Previously, this program generated private SSH key blobs that worked with net-ssh but not with openssh/libcrypto. You can reproduce pre-patch like so:

```ruby
load 'lib/ssh_key.rb'
File.write('/tmp/test.key', SshKey.generate.private_key, perm: 0600)
system('ssh-add /tmp/test.key')
```

It'll write:

```
Error loading key "/tmp/test.key": error in libcrypto
```

And after the patch, it writes:

```
Identity added: /tmp/test.key (/tmp/test.key)
```

There were three deviations where net-ssh has more relaxed requirements than openssh/libcrypto, all of which needed to be addressed to load the generated key text with `ssh`:

1. The comment field in private keys is required.
2. Padding bytes must be set to values one through eight *in binary.*
3. The public key data must be encapsulated in another SSH bitstring, including the public key type before the payload.

Regarding the third point, the system maintains three representations of each public key: one in the `public_key` column in ASCII, and two within the openssh private key blob. The two copies in the private key blob are mandated by the openssh format. The separate ASCII column enables SQL-based auditing of non-sensitive public key copies without requiring application-level decryption, making it easier to track which keys are intended to be active at any time, by digesting them and matching them with the same digests reported by OpenSSH in logs.
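As an added illustration (not code from this commit or from the project), here is a minimal Ruby encoder for the unencrypted openssh-key-v1 blob of an ed25519 key that makes the three requirements above concrete: the mandatory comment, the binary 1..8 padding up to the block size, and the public key nested as its own SSH string with its type first. The module name, the `read_strings` helper and the key bytes are assumptions; the key material is a constructed placeholder, so the output is structurally valid but not a usable key.

```ruby
require 'base64'
require 'securerandom'
# Added example: encoder for an unencrypted openssh-key-v1 ed25519 blob.
module OpensshKeyV1
  MAGIC = "openssh-key-v1\0".b
  BLOCK = 8 # padding block size used with the "none" cipher
  # SSH "string": 4-byte big-endian length followed by the raw bytes.
  def self.ssh_string(bytes)
    [bytes.bytesize].pack('N') + bytes.b
  end
  # pub: 32-byte public key; priv: 64-byte secret (seed || pub); comment: required.
  # check: the 4-byte check value openssh writes twice (random unless supplied).
  def self.private_blob(pub:, priv:, comment:, check: SecureRandom.random_bytes(4))
    raise ArgumentError, 'openssh requires a non-empty comment' if comment.to_s.empty?
    # Deviation 3: the public key is its own SSH string carrying the type first.
    pubkey_blob = ssh_string('ssh-ed25519') + ssh_string(pub)
    section = check.b * 2 +
              ssh_string('ssh-ed25519') + ssh_string(pub) + ssh_string(priv) +
              ssh_string(comment)
    # Deviation 2: pad to the block size with the binary bytes 1, 2, 3, ...
    pad = (BLOCK - section.bytesize % BLOCK) % BLOCK
    section += (1..pad).to_a.pack('C*')
    MAGIC + ssh_string('none') + ssh_string('none') + ssh_string('') +
      [1].pack('N') + ssh_string(pubkey_blob) + ssh_string(section)
  end
  # Reads `count` consecutive SSH strings; returns [payloads, remaining bytes].
  def self.read_strings(bytes, count)
    out = []
    count.times do
      len = bytes.unpack1('N')
      out << bytes.byteslice(4, len)
      bytes = bytes.byteslice(4 + len, bytes.bytesize)
    end
    [out, bytes]
  end
  # PEM armour as written by ssh-keygen (70-column base64).
  def self.pem(blob)
    "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
      Base64.strict_encode64(blob).scan(/.{1,70}/).join("\n") +
      "\n-----END OPENSSH PRIVATE KEY-----\n"
  end
end
if __FILE__ == $PROGRAM_NAME
  # Constructed placeholder key bytes: structurally valid, not a usable key.
  pub = "\x02".b * 32
  puts OpensshKeyV1.pem(OpensshKeyV1.private_blob(pub: pub, priv: "\x01".b * 32 + pub, comment: 'example'))
end
```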