Monday, July 2, 2012

ssh keys

1) The key pair format generated by OpenSSH differs from the formats used by other SSH clients.
2) Every commercial SSH client has its own key-format conversion program.
3) If you are using Tectia's Secure SSH shell, you can use "ssh-keygen-g3.exe" to switch between the formats.

A:
Tectia and OpenSSH use different public key file formats. For more information on the public key file format used by Tectia, please see the IETF SECSH working group SECSH Public Key File Format draft. For more information on the OpenSSH public key file format, please see the OpenSSH web site. The new version of ssh-keygen-g3 has options to convert OpenSSH private and public keys to the IETF SECSH compliant format supported by Tectia.

Command-line options

ssh-keygen-g3 --import-public-key infile outfile
Reads the OpenSSH public key and converts it to an SSH Tectia compliant format. Supports DSA and RSA keys.
ssh-keygen-g3 --import-private-key infile outfile
Reads the OpenSSH null passphrase private key and converts it to a Tectia-compliant format. Supports DSA and RSA keys.
ssh-keygen-g3 --import-ssh2-authorized-keys infile outfile
Reads the SSH2 and OpenSSH authorized_keys file (can contain several DSA and RSA keys), extracts the file to separate Tectia-compliant keys and creates a Tectia format authorization file which contains references to created keys.

Usage examples

Host key conversion

ssh-keygen-g3 --import-private-key /etc/ssh/hostkey /etc/ssh2/hostkey
ssh-keygen-g3 --import-public-key /etc/ssh/hostkey.pub /etc/ssh2/hostkey.pub

User key conversion

Client side
ssh-keygen-g3 --import-private-key "$HOME"/.ssh/id_dsa "$HOME"/.ssh2/id_dsa_ssh2
echo "Key id_dsa_ssh2" >>identification
Server side
ssh-keygen-g3 --import-ssh1-authorized-keys "$HOME"/.ssh/authorized_keys "$HOME"/.ssh2/authorization

Migrating OpenSSH server to Tectia Server

Host key needs to be converted with:
ssh-keygen-g3 --import-private-key /etc/ssh/hostkey /etc/ssh2/hostkey
ssh-keygen-g3 --import-public-key /etc/ssh/hostkey.pub /etc/ssh2/hostkey.pub
If public key authentication is used, user specific authorized_keys file needs to be converted to separate public keys. Conversion needs to be done for each user using public key authentication:
ssh-keygen-g3 --import-ssh1-authorized-keys "$HOME"/.ssh/authorized_keys "$HOME"/.ssh2/authorization

Migrating OpenSSH client to Tectia Client

If public key authentication is used, user specific private and public keys need to be converted. Conversions are required for each key and each user using public key authentication:
ssh-keygen-g3 --import-private-key "$HOME"/.ssh/id_dsa "$HOME"/.ssh2/id_dsa_ssh2
ssh-keygen-g3 --import-public-key "$HOME"/.ssh/id_dsa.pub "$HOME"/.ssh2/id_dsa_ssh2.pub
echo "Key id_dsa_ssh2" >>identification
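
The IETF SECSH public key file format that answer A points to (published as RFC 4716) and the OpenSSH one-line format are two wrappers around the same base64 key blob. The following is an added example, not code from this post, from Tectia or from OpenSSH: it converts a public key between the two wrappers and checks that the algorithm name stored inside the blob agrees with the type prefix on the line, which catches an edited or corrupted key file before it is installed. The ssh-rsa key material is constructed from fixed bytes and is not a real key, and all function names are mine.

```python
"""
OpenSSH one-line public keys and RFC 4716 (IETF SECSH) public key files are two
wrappers around the same base64 key blob. This converts between them and
sanity-checks the blob. Added example code, not from the original post, Tectia
or OpenSSH. Demo key material is constructed from fixed bytes; it is not a real key.
"""
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 is added when
    the top bit would otherwise mark a positive number as negative."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def parse_ssh_strings(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields, refusing truncated input."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def blob_type_matches(line: str) -> bool:
    """The algorithm name stored inside the blob must equal the line's type
    prefix; a mismatch means the file was edited or corrupted."""
    key_type, b64 = line.split(None, 2)[:2]
    fields = parse_ssh_strings(base64.b64decode(b64, validate=True))
    return bool(fields) and fields[0] == key_type.encode()


def openssh_to_rfc4716(line: str) -> str:
    """'<type> <base64> [comment]' -> RFC 4716 block with a Comment header."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if not blob_type_matches(line):
        raise ValueError("key type prefix does not match the blob")
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    out = [BEGIN]
    if comment:
        out.append(f'Comment: "{comment}"')
    # RFC 4716 section 3.4: body lines must not exceed 72 characters
    out.extend(textwrap.wrap(base64.b64encode(blob).decode(), 72))
    out.append(END)
    return "\n".join(out) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """RFC 4716 block -> OpenSSH one-liner; handles backslash-continued headers."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        if ":" in lines[i] and not body:  # headers precede the body; base64 has no ':'
            name, value = lines[i].split(":", 1)
            value = value.strip()
            while value.endswith("\\"):   # continuation line
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip().lower()] = value
        else:
            body.append(lines[i].strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    key_type = parse_ssh_strings(blob)[0].decode()
    comment = headers.get("comment", "").strip('"')
    return f"{key_type} {base64.b64encode(blob).decode()}" + (f" {comment}" if comment else "")


# Constructed demo key: an ssh-rsa blob is "ssh-rsa", e, n. The modulus here is
# 64 fixed bytes, not a real RSA modulus; it only exercises the encoding.
DEMO_N = int.from_bytes(bytes(range(1, 65)), "big")
DEMO_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(DEMO_N)
DEMO_OPENSSH = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " alice@example"

if __name__ == "__main__":
    rfc = openssh_to_rfc4716(DEMO_OPENSSH)
    print(rfc)
    print(rfc4716_to_openssh(rfc))
```

Only the wrapper changes: the same blob decodes in both directions, so a converter that alters the blob itself has done something wrong. The prefix check is the part worth keeping when scripting a migration, since a relabelled key type in an authorized_keys line is otherwise silent until login fails.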


B:
If the private key is not passphrase-protected, just use the OpenSSH keygen import:
ssh-keygen -i -f my_tectia_privatekey
This will print the private key in OpenSSH format to stdout.
If the Tectia private key is passphrase-protected, you'll need to remove the passphrase first using Tectia keygen (just press Enter when prompted for the new passphrase):
$ ssh-keygen-g3 -e my_tectia_privatekey 
Passphrase needed for key "My Tectia Private Key".
Passphrase : 
Do you want to edit key "" (yes or no)? yes
Your key comment is "My Tectia Private Key". Do you want to edit it (yes or no)? no
Do you want to edit passphrase (yes or no)? yes
New passphrase : 
Again          : 
Do you want to continue editing key "" (yes or no)? no
Do you want to save key "" to file my_tectia_privatekey (yes or no)? yes
Then follow the same step as above for unencrypted private keys.
ssh-keygen -i -f my_tectia_privatekey > my_openssh_privatekey
Finally, encrypt the key again with a passphrase using OpenSSH keygen:
ssh-keygen -p -f my_openssh_privatekey
