Bug 2895

Summary: ecdsa key invalid format after upgrade
Product: Portable OpenSSH Reporter: Rej <rej>
Component: ssh-addAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: normal CC: djm, jjelen
Priority: P5    
Version: 7.7p1   
Hardware: All   
OS: Linux   
Attachments:
Description Flags
ECDSA private key reproducing a problem none

Description Rej 2018-08-14 20:02:41 AEST 
after upgrade RHED6.8 to Fedora28 (ssh v6 to v7) I'm not able to load ECDSA key, ssh is telling it has invalid format

RedHat support was able to reproduce this bug too:
https://bugzilla.redhat.com/show_bug.cgi?id=1610222

Why I think problem is in SSH ? 

Because openssl has new option check - and it is telling, that private key is OK.

Thanks for your time.
Comment 1 Damien Miller 2018-08-15 11:56:08 AEST 
Which exact version of OpenSSH generated they key? What is the output of "ssh-keygen -vvvlf /path/key"?
Comment 2 Rej 2018-08-15 16:00:24 AEST 
Hi, 

I used CentOS v6.9 to reproduce this problem - there is openssh in version openssh-5.3p1-123.el6_9.x86_64 and it can load and use my key without problem.

On Fedora28 there is openssh-7.7p1-5.fc28.x86_64
and it tells me:
$ ssh-add id_ecdsa
Error loading key "id_ecdsa": invalid format

here is output you requested:
$ ssh-keygen -vvvlf id_ecdsa
521 SHA256:fMK7A1KpalIDhzir46fTHj9GNIWVXsdsmTL9sCrUvkw Rej (ECDSA)
+---[ECDSA 521]---+
|      o.. + o    |
|     . o + X     |
|..    o.o = +    |
|= .  oo= . . .   |
| =  .oo S o      |
|. o o... E       |
|...+.. .= .      |
|+.oooo  .+       |
|.*=.... ..       |
+----[SHA256]-----+
Comment 3 Damien Miller 2018-08-15 16:48:40 AEST 
OpenSSH added ECDSA support in release 5.7 (https://www.openssh.com/txt/release-5.7), so I don't understand how you generated an ECDSA key using OpenSSH 5.3.
Comment 4 Jakub Jelen 2018-08-15 16:52:51 AEST 
Created attachment 3169 [details]
ECDSA private key reproducing a problem

Please, see the analysis in the redhat bugzilla. It already answers most of the questions and points what is different in the old key and a new key (format: named curve x raw group parameters) and why is it failing (ec group comparison). I can reproduce the same behavior so I attached the testing private key.

I suspect this is some change in OpenSSL, how they handle EC group comparison, but I did not have time to investigate it further. It might even work for you with LibreSSL.
Comment 5 Damien Miller 2019-01-23 11:43:11 AEDT 
OpenSSH tries to support keys that encode explicit group parameters rather than the group ID. See sshkey.c:sshkey_ecdsa_key_to_nid()

This definitely used to work with OpenSSL, but it doesn't seem to now. It does work with libressl.
Comment 6 Damien Miller 2020-01-26 00:33:04 AEDT 
This seems to be a bug in OpenSSL. OpenSSH does everything I know of to ascertain and use the correct EC group. Please tell me if this is not the case and I'll try to fix it.
Comment 7 Damien Miller 2021-03-04 09:53:23 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle