ssh-keygen from Ed25519 OpenSSL pem private key - ssh

I would like to generate a public SSH key from an OpenSSL generated Ed25519 private key.
I tried:
ssh-keygen -t ed25519 -f ed25519_key -y > ed25519_ssh.pub
And got the error:
Load key "ed25519_key": invalid format

SSH and SSL are two things.
SSH means "Secure Shell" and is used for remotely connecting to another machine to issue commands, most likely via a CLI (Command Line Interface).
SSL means "Secure Sockets Layer", an older version of actual TLS, used to secure data transmission on a network.
To create SSL keys you can use openssl:
openssl genpkey -algorithm ed25519 -outform PEM -out ed25519_ssl.prv
openssl pkey -in ed25519_ssl.prv -pubout -out ed25519_ssl.pub
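An added example (not part of the original answer): the public key file written by the `openssl pkey ... -pubout` command above holds the same 32-byte Ed25519 key that an OpenSSH `.pub` line carries, only in a different wrapper. The Python sketch below re-wraps it. The function names and the sample key (the RFC 8032 test-vector public key, wrapped here as a constructed PEM) are illustrative assumptions.

```python
import base64
import struct

# Fixed DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING with 0 unused bits }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def _ssh_string(value: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(value)) + value


def spki_pem_to_openssh(pem: str, comment: str = "") -> str:
    """Convert an OpenSSL 'BEGIN PUBLIC KEY' Ed25519 PEM to an OpenSSH line."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a 'BEGIN PUBLIC KEY' (SPKI) PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    # An Ed25519 SPKI is always 12 header bytes + 32 key bytes.
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    raw_key = der[len(ED25519_SPKI_PREFIX):]
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


# Constructed sample: RFC 8032 test vector 1 public key wrapped as SPKI PEM.
SAMPLE_RAW = bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(ED25519_SPKI_PREFIX + SAMPLE_RAW).decode("ascii")
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    print(spki_pem_to_openssh(SAMPLE_PEM, "constructed-sample"))
```

Only public material is handled here; the private key file never needs to be read for this conversion.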

Related

PAM module that uses SSH

Is there a PAM module that can authenticate a user with an SSH challenge-response?
I'm trying to write a PAM aware application that essentially has the same authentication process as an SSH connection. I have been unable to find a PAM module that already does this (the pam_ssh module is still password-based), so I have been attempting to write my own.
However, I cannot find an API that will allow me to access SSH in this way. Even with a PAM module for sshd, there doesn't seem to be a clean way of verifying an SSH public key.
To be more explicit, if I am given an SSH public key for a given user on a machine (consider localhost for simplicity), I want to send a challenge to that user on that machine to test if they own that SSH key. Does anyone know a way of doing this?
Thank you!
You could encrypt some random data using the public key, send it to the user, and assert that they are able to decrypt it with the private key. If you're using RSA keys, you can perform the encryption/decryption with OpenSSL. For example,
# server
$ ssh-keygen -e -m PKCS8 -f ~/.ssh/id_rsa.pub >pub.pem
$ openssl rsautl -pubin -inkey pub.pem -encrypt -pkcs -in random -out encrypted
# client
$ openssl rsautl -inkey ~/.ssh/id_rsa -decrypt -in encrypted -out random
and verify that the client is able to reply with the correct contents of random.
These commands are inspired by jass, which you could use instead of ssh-keygen+openssl.
Unfortunately, this doesn't work with Ed25519 keys; OpenSSH has its own custom format and doesn't have a way to convert them.

HTTPS inspection on my server

I have been trying to inspect all the traffic going through my machine. I have a server directly connected to the Internet, and I would like to log all the YouTube requests made on the Internet, with the URL.
As YouTube is based on SSL, I need to inspect the HTTPS traffic. I have read somewhere that I need to create a MITM attack on my own server in order to view the HTTPS requests. I followed the following steps in order to create a certificate I own.
1 - Generate a 2048 bit RSA Key: openssl genrsa -des3 -out private.pem 2048
2 - Export the RSA Public Key to a File: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
3 - Check The public key File (Certificate) Now: less public.pem
4 - Export the RSA Public Key to a File: openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM -pubout
5 - Check The Private File Now: less private.pem
6 - Copied certificate into certificate directory
7 - Configure certificate by using following command: sudo dpkg-reconfigure ca-certificates
In the end I executed all the possible ways available:
mitmproxy -T
The above command opens a console application, and I accessed all the HTTPS sites, but there was no effect in this window.
And
sudo ssldump -Ad -k cert.pem -p password -i wlo1
This command just printed some handshake stuff in the console and after that terminated, but nothing is related to the URL.
And
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 1024
sudo sslstrip -l 1024
These commands keep on listening, but nothing comes out as a result in the sslstrip.log file.
I am using all these things with Ubuntu 15 and want to dump SSL requests in transparent mode, i.e. without setting up a proxy on the client's machine.

mod_nss with Apache public Certificate issue

I have replaced mod_ssl with mod_nss for FIPS cryptography and it works great with Apache, but now we have a wildcard certificate which I want to import into the NSS database, and I don't know how to import the certificate's private key.
I am using the following command:
certutil -A -d /etc/httpd/alias/ -n "GlobalSign" -t "CT,," -a -i wildcard_domain.crt
How do I import the private key? Or is there something I am missing?
[root#web01 ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
cacert                               CTu,Cu,Cu
Server-Cert                          u,u,u
GlobalSign-Intermediate              CT,,
GlobalSign                           CTu,u,u
alpha                                u,pu,u
Solution:
Convert the crt file to PEM format
Create a PEM file from the original certificate.
openssl x509 -inform PEM -in ./ssl.crt/example.com.GlobalSign-2010.crt > /root/example.com.GlobalSign-2010.pem
openssl x509 -inform PEM -in ./ssl.crt/intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem
Concatenate PEM certificate in single file, Root crt and Chain crt.
cat /root/example.com.GlobalSign-2010.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlogalSign-2010.pem
Export PEM cert and private key in PKCS12 format
openssl pkcs12 -export -in example.com-GlogalSign-2010.pem -inkey ./ssl.key/example.com.GlobalSign.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign
Import PKCS12 (.p12) certificate in NSS DB
pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias
You can verify your certificate using following command
certutil -L -d /etc/httpd/alias -n Example-GlobalSign
Notes: put Example-GlobalSign nickname in nss.conf config file and Voila!!

Certificate marked as not exportable

I am trying to make a development certificate chain for myself for some testing for WCF. I'm following the instructions on MSDN here: How to: Create Temporary Certificates for Use During Development
Unfortunately the instructions don't work. The private key is not exportable. I have even re-tried it with the "-pe" option to makecert.exe and it still doesn't work. I've tried it while running as an administrator and it doesn't work. In mmc itself when using "export" the first screen where it asks about private keys has the "yes/no" option greyed out, and a message below it that says: "The associated private key is marked as not exportable. Only the certificate can be exported."
Any advice? An updated procedure from MSDN maybe, or another one entirely? All I'm looking for is a cert to use with WCF for some basic testing. This is on Windows 8 Pro, though I doubt that matters.
See this SO answer. I used it for a WCF project a few months ago.
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature).
The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= allow batch command-line to wrap line)
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange).
It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
The issuing certificate is in a file (-ic), as is the key (-iv).
Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
You could always use openssl to create a self-signed certificate, you'd then just import the certificate into the windows certificate store. It's pretty easy to do from the command line:
openssl genrsa -des3 -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
The first line generates the private key and the second line the actual self-signed certificate. There's a Win32 installer available.
For me, it is still to be found why option -pe is not working.
The answer given in Make exportable private key with makecert and http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development may help you.
It suggests outputting the private key, then generating a PFX file using the certificate and private key, and then importing this PFX file.
Try the SSL Diagnostics tool.
You should be able to create your development certificate for IIS without headache:
http://www.softpedia.com/get/Internet/Servers/Server-Tools/SSL-Diagnostics.shtml
And yes, the tool lets you do some diagnostics too.

Couldn't able to connect to APNS Sandbox server

I am trying to connect to Apple APNS server with the following observations:
1) Port 2195 is open
2) With valid key passphrase for APNS_SSLCertificate_Key.pem
3) Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4) With the successful telnet response as below:
$ telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net.
Escape character is '^]'.
But when I run the following openssl command on my server to test the APNS connectivity:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting an error as follows:
unable to load certificate
57013:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
So please suggest how to resolve this problem
Thanks in advance ......
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates were effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that you are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
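An added example (not part of the original answer): the "no start line ... Expecting: TRUSTED CERTIFICATE" error in the question means OpenSSL found no PEM certificate block in the file, which is what happens when a DER `.cer` export is passed where a `.pem` is expected. The Python sketch below reports what a file actually contains before it is handed to `openssl s_client`. The function name and the sample byte strings are constructed for illustration.

```python
import re

# PEM labels OpenSSL accepts when it loads a certificate.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def inspect_credential_file(data: bytes) -> dict:
    """Report encoding and contents of a file meant for -cert or -CAfile."""
    blocks = [(m.group(1).decode("ascii"), m.group(2))
              for m in PEM_BLOCK.finditer(data)]
    labels = [label for label, _ in blocks]
    if blocks:
        encoding = "PEM"
    elif data[:1] == b"\x30":
        # Binary ASN.1 SEQUENCE: a DER export (the Keychain default .cer).
        encoding = "DER"
    else:
        encoding = "unknown"
    keys = [(label, body) for label, body in blocks
            if label.endswith("PRIVATE KEY")]
    return {
        "encoding": encoding,
        "labels": labels,
        "has_certificate": any(label in CERT_LABELS for label in labels),
        "has_private_key": bool(keys),
        # PKCS#8 uses its own label; traditional keys carry a Proc-Type header.
        "key_encrypted": any(
            label == "ENCRYPTED PRIVATE KEY"
            or b"Proc-Type: 4,ENCRYPTED" in body
            for label, body in keys),
    }


# Constructed samples (bodies are placeholders, not real key material).
DER_SAMPLE = b"\x30\x82\x04\x00" + bytes(16)
PEM_SAMPLE = (
    b"Bag Attributes\n    friendlyName: constructed\n"
    b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in (("der", DER_SAMPLE), ("pem", PEM_SAMPLE)):
        print(name, inspect_credential_file(sample))
```

A file that reports `encoding` as DER or `has_certificate` as false will reproduce the error from the question when used with `-cert`.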
SSL problems: Step wise fix.
Most of the problems are due to the private key issues, which can be resolved as follows.
Follow the following commands and create the .p12 using openssl.
You will need
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured, installed or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
Final p12 that you will require is iphone_dev.p12 file and the passphrase that you had set.
Try again, hope your problem is fixed, as it always does for me. :)