCeBs8Ui1JyWrK 7Rz313Xh0lMKlUECjaloEzmE8Hqp3f5xNXOniPYCg6Qj01kur9D3Jxn7io6oVhrx spo+JgC2Vqtgn+S96fPxhZ754XfiNk4VVgAlUvorZ1mAg7q8yxSmu+7w8E0KHh/0 SiEsIgsO7wypSvZYAuCqv+jLqON5nP3BN9pOq5Z8+oElsfRr+dVHcVRFSJgAGYNK eApSVr4cX/x70mCpvaFzjrNzoYAbtpIxQd087fdamZE/AvQ6859wJsJg7rCUSKw2 tfxENIV2aXSOYrDTMxdxZe2pOPn/lOLw9uaZr2Yx8qb8uSz/YzrYEEMc8Jj2ZAYC VC747/Uk3LoqaaunVXWqVadZem9/3QXKLhiY/l6AAwVbGhzyMnwOuK0iOQ389/BF WzvvKNaglsAOizZHpXYQRZfmaCB+z1ypC0e7vv48YuttoO4BviTiQa4magPnQBKp fbf5JT7S2HmV2LbdyyUgpWyJUxlfoTKNoxAN6kobn6VwNn6elyW2ZBQyupRduWyh GC9PdHlmgncKIN2srBD27Dn1QuER9ucd0ZxTKu1YwGT3htQEm27pmBPYruIHeZos eCxxRIC1M5EOHVHxYDDOsxggrQPOW2FAOLN37qWdhvS5N6Yvg/OXkWwytjw5l9U8 v2jq6RO5uiXDdEp0QJBfL212Zkw/RG2NnEJTiIaAvganekAKWvAXfIF1P64roLCM xFMYmwp1q1iQyS+NeZKO+5JEUJZti/vHWHUXllubaGFAO5pgD1lOW7eUezIgeXg4 l16dknkGLTrMKbLpTclj3MPvbLAUAn2wmLfgH3LbCnizIvWtYCSD1WjuD7gpRFbc /TCGNfjNn1jFciC6RyJqgVAuaGNzHMSZPxRCBlsexAkwLfl0FndBHa9yZeDCJ4DP Booh8a2IwGYcT0hnlEgMDdKu/bAZNYgaAniP+JNs5Z0bvHqa3dQ9E+G5JCv5VRLg umqYtTdXSF+l83uy/DOjz+mlQj5SFNWHroDDxo5txciB27SA4BSrASIO9kjZEIa9 HCRiIEJ4S+xtilWzZpysXoAtgHjL2JrEkSA9Cqta1xC9kqddsjabTAUJ8k1RyOgk S1GpKjxDYu5jy8IaRJ8eimJzXP3irlsf1SNnQgAG6COSXzSHuWmnEVPDz5taLrcu j2yVP2KiXYJlN6W0w/GMfuQav8KLklreXGT6i+ZuyW2+deM5F4J18iRxMk8/RnRH AYDmE4MtbVApU/j+iqTm/D3F0uQWRzgoSTPd/2u7VizmyFKXPWNMIvYtFyJNeQXJ 6R5pjaYXqzBF97D2/4YCddToCFtTfok1PF247VyyOmzeswlAJ0QcYLtPKKqY8Cdt N3mYrG9m/wCHWPYn9XVjP6XyyfPjtujTBCzAk3zYItsO1ItezwovkWl2otlmLhsI ttXb/YG6VtjasZm0ePk8sfpAwzrNET8xdQjDdTbG9h9wnJDQiC5cFyWBHoLa/tVO Dop2lb0sp7IKV6hrVG2V1vlaT2knoLB5bF0Y7yhYyhUEZS0X8oewoWBJ2IFP7sLB -----END RSA PRIVATE KEY----- $ cat mykey_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFnflk08cgrUK/4O7V5FbIHlaqfdVJzvEnkP7HtJ/IGYralJtHik+YMgblHnGNh2KJoCNMcdDlsZyrKjLf7BTC/GXu5T8z7bVRBgSvPSXDKscwpxceaRcl75pMSyK6An0/ZH1UfC8qusmjzvudYP9WqwB78rKQGL36XuRK2mksL3P5i+QnGi+Clcp5ajV7Z65IpZmw6bXccwzQUcRTfl8phafsEL+C39XRBeBXq8ml8Im6TjdK9M1ALi6vNVMgywKkjweU82jhboQxCmDSAsE10a4dTkmpos/EK2k6QnFrM1qC6+id4Bwa7eTzkfUWUdw5A/2kxHi4wTaf15LlqErj ***@***.*** ` Then, I created a new key in the agent and pasted in the contents of mykey_rsa. I was then able to successfully load the key by typing in "pass phrase". Would it perhaps be possible to generate a test key that fails to load on your computer and paste it here, along with the passphrase? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAQsZdnqXfOoihaF8wJL2QDunPEbkdMoks5uv6jWgaJpZM4WT4wG> .

[iamhsa]

I think you are right with the ssh-keygen version (or its dependencies) as I mainly use ArchLinux. Version used to make test : openssh 7.9p1-1

I am also far away from any computer today. I will be able to paste a key tomorrow.

[iamhsa]

Here a key, I can't load in chrome-ssh-agent

$ ssh-keygen -f mykey.passphrase_rsa -N passphrase 
Generating public/private rsa key pair.
Your identification has been saved in mykey.rfc4716_passphrase_rsa.
Your public key has been saved in mykey.rfc4716_passphrase_rsa.pub.
The key fingerprint is:
SHA256:vh72TfwkShyWnXeHP+ybnGBY3ZvYqIkNAdWOYmP3Cew hug0@noname1
The key's randomart image is:
+---[RSA 2048]----+
|         ..      |
|        .  .     |
|       .. o      |
|       =.= + ....|
|      o S.* +.o.+|
|       . E.=o.=o+|
|        +.o.+=.*.|
|       . =+++++ +|
|       .o.o+. .*.|
+----[SHA256]-----+

$ cat mykey.passphrase_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA1weknEw
GGaxwzLeAQXhTpAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQCrolNZTsy7
1rJfvE/hmOFKyJF9B5+ANTB3og/Z7VSDleivceusnmVIdA+GeTcAjbaHuj9vUsGEW5bqN3
SqBRIOsQkpSMN6DHx1ViFo5wkASF+B0HNAzCAJ83e8hYuNGvJqXWgiyhSM6TdCX3ahqfDP
YZb/wPJm+ulFohBVAOJk1FV1HnKRjeIw0kNcR98kB82QhYmlP2rF5iuolKznK8CZ+IvzQE
SnVz1gJudXO/OxIMijZFrzAuembXkgK7P/eRJCa2Db07gkqVi5XyX0EHYcgMMNrv2nphpe
LYEetFJOZKY7d+2GAhN50wJi9fbra41Sl3u3KmTE+ISchCaDyhg3AAAD0NXR7n8v/5kiJT
Z4CNnFzF32zuKJpn7o3q6sD/Kt9/OWRKBCSPXgdQbxR9Tt2Dmv6RtAW7EUAG/OoM2X7idW
iIA/FYNNEQsY0FaLV70N/tjyBKnJORk/Hac7ATP2w/b6ChBSzV3BKR0arVfDIej5+zpPkH
bLnEh8WvTxMPrVtZg+GfE91ku5pJFcslgPNJ3rRiEI5vWZJ23Jft4K4rVXXNTfpqIJDdkz
uagHqoNPIuszzwTVonR3xhRzIlvm23LpV5RbPrjq6HbQm9WUtzdJx9GlY0otWRosJ11W4y
0YZHY+te+3S496IBXLcpp+SX4O0tBK+FHVRbeIm1YWQK8Av0vCswjko2wEtZIU+ZmsRRUa
gvrUnzviqQHgvTfprE+XaSXot3dzAXSfXpJYUbyypbK70QUyaQzs1a/Tf8MqGS1UJi1+S0
L9essUN+RdcT+pEgiMed04vZFaLN8Wo+JC1E2JJn25nD+F6LeqNjBFIIhr6ki8Rp6z3ivM
DQCJ6wtYOwIRG4A2Pbf0Ad30KMqpG395Khg96CVWacEwbYaQ604vrAdkTHOB6Pi2wx9ll8
3KERvAdyMN3sGKVMqgs9/jnEmPTCdyEjHsSNDnGAIEhSib9xC5Y065DyYsVgzH4OWxgRLy
+gEbOjZIRGqqRFTGN96snIkJHhK/mpyP66IKbeXSxfYwzx99azZIvgg8l5IiPId4+2BeCm
VTnq2XMO+gNqstkx98ov+sf3qpkGrr00ObFQhEu/J/HrvF+ubrLYnegnSJi35MyWzsfNZJ
/H7Q+oFt6wfVYNija4VkvrTETHheXVlIrkyPJeRMgOs7kYhDWNoOSyLYuljl1jdktDFRXi
DKTF1s0MeIdgSeJyQR5RvKLkFfcha80ikGohjb54q/CUIDhwlvksYgHhopz1/kE8ufRMmU
V7PP/S4ctpz3Jc8jQ6M7N5O0QMCPEomKU1Kg4aIr2jVb8YLLEZ9MZOufMfWYS5tNwhju2R
BnmhQ8He9OtsoyIC36EQCKjp3s4NrF1I9+GGdEm1EsRdOr74RJWZ1m8ZxNWnPxyu7OAAy+
DdtnkByH45bQVpwmNK6DrR7kClgcoXhzSHqc8xCU5BVWuJx+3mtbv9LNpiOTuJGrLCQ6E3
u/jx3euGwHoNSvQF5yi3DPNzxevEA2JUtNNFEqdV6UTFHguC8XxqS+dRJi4xc9M8K0OOg4
6P6DGNaiEuCT5B7RrK0MU9Q2g0dW6XIM28fXpXnQ/PPDLN1NFJYHL/pguSJ+mLFSS/1Ysv
Uw4RmaQ5KLb1avZEyKC19tTWpFfK0=
-----END OPENSSH PRIVATE KEY-----

$ cat mykey.passphrase_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrolNZTsy71rJfvE/hmOFKyJF9B5+ANTB3og/Z7VSDleivceusnmVIdA+GeTcAjbaHuj9vUsGEW5bqN3SqBRIOsQkpSMN6DHx1ViFo5wkASF+B0HNAzCAJ83e8hYuNGvJqXWgiyhSM6TdCX3ahqfDPYZb/wPJm+ulFohBVAOJk1FV1HnKRjeIw0kNcR98kB82QhYmlP2rF5iuolKznK8CZ+IvzQESnVz1gJudXO/OxIMijZFrzAuembXkgK7P/eRJCa2Db07gkqVi5XyX0EHYcgMMNrv2nphpeLYEetFJOZKY7d+2GAhN50wJi9fbra41Sl3u3KmTE+ISchCaDyhg3 hug0@noname1

Some informations about OpenSsh version :

$ ssh -V                                                                                                                                                                                               
OpenSSH_7.9p1, OpenSSL 1.1.1  11 Sep 2018

[iamhsa]

Hum ! As noticed by @terinjokes our private keys don't have header
(Sorry I do not read English as well as I would like :-)

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

So I have look man page of ssh-keygen and I found :

-m key_format
Specify a key format for the -i (import) or -e (export) conversion options. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key) or “PEM” (PEM public key). The default conversion format is “RFC4716”. Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.

I tried to generate keys with the three key_format :

$ ssh-keygen -f mykey.pem_passphrase_rsa -N passphrase -m pem
$ ssh-keygen -f mykey.pkcs8_passphrase_rsa -N passphrase -m pkcs8
$ ssh-keygen -f mykey.rfc4716_passphrase_rsa -N passphrase -m rfc4716

key_format	Passphrase	Headers	Loading in chrome-ssh-agent
PEM	yes	yes	OK
PKCS8	yes	no	KO
RFC4716	yes	no	KO

As chrome-ssh-agent ask explicitly pem format I think we are completely out of process.

@ralimi : will you plan to add PKCS8 and RFC4716 formats ?

[iamhsa]

This default value appeared in OpenSSH 7.8/7.8p1.

ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format. The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports
key comments in private keys. If necessary, it is possible to write
old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
when generating or updating a key.

[terinjokes]

@iamhsa Thanks for taking a look at this. I had some things come up, and was just now getting back to this.

I use ed25519 for my key pair, which is not possible to store in PEM format.

[terin@rack01 ~]$ ssh-keygen -f test_ed25519 -N passphrase -t ed25519 -a 100 -m pem
Generating public/private ed25519 key pair.
Your identification has been saved in test_ed25519.
Your public key has been saved in test_ed25519.pub.
The key fingerprint is:
SHA256:IQovehGrepYLlhFKQIqUasvPfm+nnupujm1PvmfGVMk terin@rack01
The key's randomart image is:
+--[ED25519 256]--+
|oo.              |
|=.               |
|+oo   . . . .    |
|+..= . . . E     |
|+.= o   S .      |
| =oo     .       |
|+o+.   .o        |
|oo+oo+o..*       |
|.oo+B**OB        |
+----[SHA256]-----+
[terin@rack01 ~]$ cat test_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAlPXmf3u
Q488SRElaUqAe+AAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINq7Z6K8o+2uNeSx
ojwfJPzpXrpW357N6VCV2W+/xBRBAAAAkPSLyVQ78YRiA3Pfy76tzCAm7fBQEK7VdNDWeD
qHGTB7yX5nmpM4aIWjiWIBZkmbg1446IxYgepKaJurT/2NIQo9xgeDTc4nSo+QfuFsv90s
FMNQDGYUU+c3SsCtDty+CCsl8j7JZG3LBg9oJoFs3f7EyvyKF1E/yvR3smlkaMNbBSlfV4
eV4FbJ+ANDv9G+4w==
-----END OPENSSH PRIVATE KEY-----
[terin@rack01 ~]$ cat test_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINq7Z6K8o+2uNeSxojwfJPzpXrpW357N6VCV2W+/xBRB terin@rack01

[terinjokes]

This change was described back in 2013: new openssh key format and bcrypt pbkdf.

[ralimi]

It looks like there is good news and bad news.

Good news: keys with the newer format appear to be supported by Go's crypto package. I've added a test in #8 to validate that they are supported.

Bad news: there doesn't appear to be support in Go's crypto package currently for loading encrypted ones. golang/go#8860 looks like the issue tracking that request.

[terinjokes]

There's pkcs#8 parsers for Go that look compatible with GopherJS. Would there be any objections to integrating with them since the stdlib implementation doesn't seem to be happening right now?

…

On Thu, Nov 22, 2018, 9:05 PM ralimi ***@***.*** wrote: It looks like there is good news and bad news. Good news: keys with the newer format appear to be supported by Go's crypto package. I've added a test in #8 <#8> to validate that they are supported. Bad news: there doesn't appear to be support in Go's crypto package currently for loading encrypted ones. golang/go#8860 <golang/go#8860> looks like the issue tracking that request. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAQsZfkqoOqTEHiVA7uM317Ugapl4nMHks5ux4IrgaJpZM4WT4wG> .

[ralimi]

I'm playing around with https://github.com/youmark/pkcs8 as we speak :)

[ralimi]

I've got this working with PKCS#8 keys, both with and without passphrases.

Unfortunately, I found out through this experimentation that PKCS#8 is not the same "OpenSSH format" produced by ssh-keygen.

PKCS#8 are signified by BEGIN PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY at the beginning of the block. See https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences. I've got code working that handles these keys now, both encrypted and unencrypted, using https://github.com/youmark/pkcs8.

OpenSSH Format begins a block with BEGIN OPENSSH PRIVATE KEY. The Golang crypto libraries support the unencrypted form of these out of the box, but not the encrypted form.

I wasn't able to replicate the results from @iamhsa above. On my machine, (OpenSSH_7.6p1), the -m option to ssh-keygen doesn't appear to do anything when generating keys. It only applies when importing and exporting keys to/from the OpenSSH format.

[ralimi]

I was wondering if there was an easy way to convert an OpenSSH-formatted private key into either PEM or PKCS#8.

The ssh-keygen man page seems to say it can be done:

$ ssh-keygen -f mykey_openssh -o -t rsa -N ""
Generating public/private rsa key pair.
Your identification has been saved in mykey_openssh.
Your public key has been saved in mykey_openssh.pub.
The key fingerprint is:
SHA256:BvEfQd6Qac6c7CS068D2+zYIKsUVNdoiNq251SZj4bI ralimi@workstation
The key's randomart image is:
+---[RSA 2048]----+
|      ..o.+o     |
|     ..=.o++     |
|    + *ooBo..    |
|   . *.=o.B.     |
|   .+o* S=.      |
|    o*==. .      |
|   .Eo = .       |
|  . .   + o      |
|   .    .+..     |
+----[SHA256]-----+
$ ssh-keygen -e -f mykey_openssh -m pkcs8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqDa23RzctKaVhQNKQLeu
q3AKSvqaxmMxc0jawYaHIz+sJag4NoYqgKKh832z7M4qRop1t4AmBXO77Sd10v3w
35xh/On7cuRqXWYig0drA9W0DHjvjJJ3QieA2ZwkUhSI+NX8BNS7TY6zifigSs0L
epsGw/aQZ/GDK5uCOYFDNcFTbL5XngfaVwysbvi5vL9zRrsfG+iQw7dS8ics2Zmp
hIYYARtfqWu13kMg5ncCcPptwbgWnGSAG59jqYZs67qyL2WvpN737b6Bx2EJuVYD
d4NLZY46x5jTSh5WdiqOz+dsKZrdZi5ipnQjVh8/rtVbWDhg21bkFqX9e95qACNo
CQIDAQAB
-----END PUBLIC KEY-----

https://unix.stackexchange.com/questions/84060/convert-openssh-private-key-into-ssh2-private-key seems to confirm that the manpage lies, and it will just produce the public key.

[ralimi]

golang/go#18692 looks like the feature request for supporting encrypted OpenSSH formatted keys.

[ralimi]

After finding golang/go#18692, it was pretty easy to adjust the code to use the same underlying library they were disussing.

I'll be happy when those two feature requests in the crypto libraries are resolved so this code can be made simpler again.

[ralimi]

I built a new release including these changes. It should be release as 0.0.18.

[ralimi]

Oops. Not quite fixed - keys still don't load. Reopening.

[ralimi]

Fixed, and release 0.0.19. @terinjokes - I can now load the ed25519 key you provided above.

[iamhsa]

And now keys genetated by
ssh-keygen -N "pass phrase" -f mykey_rsa
is loading like a charm.
Thanks !

[bhavanasrini]

It looks like there is good news and bad news.

Good news: keys with the newer format appear to be supported by Go's crypto package. I've added a test in #8 to validate that they are supported.

Bad news: there doesn't appear to be support in Go's crypto package currently for loading encrypted ones. golang/go#8860 looks like the issue tracking that request.

@ralimi ... I have encrypted private key in the form of
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1YIZ7xrVUT4CAggA
MB0GCWCGSAFlAwQBKgQQadh/eSr4Ylj5UikDMjmVrASCCVBEF9eii3ObUWujefZT
1ShtWYKYTJHtmsc2CPm0TSx7F0scsGouGra84ll4qlAW63KnUVEE/qB6gFxNywBg
wvkbvTLkJZ6fouCOjfdIhRYuCg==
-----END ENCRYPTED PRIVATE KEY-----

I am not able to decrypt using youmark/pkcs8 package.... Was your files in the similar format ?

[ralimi]

I believe they were, yes. Consider trying to play around with openssl itself to decrypt and verify it is actually in PKCS#8 format?