Eu criptografei minha chave privada usando openssl pkcs8 -topk8 -in id_rsa -out id_rsa_new -v2 des3
( link )
Mas agora, o ssh-agent não funciona mais. Quando tento me conectar a uma máquina usando ssh:
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.178.38 [192.168.178.38] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/damon/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/damon/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/damon/.ssh/id_rsa-cert type -1
debug1: identity file /home/damon/.ssh/id_dsa type -1
debug1: identity file /home/damon/.ssh/id_dsa-cert type -1
debug1: identity file /home/damon/.ssh/id_ecdsa type -1
debug1: identity file /home/damon/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.178.38" from file "/home/damon/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/damon/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA d0:42:c3:a4:bb:2e:f0:cd:38:c1:32:d5:a5:ac:4c:d5
debug3: load_hostkeys: loading entries for host "192.168.178.38" from file "/home/damon/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/damon/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '192.168.178.38' is known and matches the ECDSA host key.
debug1: Found key in /home/damon/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/damon/.ssh/id_rsa (0x7f15643f1e30)
debug2: key: /home/damon/.ssh/id_dsa ((nil))
debug2: key: /home/damon/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/damon/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp ee:e0:8c:60:ee:9f:05:4c:cd:0e:45:85:e2:91:64:95
debug3: sign_and_send_pubkey: RSA ee:e0:8c:60:ee:9f:05:4c:cd:0e:45:85:e2:91:64:95
Agent admitted failure to sign using the key.
debug1: Trying private key: /home/damon/.ssh/id_dsa
debug3: no such identity: /home/damon/.ssh/id_dsa
debug1: Trying private key: /home/damon/.ssh/id_ecdsa
debug3: no such identity: /home/damon/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Eu executei isso em uma recém-instalada Linux Mint 15 x64 VM e em várias outras instalações do Linux Mint, todos não conseguem se conectar.
Aqui está um exemplo de uma chave privada criptografada pkcs8 (gerada apenas para compartilhar, não se preocupe):
damon@DamonVirtual ~/.ssh $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/damon/.ssh/id_rsa): id_rsa_test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_test.
Your public key has been saved in id_rsa_test.pub.
The key fingerprint is:
f6:58:aa:43:c4:08:51:54:34:e5:5a:76:ae:ed:bd:30 damon@DamonVirtual
The key's randomart image is:
+--[ RSA 2048]----+
| .+oo+.. |
| . o |
| . o + . |
| . o+ o |
| .. S o |
| .. B |
| . + E |
| .. . + |
damon@DamonVirtual ~/.ssh $ openssl pkcs8 -topk8 -in id_rsa_test -out id_rsa_test_enc -v2 des3
Enter Encryption Password:
Verifying - Enter Encryption Password:
damon@DamonVirtual ~/.ssh $ chmod id_rsa_test_enc 600
chmod: Ungültiger Modus: »id_rsa_test_enc“
„chmod --help“ liefert weitere Informationen.
damon@DamonVirtual ~/.ssh $ chmod 600 id_rsa_test_enc
damon@DamonVirtual ~/.ssh $ cat id_rsa_test_enc
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIsRD8OicdxA0CAggA
MBQGCCqGSIb3DQMHBAhpBxvnSmEyaQSCBMj1vvjrx3KiEa++l1xtDDimOPXDqrh6
AAQBZGBBgDNX7OqmqDK6gvbliZUsYEBdbxA8g53tQe168tmXw6RbpDUqwRT0N8MU
an5pBJkOd1nT9TGFivhvBVRLeoCko9jmrcia38/Cc4D088rirYbTOdi47qB88zin
WVxNVCXTAB2IXAvgSVuYlbzRku++OCZAY4YI+4Q8diY1pnY5rMVNc1eTknMp2Gyc
s+37nVpc2Xz3kI1T/2yiJEkOucyyNxbvKfDdmkhxYnflghjQAIFZXhALgGwTAeD+
SkuCpHCyQ6Rw+X/lSvsyj9RNpioF51iTMazy1NbDSyv8FaB+cF8QLC9wz9hHZ3yV
xiNVy38yVwMDr4OudXB+qjc8nDSjQdK5Ade8OWQZS7KXiT0K0wdGYn6NSGuoJTU3
UI9m+Glwv5JI5WE9nUm2GyZzUTujhH7lzJKw/20/IhosrS78/TVWUJ5MW5jNrDz+
raKG9jTLjEirhQFvCowh2oYJUxq0Fmh5d2Iskq19rVdL8iDMyZMJxfsiKTxd6TcK
uGtFkX+IS80Is6r2ZnDsQwlMiKw1pZ223JAQvLHX6baBvoDGr7vSeb4m91G4DYOK
gzdAICHuX0bIXbPhNxfkpstakdvrR2Fz1QNpInTO8K4fQ9dqnCyeiferbzpEkhVD
BVVNRcBVynGPWs6SwBTkRW7D5tWNdFA/ngVkqDDnYaw+/xiaKPF3T/gtOzjEvkgA
CYxBrO+Y1Y6eVA4wD+U9f/6mfA55xf95P+BQ31GT8NoGv0F+3fuY/NGdTkWP0bg7
yhihlRshdt7it+AycDj+cKATjqOcFJpP5nDu0wSciSWAaHAakZl1aK6+qaCUnzGy
9nYZUrTyYk2dLSBP7XI5aVvmk4tzT5Rq9XxV/6Gi48lfe+uqGi2Q46IMxLqxaC1Q
pwNEMlDAiK3zMrxvhQ6YXbTROFEgjeZArzoYwDkbwv9ra8nOslmkXcAz2pYQQQJc
Jv49rtL4kS+L44/koekIk22GMajbSpTdskkieKewQVYhrPbgaBXZfyYvobshCGI9
3qwNEg3ZWhkvAtypMcXX3oflVm54NYXnQ8INk8MPqABrTZtM4VGrKunNa0rCOo8e
ULxgAcsBcZMbe6iI1lB3v+fP7hq8ceQW7oi0/8LS3inz2f3iz7SDKF0c1B1obr0l
u9dJcv6ijXU9Vvv0kejo/C1jx7vsl9q7lp0GLDer003htYNOqrc9GHc7laCh7JlB
R9Lf9IlZjEFTGD6UOJw+2L14j3QTKyLoXwQS+hTXVI7GBBaJq1SuPcCxieSjK5d4
HlkrkO7/iMKEDCwPv8Wp6ZPUowywrP5j4IH51Nk9vuN+DhmCONMjHlJLZLgCJWtm
cfpSlwRI9E86zQlZR2vrlKeHChXtm1kOGp3mkpvRwmu4gZLAQZhNo8TRCNWfQZuj
YhoYdewQJnoemHGk0bKoDA6IqQZMhlfKP2KcnmDWwLQn/rb1VudbbnHSNMF1vCt0
X/lXverUxO8PlNnmhY/D6omah53laGloGHZo/7NHnaa468rNEZyIPYw14XbZaI5A
RlNo9uT2IhJOtSKWqiBioD4YZtjciSkvmUYfC8x4cVqVWd69VuzfxaKpEjp3OzlG
bQw=
-----END ENCRYPTED PRIVATE KEY-----
damon@DamonVirtual ~/.ssh $ cat id_rsa_test.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNms5/HhVr903+uIFM1BTQwOz8lYWyKQsnttkyvxtrfdnJe3EEwBjKjXlipTMYgLl2gi5Lt63f3esHYT0IBwN4DPz9BdYkb3vqsPSdouV2N45/S7w6dwwx2BJ/yP35r2G91ckOiHQSioDWFDbWQMYNrHrbAAtk6QbZthwMyKFK59iGCRltAxyq2/EPU6dkoyq8AWDZao+i65AQjIfDQ5vqHhPPZo80j5q8XNWP6E8oVx+hwUiYZ/hEHLR5KWMZyG0MVzDZICs9qMruIDA9YASl9DTNc72+5L5b1Ct5rTYGeq+5bMue9w7GVCFu/6ahPUwyNI17SW8Fsu6hF/HxbgnR damon@DamonVirtual
A passagem de criptografia para este é 123456789. Alguém consegue identificar erros que cometi ao gerar e criptografar a chave?
(Mais uma vez, essa não é minha chave privada pessoal, acabei de gerar essa para fins de teste, isso não está em nenhum dos meus arquivos authorized_keys, a saída de depuração veio do uso com outra chave gerada da mesma maneira)
Sou eu falhando ou ssh-agent? Eu não recebo um prompt de senha, então o ssh-agent parece não reconhecer que a chave está criptografada ... Mas eu posso adicioná-lo ao agente usando ssh-add id_rsa
, lá eu sou solicitado a senha, lá está funciona ...
editar
Acho que descobri o que acontece:
O ssh-agent tenta adicionar automaticamente chaves ssh a ele. Ao fazê-lo, terrivelmente falha. Essa falha é indicada por identidades não removíveis. Tente ssh-add -D && ssh-add -l
. Se isso retornar qualquer identidade remanescente, o ssh-agent fez algo errado: Eu assumo que o agente ssh desabilita a descriptografia ao adicionar chaves automaticamente.
Minha solução para evitar isso:
- Mover todas as chaves privadas para fora de
~/.ssh
- reboot
- Gere ssh-keypair, não armazene em
~/.ssh
!
- Criptografar chave privada usando openssl, "como de costume"
- Mover chave privada criptografada para
~/.ssh
-
ssh-add /path/to/file
da sua chave privada
Agora, você deve digitar a senha de criptografia.
IMPORTANTE :
- Não use nomes de arquivos de chaves que já estavam no agente ssh. isto
parece tentar adicionar automaticamente nomes de arquivos conhecidos novamente, causando
esta falha horrível.
- Não use chaves privadas com impressões digitais conhecidas. O ssh-agent de alguma forma também adicionou automaticamente esses ...
- Verifique se NÃO há chaves privadas em
~/.ssh
antes de executar estas etapas
- Certifique-se de que não há absolutamente nenhuma chave privada em cache pelo ssh-agent
Se houver alguma tecla no ~ / .ssh ou no ssh-agent, ela falhará. Uma vez que a chave tenha sido adicionada corretamente com ssh-add, sendo solicitada sua senha de encriptação, não tendo outras chaves em ~ / .ssh ou no ssh-agent, parece ótimo adicionar outras chaves.
Às vezes eu apenas odeio o linux, para alguns pacotes especiais (às vezes legados) fazendo esse tipo de coisa: (