• Copying PuTTY-generated public key to CentOS (openssh-server) isn't

    From Jacob Nevins@21:1/5 to Chaim Kutnicki on Tue Jul 31 17:04:11 2018
    Chaim Kutnicki <chaimkut@gmail.com> writes:
    > The CentOS machine would *not* permit logins with the public key's
    > matching private key. I suspect it is because of PuTTY's public key
    > format:
    >
    > ---- BEGIN SSH2 PUBLIC KEY ----
    > [...]
    >
    > When I changed the key in the authorized_keys file to the more standard format
    > ssh-rsa AAAA[...]==
    >
    > then private key login succeeded.
    >
    > Is this an issue? Should openssh be accepting PuTTY's key format? Or is
    > PuTTY's key format sufficiently obscure that PuTTY should change...
    > should I open a bug?

    OpenSSH does not accept the standardised (RFC4716) public key format
    (that starts "---- BEGIN SSH2 PUBLIC KEY ----").

    Did you use the PuTTYgen Windows GUI tool to generate your keypair?

    That tool has a control labelled "Public key for pasting into OpenSSH authorized_keys file", which contains the one-line format you needed.
    I'm not sure how it could be clearer.

    <https://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter8.html#puttygen-pastekey>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chaim Kutnicki@21:1/5 to Jacob Nevins on Tue Jul 31 11:05:09 2018
    Thank you for the clarification. I simply performed "Save public key" and tried to use the key in that file (RFC4716 format) with ssh-copy-id. Perhaps in order to ease the use of the ssh-copy-id program, there could be a toggle option for "Save public key": "Putty format", "OpenSSH format". A user could then save directly to OpenSSH format and then be able to directly use the ssh-copy-id program.

  • From chaimkut@gmail.com@21:1/5 to Chaim on Wed Aug 1 01:08:01 2018
    Not surprisingly, my suggestion for the authorized_keys file to accept RFC4716 format was summarily rejected by the OpenSSH team: https://bugzilla.mindrot.org/show_bug.cgi?id=2891

    C'est la vie.

  • From Simon Tatham@21:1/5 to chaimkut@gmail.com on Thu Aug 2 09:22:57 2018
    Chaim Kutnicki <chaimkut@gmail.com> wrote:
    > Thank you for the clarification. I simply performed "Save public key"
    > and tried to use the key in that file (RFC4716 format) with ssh-copy-id.

    I can certainly understand why the OpenSSH maintainers wouldn't want
    to support RFC4716 format in their actual authorized_keys file format.
    Even if long-term stability of the format were not an issue (which
    surely it is), it's also not at all clear how a multi-line public key
    format would interact with the rest of the authorized_keys syntax
    (e.g. force-command and other modifiers) involving prefixes on the
    line containing the key.

    But I wonder if having RFC4716 support in ssh-copy-id might be a more
    feasible feature request? There's certainly no reason ssh-copy-id
    couldn't recognise a file in that format and convert the public key to
    the OpenSSH one-line format before writing it into the remote
    authorized_keys file.

    A patch to Windows PuTTYgen to add an option to save to a file in
    OpenSSH format wouldn't be hard either; I'd accept one if someone felt motivated to write it.

  • From William Pechter@21:1/5 to anakin@pobox.com on Thu Aug 2 12:27:27 2018
    In article <jDC*y-k2w@news.chiark.greenend.org.uk>,
    Simon Tatham <anakin@pobox.com> wrote:
    > Chaim Kutnicki <chaimkut@gmail.com> wrote:
    >> Thank you for the clarification. I simply performed "Save public key"
    >> and tried to use the key in that file (RFC4716 format) with ssh-copy-id.
    >
    > I can certainly understand why the OpenSSH maintainers wouldn't want
    > to support RFC4716 format in their actual authorized_keys file format.
    > Even if long-term stability of the format were not an issue (which
    > surely it is), it's also not at all clear how a multi-line public key
    > format would interact with the rest of the authorized_keys syntax
    > (e.g. force-command and other modifiers) involving prefixes on the
    > line containing the key.
    >
    > But I wonder if having RFC4716 support in ssh-copy-id might be a more
    > feasible feature request? There's certainly no reason ssh-copy-id
    > couldn't recognise a file in that format and convert the public key to
    > the OpenSSH one-line format before writing it into the remote
    > authorized_keys file.
    >
    > A patch to Windows PuTTYgen to add an option to save to a file in
    > OpenSSH format wouldn't be hard either; I'd accept one if someone felt
    > motivated to write it.

    Puttygen can save in open-ssh and ssh.com formats. I use it all the time
    to convert keys. On Windows take a look at the "Conversions" tab -- or if
    on a Unix box use puttygen at the command line. Putty source is downloadable and builds on Linux and FreeBSD so it should be portable and scriptable.

    $ puttygen

    Usage: puttygen ( keyfile | -t type [ -b bits ] )
    [ -C comment ] [ -P ] [ -q ]
    [ -o output-keyfile ] [ -O type | -l | -L | -p ]
    Use "puttygen --help" for more detail.


    Bill
