Monday, October 1, 2018

August Update to ssh-keygen breaks puttygen

Update From Kali Team: 10/2/2018

Everything you need to know is in /usr/share/doc/openssh-server/NEWS.Debian.gz.

  OpenSSH 7.8 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): Write OpenSSH format private keys by default instead of
     using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
     releases since 2014 and described in the PROTOCOL.key file in the
     source distribution, offers substantially better protection against
     offline password guessing and supports key comments in private keys.
     If necessary, it is possible to write old PEM-style keys by adding "-m
     PEM" to ssh-keygen's arguments when generating or updating a key.

Looks like puttygen only supports the PEM-style private keys. In any case, it's not a Kali bug, possibly a puttygen one about lacking support of the OpenSSH key format.



After pulling out my hair all day long trying to figure out the differences between the Kali Raspberry Pi and Kali Live build on my thumbdrive, I finally realized there was an ssh-keygen update done in August 2018.

To outline the problem let me first outline how I was generating and converting the private keys for ssh.

  1. On the host system
    1. ssh-keygen -t rsa
      1. enter file name
      2. enter super secure secret password
      3. repeat step 2
    2. Copy the file to the client(s) that are logging into the host
  2. On the Client
    1. Run PuttyGen
      1. Import id_rsa (or whatever you named the file)
      2. Save private key with .ppk extension
Normally this works just fine but on 10/1/2018 this stopped working for me.  Anytime I got to step 2.1.1 I would be met with an error indicating an unrecognized cipher name.


After much trial and error and testing my Google searching ability, I came across the last post on a familiar site, all the way at the bottom, which led me to this conclusion.  The post deals with ed25519 but I was using RSA.  As you will see in the last post, it directly states the author does not believe this to be an ed25519 issue.  Using the advice found in the same article, I tested the same with RSA.

$ cp ~/.ssh/id_rsa ~/.ssh/id_rsa-for-putty

$ ssh-keygen -p -f ~/.ssh/id_rsa-for-putty
Enter old passphrase: <your passphrase>
Enter new passphrase (empty for no passphrase): <press Enter>
Enter same passphrase again: <press Enter>

Much to my surprise it worked!  Someone much smarter than me might be able to comment on what changed in the August update to ssh-keygen but I know this was working in the March 2018 update I have on my thumbdrive.
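The workaround above leaves a private key with no passphrase on disk. As an added example (not part of the original post or the Kali team's reply), the shell functions below report which container format and cipher a key file uses, read from the header layout in PROTOCOL.key, and rewrite a copy with the "-m PEM" option quoted in the update so the copy can keep a passphrase. The function names are hypothetical, and GNU `base64`, `head` and `od` are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# key_format FILE: print "openssh", "pem" or "unknown" from the armor line.
key_format() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----" | \
        "-----BEGIN DSA PRIVATE KEY-----" | \
        "-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        *) echo unknown ;;
    esac
}

# key_cipher FILE: print the cipher name of an OpenSSH-format key.
# PROTOCOL.key layout: "openssh-key-v1\0" (15 bytes), then a uint32 length
# followed by the cipher name ("none" when the key has no passphrase).
key_cipher() {
    [ "$(key_format "$1")" = openssh ] || return 1
    # Drop the armor lines, decode, keep the first 64 bytes as decimal values.
    set -- $(grep -v '^-----' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null |
             head -c 64 | od -An -v -tu1)
    [ "$#" -gt 19 ] || return 1
    shift 18; len=$1; shift      # skip magic + 3 high bytes of the length
    [ "$len" -le "$#" ] || return 1
    name=
    while [ "$len" -gt 0 ]; do
        name="$name$(printf "\\$(printf '%03o' "$1")")"
        shift; len=$((len - 1))
    done
    printf '%s\n' "$name"
}

# make_putty_copy KEY: rewrite a copy of KEY in PEM format. ssh-keygen prompts
# for the old passphrase and a new one, so the copy can stay encrypted.
make_putty_copy() {
    ( umask 077 && cp "$1" "$1-for-putty" ) || return 1
    ssh-keygen -p -m PEM -f "$1-for-putty"
}
```

Run `key_cipher ~/.ssh/id_rsa` before importing; once the .ppk has been saved with a passphrase in PuTTYgen, delete the `-for-putty` copy.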

Video can be found here:

https://youtu.be/q6LmHqdJvuo
