
Whilst reviewing access requirements at a number of sites, we've found the need to make several different implementations of SSH clients and servers interoperate successfully.

This document outlines how to convert keys between OpenSSH, (F-Secure), Sun SSH, and PuTTY implementations, using a DSA key for our examples, and also illustrates basic server-side setup for key-based authentication.

Connect to server

1) Convert key to correct format:

OpenSSH/Sun SSH - Use ssh-keygen to export from native format to SECSH format:

ssh-keygen -e -f ~user/.ssh/ > (OpenSSH)
ssh-keygen -x -f ~user/.ssh/id_dsa > (Sun SSH)

* Note that Sun requires the private key as an input, whereas OpenSSH can convert directly from a public key to SECSH format.

(PuTTY and clients use the SECSH format natively, so no conversion required)

2) Paste the SECSH file into a file of the same name on the server, located in the .ssh2 directory of the user in question, or copy it with scp using password authentication:

scp user@target:/home/user/.ssh2/

3) Create or amend the file ~user/.ssh2/authorization on the server to include information on the new key:

echo "key" >> ~user/.ssh2/authorization

4) DSA authentication should now be possible.

Connect to OpenSSH and Sun SSH servers

1) Convert key to correct format:

PuTTY - Use the puttygen.exe tool to import the SECSH-formatted file, and copy the OpenSSH-compatible data from the Key window.

- Use either Sun's or OpenSSH's ssh-keygen to convert from SECSH format:

ssh-keygen -i -f > (OpenSSH)
ssh-keygen -X -f > (Sun SSH)

2) Paste the DSA key into ~user/.ssh/authorized_keys on the server.

3) DSA authentication should now be possible.
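
The two public-key layouts that the ssh-keygen steps above convert between, shown as an added Python example (not part of the original document and not code from any SSH implementation), with the SECSH layout taken from RFC 4716. The function names and the sample key are constructed for illustration; the converter refuses a line whose key type prefix disagrees with the algorithm name inside the key blob, a check worth making before a pasted key goes into authorized_keys.

```python
import base64, struct
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_algorithm(blob):
    """Return the algorithm name stored as the first length-prefixed string of a key blob."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def openssh_to_secsh(line):
    """Convert one 'type base64 [comment]' line into a SECSH (RFC 4716) block."""
    parts = line.strip().split(None, 2)
    blob = base64.b64decode(parts[1], validate=True) if len(parts) > 1 else b""
    if blob_algorithm(blob) != parts[0]:
        raise ValueError("key type prefix does not match the key blob")
    out = [BEGIN]
    if len(parts) == 3:
        header = 'Comment: "%s"' % parts[2]
        while len(header) > 72:             # RFC 4716: at most 72 bytes per line,
            out.append(header[:71] + "\\")  # continued with a trailing backslash
            header = header[71:]
        out.append(header)
    b64 = base64.b64encode(blob).decode()
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(out + [END]) + "\n"

def secsh_to_openssh(text):
    """Convert a SECSH (RFC 4716) block into one authorized_keys-style line."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("missing SECSH begin/end markers")
    body, comment, i = [], "", 1
    while i < len(lines) - 1:
        line = lines[i]; i += 1
        if ":" in line:                     # header line; base64 never contains ':'
            while line.endswith("\\") and i < len(lines) - 1:
                line = line[:-1] + lines[i]; i += 1
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
    blob = base64.b64decode("".join(body), validate=True)
    fields = [blob_algorithm(blob), base64.b64encode(blob).decode(), comment]
    return " ".join(f for f in fields if f)

# Constructed sample: the name "ssh-dss" plus filler bytes, not a real DSA key.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-dss" + bytes(range(256))
SAMPLE_LINE = "ssh-dss %s user@example" % base64.b64encode(SAMPLE_BLOB).decode()
```

Comparing the output of ssh-keygen -l on the key before and after conversion is a quick way to confirm that a real key survived the round trip unchanged.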


Assuming server configuration is correct, keys may be easily converted and used in an interoperable manner.

John Cartwright <>