Whilst reviewing access requirements at a number of sites, we've found the need to make several different implementations of SSH clients and servers interoperate successfully.
This document outlines how to convert keys between OpenSSH, SSH.com (F-Secure), Sun SSH, and PuTTY implementations, using a DSA key for our examples, and also illustrates basic server-side setup for key-based authentication.
1) Convert key to correct format:
OpenSSH/Sun SSH - Use ssh-keygen to export from native format to SECSH format:
ssh-keygen -e -f ~user/.ssh/id_dsa.pub > id_dsa_secsh.pub (OpenSSH)
ssh-keygen -x -f ~user/.ssh/id_dsa > id_dsa_secsh.pub (Sun SSH)
*Note that Sun requires the private key as an input, whereas OpenSSH can convert directly from a public key to SECSH format.
(PuTTY and SSH.com clients use the SECSH format natively, so no conversion is required.)
2) Paste the SECSH file into a file of the same name on the server, located in the .ssh2 directory of the user in question, or copy it with scp using password authentication:
scp id_dsa_secsh.pub user@target:/home/user/.ssh2/id_dsa_secsh.pub
3) Create or amend the file ~user/.ssh2/authorization on the server to include information on the new key:
echo "key id_dsa_secsh.pub" >> ~user/.ssh2/authorization
4) DSA authentication should now be possible.
1) Convert key to correct format:
PuTTY - Use the puttygen.exe tool to import the SECSH-formatted file, and copy the OpenSSH-compatible data from the Key window.
SSH.com - Use either Sun's or OpenSSH's ssh-keygen to convert from SECSH format:
ssh-keygen -i -f id_dsa_secsh.pub > id_dsa.pub (OpenSSH)
ssh-keygen -X -f id_dsa_secsh.pub > id_dsa.pub (Sun SSH)
2) Paste the DSA key into ~user/.ssh/authorized_keys on the server.
3) DSA authentication should now be possible.
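The two conversions above (ssh-keygen -e and ssh-keygen -i) only re-wrap the same base64 key blob, as this added Python example shows; it is not part of the original document or of any SSH implementation. The function names and the sample key are constructed for illustration, and the export assumes a comment short enough to fit on one header line.

```python
import base64

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def blob_key_type(blob: bytes) -> str:
    """Return the length-prefixed algorithm name that starts every key blob."""
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def openssh_to_secsh(line: str) -> str:
    """'<type> <base64> [comment]' -> SECSH block (the ssh-keygen -e direction)."""
    ktype, b64, *rest = line.strip().split(None, 2)  # ValueError if fields missing
    if blob_key_type(base64.b64decode(b64, validate=True)) != ktype:
        raise ValueError("declared key type does not match the blob")
    out = [BEGIN] + ['Comment: "%s"' % c for c in rest]  # short comment assumed
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]  # keep lines <= 72 bytes
    return "\n".join(out + [END]) + "\n"

def secsh_to_openssh(text: str) -> str:
    """SECSH block -> one authorized_keys line (the ssh-keygen -i direction)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH begin/end markers")
    comment, b64, body = "", "", iter(lines[1:-1])
    for ln in body:
        if ":" not in ln:          # base64 never contains ':', headers always do
            b64 += ln
            continue
        while ln.endswith("\\"):   # header continued on the next line
            ln = ln[:-1] + next(body, "")
        tag, _, value = ln.partition(":")
        if tag.lower() == "comment":
            comment = value.strip().strip('"')
    ktype = blob_key_type(base64.b64decode(b64, validate=True))
    return " ".join(x for x in (ktype, b64, comment) if x)

def _field(raw: bytes) -> bytes:
    return len(raw).to_bytes(4, "big") + raw

# Constructed sample: blob shaped like a DSA public key (name, p, q, g, y) filled
# with arbitrary numbers. It exercises the format only and is not a usable key.
SAMPLE_BLOB = _field(b"ssh-dss") + b"".join(
    _field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    for n in ((1 << 1023) + 1, (1 << 159) + 1, 4, (1 << 1000) + 7))
SAMPLE_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"
```

Rejecting a line whose declared type differs from the type inside the blob catches a key mangled by copy and paste before it is added to authorized_keys.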
Assuming server configuration is correct, keys may be easily converted and used in an interoperable manner.
John Cartwright <johnc@grok.org.uk>