Convert Ed25519 to RSA fingerprint (or how to find SSH fingerprint) - ssh

BizTalk sees thumbprint for an internal SFTP test as
ssh-rsa 2048 33:88:f0:ff:63:78:a9:2b:3f:09:cb:05:81:db:59:86
WinSCP shows: ssh-ed25519 256 ff:2e:5e:33:7a:15:de:69:18:cf:82:ae:f0:4e:7b:d2
(when I click "Session", then "Server/Protocol Information")
Is it possible to convert one to the other?
Is it possible to get the ssh-rsa thumbprint from WinSCP, PuTTY or some other tool?

WinSCP uses Ed25519 host key. It's a different key, than the RSA host key used by BizTalk. You cannot convert one to another.
WinSCP defaults to Ed25519 hostkey as that's preferred over RSA. You can only make WinSCP use RSA using raw session settings HostKey.
Alternativelly, if you can connect with SSH terminal (e.g. PuTTY) to the server, use ssh-keygen to display a fingerprint of the RSA host key:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
(this assumes common *nix server with OpenSSH)
Note that this makes sense only, if you had verified the host key, that the SSH terminal uses, upfront.
See WinSCP FAQ on Where do I get SSH host key fingerprint to authorize the server?, which covers all this.

ssh-rsa 2048 33:88:f0:ff:63:78:a9:2b:3f:09:cb:05:81:db:59:86
and
ssh-ed25519 256 ff:2e:5e:33:7a:15:de:69:18:cf:82:ae:f0:4e:7b:d2
Are same fingerprint types, but different key types (one is RSA and the other ED25519 -- elliptic curve). There is no way one to the other, because they are fingerprints of different keys.

Related

How can I obtain the known_hosts formatted public key value for ec2 instance ssh-key?

AWS outputs this key line 2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA) to the system log. How can I replicate this format for the ssh-rsa key from the command line? I was scraping the logs until I realized that you can't rely on ec2's console-log fetching command because it's buffered and only stores a small amount of the output.
To clarify the ssh-key file in question is a PEM style file with the beginning and ending tags for a base64 encoded ----RSA PRIVATE KEY----
If it's helpful to know the ssh-rsa line value for the public key is base64 encoded.
I've tried...
sudo ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key
2048 MD5:10:b6:fd:21:fb:f4:ca:6b:ef:15:50:15:af:8b:5a:5d root#ip-****** (RSA)
and
sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA)
But neither produce output looking
-----BEGIN SSH HOST KEY KEYS-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7+hIGwj+cfT6tLdaVuUewnY/NwoQUdAaLw30auAHQS1B/HAEEJ+f+iLjC7JM2IV00Pgbt1trttRmaApghwkB75h0NXArxrfcHTKKV2FO0d8slO9HwDUMbLOEN+L5H0/T0Xtq9u1vnOz2LyMb5KeIywa0HXZ6bGqt1rYCV3Qi369+FUrtTFw8jo8Y21LmqHVltd/d7Kv40Hb3jzqAOCh3jtZ3bilenMA9pAtXM+XJP54oS6z0NutDJLU2n1DVg2q+5wwjJJqljgYg98t5Xj8VmGlWrtam6FMcaSJ77UwMyxLsSe/Ow7DYGAMrd6PLY5RA1stj4W0WYeB8IOSgyGWPf root#ip-******
-----END SSH HOST KEY KEYS-----
I had an ah-ha moment.
You can just use ssh-keyscan -t rsa localhost to generate the known_hosts key entry for the rsa public key of the server. Since I'm logging into the ec2 instance now instead of trying to scrape the logs I can just trust the results.

How to gpg encrypt with ssh public key?

I have a public key in a file called key.pub, and the contents look like:
ssh-rsa AAAAB...<snip>...t+f klahnakoski
I would like to to use it to encrypt a file with gpg. What is the sequence of shell commands required?
I imagine the sequence looks something like:
convert key to gpg-friendly format
invent some credentials to sign key with
invent a user to facilitate adding key to keyring
perform the encryption
Thank you!
RSA keys can only be used to encrypt a proportion of their key length. e.g. a 2048 bit RSA key can only be used to encrypt about 245 bytes.
See:
https://security.stackexchange.com/questions/33434/rsa-maximum-bytes-to-encrypt-comparison-to-aes-in-terms-of-security
So to encrypt / decrypt large amounts of data (files) you would use a symmetric key which was encrypted using a public key, not the public key itself.
Also, you wouldn't add a symmetric key to a public SSH key, because the the symmetric key is a secret, and the public SSH key isn't a secret. The symmetric key should be added to the private SSH key.
It goes something like the following:
To convert the file format, install the monkeysphere tool set (Ubuntu)
sudo apt-get install monkeysphere
Use the pem2openpgp tool to convert the private key to gpg format. Pipe to gpg for import.
pem2openpgp userid-ssh#example.com < id_rsa | gpg --import
# Check it's there
gpg --list-secret-keys
Edit the trust level you have in the key.
gpg --edit-key userid-ssh#example.com
gpg> trust
Add the trust level you need (ultimate for example)
The key imported is only suitable for creating certificates, not for signing or encryption.
Encryption
The key is an RSA key and can't be used to encrypt / decrypt large amounts of data. If you want to do that you have to add a symmetric encryption subkey. When you encrypt, GPG will use this subkey rather than the original SSH key.
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
Now you can encrypt and decrypt using the identity based on the SSH key.
gpg -vv -r userid-ssh#example.com -e -a unencrypted_file.txt
So how useful is this?
Well, it makes more sense to use GPG to generate and manage your SSH keys as authentication subkeys rather than trying to do it the other way round. In fact it can be integrated into SSH instead of ssh-agent.
Probably ssh-vault could give you some ideas, it follows the same principle of PGP and using the public ssh keys to encrypt the password only.

In what format is the public key of a server stored in the known hosts?

When we ssh to a host, he is either known or not. In the latter case during our first try to connect we are prompted to
The authenticity of host '13x.8x.xx.1x1 (13x.8x.xx.1x1)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:26:86:80:5f:17:xx:xx:xx:xx:6d:6c.
Are you sure you want to continue connecting (yes/no)? yes
Then the server's RSA public Key is stored in the .ssh/know_hosts file. How is it encoded? And how can we ensure that this is not a man-in-the-middle?
Finally, this so-called 'host key' is assymetric. What does this mean?
How can we ensure this is not a man-in-the-middle?
The first time, you can check the RSA fingerprint. Someone needs to previously communicate it to you, or you need to somehow receive it securely (ie published via a https site, or received via a signed email). Many hosting providers, for example, send you your hosts SSH fingerprint.
On Ubuntu, you can find your own RSA fingerprint using:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Note that there are other in-use fingerprint formats (dsa and ecdsa), depending on the server and client config. In your known_hosts file you can see the format in which each fingerprint has been stored.
How is it encoded?
The known_hosts file is a list of hostnames (or often, hashes of hostnames), the type of the fingerprint, and the fingerprint itself (cryptographic information) in base64 encoding. The format details can be found in the OpenSSH man page, under the SSH_KNOWN_HOSTS FILE FORMAT section.
This so-called 'host key' is asymmetric. What does this mean?
These asymmetric mechanisms mean that while the fingerprint allows you to verify the identity of the server, you cannot use it to generate a valid identification (to impersonate) that server.
It must be noted that the fingerprint (and the corresponding private key) are used as secret for cryptographic operations: a random challenge is sent from the client to the server. The server, which has the private key, can sign that challengue and send it back, then the client can verify the signature is valid because the fingerprint is appropriate.
In other words, the cryptographic secret is two-fold, the private key can cipher or sign, and the public key can be used to decipher or verify a signature. One of the keys can be made public at no risk, and used to verify signatures and to cipher text that only the owner of the private key will be able to decode. This is roughly what asymmetric means in cryptography.

Unable to connect with plink with public/private key's

I am able to connect with Putty with my public/private key without being prompted for the passphrase (or password). I have pageant running in the background.
However, trying to connect with plink won't work (form the same windows machine) :(... It is telling me that the key is refused by the server :(.. See the output below.
Any idea why?
C:\Windows\System32>plink -v -agent -i C:\Users\ed\.ssh\id_rsa.pkk ed#bla.nl
Looking up host "bla.nl"
Connecting to 82.94.165.254 port 22
Server version: SSH-2.0-OpenSSH_4.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 2048 83:15:11:84:8f:d8:f9:3a:16:b0:e4:8d:ef:4c:18:c4
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Reading private key file "C:\Users\ed\.ssh\id_rsa.pkk"
Unable to use this key file (unable to open file)
Unable to use key file "C:\Users\ed\.ssh\id_rsa.pkk" (unable to open file)
Pageant is running. Requesting keys.
Pageant has 1 SSH-2 keys
Using username "ed".
Trying Pageant key #0
Server refused our key
Using SSPI from SECUR32.DLL
Attempting GSSAPI authentication
GSSAPI authentication request refused
ed#bla.nl's password:
The first error message says it's not finding the key file you're trying to pass it. Might the problem be that the name ends in .ppk, not .pkk?

DSA vs RSA: how can you tell

Does anyone have a tool to use in order to differentiate an RSA public key vs a DSA public key? I have two SSH .pub files and i need to know if they're RSA or DSA.
As noted in the other answer, since the file is in SSH.COM format, you can convert to openssh format and just open the file to check for ssh-dsa or ssh-rsa:
To convert your SSH.COM key to OpenSSH format use:
ssh-keygen -i -f ssh_key.pub
From the ssh-keygen manpage
-i This option will read an unencrypted private (or public) key
file in SSH2-compatible format and print an OpenSSH
compatible private (or public) key to stdout. ssh-keygen
also reads the `SECSH Public Key File Format'. This option
allows importing keys from several commercial SSH
implementations.
-f Specifies the filename of the key file.
Source: http://landru.uwaterloo.ca/cgi-bin/wiki.pl?OpenSSH_-_SSH.Com_Interoperability
You can use ssh-keygen to get a fingerprint and type out of a .pub file:
ssh-keygen -lf id_rsa.pub