Bug 2699

Summary:

PKCS#8 private keys with AES-128-CBC stopped working

Product:

Portable OpenSSH

Reporter:

Peter Wu <peter>

Component:

ssh-keygen

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm, dtucker

Priority:

Version:

7.5p1

Hardware:

amd64

OS:

Linux

Bug Depends on:

Bug Blocks:

2698

Attachments:

Description	Flags
search first entry in libcrypto error stack for better error	dtucker: ok+

Description Peter Wu 2017-03-26 02:24:49 AEDT

In older OpenSSH versions, the key derivation method was quite weak, but the encryption method could be changed (see https://security.stackexchange.com/a/39293). Basically:
openssl pkcs8 -topk8 -in id_rsa -out keypk8.pem -v2 AES-128-CBC

With the latest OpenSSH version, the key no longer functions. "ssh host" fails with "invalid format".

Expected result (7.4p1):
$ ssh-keygen -f keypk8.pem -y
Enter passphrase: 1234
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQ33ndDr5N/AI8y2PzrqGbadLeS5fSf2GsVJx2B2KxhazL2z5Oufin+wjJ1hW12/zWyQs/9CFYQFrife+PrMUOdLitsmlD3l4lBQ29+XKsmPabtINPJQ0n4dxgBGeFxTCd4lJwiysmVsXPnNrgQTcx2nirrIk1C7wSW9Ai9W3fZQ==

Actual result (7.5p1):
$ ssh-keygen -f keypk8.pem -y
Enter passphrase: 
Load key "keypk8.pem": invalid format

$ cat keypk8.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICzzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIjD0b5HeRJgcCAggA
MB0GCWCGSAFlAwQBAgQQO0b81Wq1hf72ClU42A/MlgSCAoCtUR3Stws9u5+CE3B8
ewvZeDZRm1suk2vCrt1f/AMUTZv18hfJtreS3qcAJAUJbuzpC8B/xNLv/k2SfPkl
pEX3hma9JNebVt6CwnFnxiSGqVthNuO7iprTnabTcwMZVJnx32YoqEa3rS/NWf+D
kMSWHcuUSngreuL8XA3oWlzIcDDcEGY/gpLFvli4YXnBJe0fM/NBBm1QqTOWgNlB
xCzbVwi58aELHt9OYzhYQOnNVFE3ZJxwzBQZA7+lsiwAPQZhCVFuoR5nbsHAGq4m
ATb5Zl6kXqQFbyHnNimcuZPvNpNJ5AKpgSUDgGpDycxsp4a59noG9jKdlubrlvgl
cXFsA3COBKB87edRgLDU2X2+XTrtGRtRBfwkt5Os3+4NQYGpI7s3KT/VCEAoQSgZ
HKXLW6UjMtE/prNXiGlOCMlvWiBxJC1ZH4OsG6vVjmH7jX6xE4sxIER9ENezKGHC
pcqP6qfne5O/gkKwd3IDMbsdNp2rislAP4baXk9lHbxVKTzbW1xPDHq5iXlcGuUZ
q4Mgena5VUIIgPN1RTBFWwLVNHKlVJcM0w3+OVAK84/aX7NUyhLV6fZgi3jVSkaV
aHDDAezvzUwwgm63du0hBZlWLkl2IY7b/SOsTaZV9bwiaLG4kmlMhwYQEKpTIgDA
ZMJ/oQAWKgWqm7Vg4kW06ri7iKOoIWIIDINbgB1hiFVOdVOLFFDKBd/Rso6pCDlQ
jHcrA4nwzsqKqFG3+NKRmUtaIwAekWTKgknlVu+nhGBA/PjOFnucyBY2hceJpLsK
9W7EgT2Y/QURyMRf9OE2rtV+8C01C0tyyIXxEleV941N9AeK4F2GMeL2/i/blyuN
TVmf
-----END ENCRYPTED PRIVATE KEY-----

Comment 1 Damien Miller 2017-03-29 19:19:34 AEDT

I can't replicate this on either OpenBSD or Linux (Ubuntu variant). I tried the key you provided and one that I generated:

$ ssh-keygen -t rsa -f k -C '' -N ''
Generating public/private rsa key pair.
Your identification has been saved in k.
Your public key has been saved in k.pub.
The key fingerprint is:
SHA256:m4QOVbZ5Q5sWhFIox47fgcUManmU2RNzIJJfYl9SmNw 
The key's randomart image is:
+---[RSA 2048]----+
|    .o+@BX*      |
|    o=X+&*E+     |
|    +BoBo+*      |
|   ..o+.oo .     |
|    ....S.       |
|     o...o       |
|      . o        |
|                 |
|                 |
+----[SHA256]-----+
$ openssl pkcs8 -topk8 -in k -out k.pem -v2 AES-128-CBC
Enter Encryption Password:
Verifying - Enter Encryption Password:
$ chmod 0600 k.pem 
$ ssh-keygen -yf k.pem 
Enter passphrase: 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0cTGZ+1cqjei8PdYa7FoFUHYsUST7jTneMP+FktaD3RKqrkpKQdvTBfRqcYUeiwscgqmKa5KYvNvz2GXhO3Nk6Pe46MI9CC+bKoR/Gt+okQU54zua4TlmRRsPxQdGat6vtcD7bPeFcIpXLGt4troMs7VVSBgrVI1Z+QG2v41L85l360vsmo5mVDDKWODlG7D0QyulJpf9WVuAD9fAorBKh5hA2mcWLYiInD9uxsw3xst0nPnQdHXvTNkfF2u8LD6Hurh5ewYu58a8RSozCDqSn0s3F0Sm5oO4oJw+zd1QG/ljJ/fn2bPr2RCUx9L2CkjQcQAFZm13flx8tg77pJ+Z
$ ./ssh-keygen -yf k.pem 
Enter passphrase: 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0cTGZ+1cqjei8PdYa7FoFUHYsUST7jTneMP+FktaD3RKqrkpKQdvTBfRqcYUeiwscgqmKa5KYvNvz2GXhO3Nk6Pe46MI9CC+bKoR/Gt+okQU54zua4TlmRRsPxQdGat6vtcD7bPeFcIpXLGt4troMs7VVSBgrVI1Z+QG2v41L85l360vsmo5mVDDKWODlG7D0QyulJpf9WVuAD9fAorBKh5hA2mcWLYiInD9uxsw3xst0nPnQdHXvTNkfF2u8LD6Hurh5ewYu58a8RSozCDqSn0s3F0Sm5oO4oJw+zd1QG/ljJ/fn2bPr2RCUx9L2CkjQcQAFZm13flx8tg77pJ+Z
[djm@demiurge openssh]$ ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.1f 6 Jan 2014
[djm@demiurge openssh]$ ./ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.1f 6 Jan 2014

Comment 2 Peter Wu 2017-03-29 20:13:36 AEDT

Perhaps the passphrase was wrongly entered (bad keyboard state?). It works now when the correct passphrase is typed in (rebooted in between).

Can the error message can be improved?

$ ssh-keygen -yf keypk8.pem
Enter passphrase: 1233
Load key "keypk8.pem": invalid format
$ ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2k  26 Jan 2017

$ ssh-keygen -yf keypk8.pem
Enter passphrase: 1233
Load key "keypk8.pem": incorrect passphrase supplied to decrypt private key
$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016

Comment 3 Damien Miller 2017-06-09 14:38:21 AEST

Created attachment 2990 [details]
search first entry in libcrypto error stack for better error

OpenSSL makes it unfortunately painful to determine the actual problem when it fails, by scattering root and proximal problems across an error stack. This patch searches deeper in the stack and prefers to return "wrong passphrase" errors when it finds them to other causes.

Comment 4 Darren Tucker 2017-06-09 14:43:21 AEST

Comment on attachment 2990 [details]
search first entry in libcrypto error stack for better error

looks reasonable but I don't know openssl that well.  maybe you want get one of the libressl folks to look?

Comment 5 Damien Miller 2017-06-09 16:40:43 AEST

Patch applied. This will be in openssh 7.6

Comment 6 Damien Miller 2018-04-06 12:26:34 AEST

Close all resolved bugs after release of OpenSSH 7.7.