DSA vs RSA: how can you tell - ssh

Does anyone have a tool to use in order to differentiate an RSA public key vs a DSA public key? I have two SSH .pub files and I need to know if they're RSA or DSA.

As noted in the other answer, since the file is in SSH.COM format, you can convert to openssh format and just open the file to check for ssh-dsa or ssh-rsa:
To convert your SSH.COM key to OpenSSH format use:
ssh-keygen -i -f ssh_key.pub
From the ssh-keygen manpage
-i This option will read an unencrypted private (or public) key
file in SSH2-compatible format and print an OpenSSH
compatible private (or public) key to stdout. ssh-keygen
also reads the `SECSH Public Key File Format'. This option
allows importing keys from several commercial SSH
implementations.
-f Specifies the filename of the key file.
Source: http://landru.uwaterloo.ca/cgi-bin/wiki.pl?OpenSSH_-_SSH.Com_Interoperability

You can use ssh-keygen to get a fingerprint and type out of a .pub file:
ssh-keygen -lf id_rsa.pub
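Added example (not part of the original answers): a Python parser that reads either an OpenSSH one-line public key or an SSH.COM / RFC 4716 block and reports the type label stored inside the key blob, the key size, and the SHA256 fingerprint in the form ssh-keygen -lf prints. OpenSSH labels DSA keys ssh-dss; sample_key builds constructed, non-functional input and is an assumption of this example.

```python
import base64, hashlib, struct

def read_string(buf, off):
    """RFC 4251 string: uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_blob(text):
    """Raw key blob from an OpenSSH one-line key or an SSH.COM (RFC 4716) block."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return base64.b64decode(lines[0].split()[1])   # "<type> <base64> [comment]"
    body, continued = [], False
    for l in lines[1:]:
        if l.startswith("---- END"):
            break
        header = continued or ":" in l        # e.g. 'Comment: "..."'; base64 has no ':'
        continued = header and l.endswith("\\")   # header value continues on next line
        if not header:
            body.append(l)
    return base64.b64decode("".join(body))

def describe_pubkey(text):
    """Return (key type, size in bits or None, SHA256 fingerprint)."""
    blob = key_blob(text)
    ktype, off = read_string(blob, 0)
    ktype, bits = ktype.decode("ascii"), None
    if ktype == "ssh-rsa":                    # blob fields: type, e, n
        _, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-dss":                  # blob fields: type, p, q, g, y
        p, _ = read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, "SHA256:" + fp

def sample_key(ktype=b"ssh-rsa"):
    """Constructed demo input (not a usable key): type label plus 2048-bit integers."""
    s = lambda b: struct.pack(">I", len(b)) + b
    big = b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")  # leading 0 keeps the mpint positive
    fields = [s(b"\x01\x00\x01"), s(big)] if ktype == b"ssh-rsa" else [s(big)] * 4
    blob = s(ktype) + b"".join(fields)
    return blob, ktype.decode() + " " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    print(describe_pubkey(sample_key()[1]))
```

The type is read from the blob itself, so a mislabelled first field or an edited comment does not change the answer.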

Related

ssh-keygen is not generating OPENSSH key, not RSA key

I generated a new keypair but it is generating OPENSSH key only. None of the below command generates RSA key.
ssh-keygen
ssh-keygen -t rsa
This just started happening this week. All keys I have generated earlier are RSA keys.
I do not want pem file or Any help?
New keys with OpenSSH private key format can be converted using ssh-keygen utility to the old PEM format.
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

How can I obtain the known_hosts formatted public key value for ec2 instance ssh-key?

AWS outputs this key line 2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA) to the system log. How can I replicate this format for the ssh-rsa key from the command line? I was scraping the logs until I realized that you can't rely on ec2's console-log fetching command because it's buffered and only stores a small amount of the output.
To clarify the ssh-key file in question is a PEM style file with the beginning and ending tags for a base64 encoded ----RSA PRIVATE KEY----
If it's helpful to know the ssh-rsa line value for the public key is base64 encoded.
I've tried...
sudo ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key
2048 MD5:10:b6:fd:21:fb:f4:ca:6b:ef:15:50:15:af:8b:5a:5d root#ip-****** (RSA)
and
sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA)
But neither produces output looking like:
-----BEGIN SSH HOST KEY KEYS-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7+hIGwj+cfT6tLdaVuUewnY/NwoQUdAaLw30auAHQS1B/HAEEJ+f+iLjC7JM2IV00Pgbt1trttRmaApghwkB75h0NXArxrfcHTKKV2FO0d8slO9HwDUMbLOEN+L5H0/T0Xtq9u1vnOz2LyMb5KeIywa0HXZ6bGqt1rYCV3Qi369+FUrtTFw8jo8Y21LmqHVltd/d7Kv40Hb3jzqAOCh3jtZ3bilenMA9pAtXM+XJP54oS6z0NutDJLU2n1DVg2q+5wwjJJqljgYg98t5Xj8VmGlWrtam6FMcaSJ77UwMyxLsSe/Ow7DYGAMrd6PLY5RA1stj4W0WYeB8IOSgyGWPf root#ip-******
-----END SSH HOST KEY KEYS-----
I had an ah-ha moment.
You can just use ssh-keyscan -t rsa localhost to generate the known_hosts key entry for the rsa public key of the server. Since I'm logging into the ec2 instance now instead of trying to scrape the logs I can just trust the results.

Encrypt with GPG without adding stuff to the encrypted file?

$ echo "helloworld" > text.txt
$ cat text.txt
helloworld
$ gpg --cipher-algo AES256 --symmetric --armor text.txt
gpg: gpg-agent is not available in this session
$ ls
text.txt text.txt.asc
$ cat text.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
jA0ECQMCnGyzh+mRmpBg0kgBfcqLbdAhLc+xwZDta3/kudi/f6MmjXUzFUbNFr3H
IoXgqzjRqbeNESHd+nFSTxHQc8tXF80vXMdDzTy3HmD6ZWk3BvVx5Vo=
=EviP
-----END PGP MESSAGE-----
So, how can I avoid adding GPG stuff? I want only the encrypted bytes.
As AES256 is symmetric, I'd like to do something like this:
1. Apply AES with keyA to "file_original.txt" and produce "file_keyA.txt"
2. Apply AES with keyB to "file_keyA.txt" and get "file_keyA_keyB.txt"
3. Apply AES with keyA to "file_keyA_keyB.txt" and get "file_keyB.txt"
4. Apply AES with keyB to "file_keyB" and get "file_original.txt"
So, if I'm A, and want to send "sometext" to my friend B:
I send "sometext" encrypted with GPG with keyA to my friend.
He sends back to me his text encrypted with his keyB too.
I decrypt with my keyA and send back to him.
He should apply keyB and get "sometext".
It should be possible if I use gpg with AES and my friend another software or another symmetric algorithm without knowing my keyA. But it's only possible if gpg (or his software) doesn't add stuff to the encrypted file. I want to apply only the algorithm AES, so I can encrypt multiple times with the same key and get the original.
Probably you want to use openssl instead of gnupg. For example:
openssl enc -aes128 -salt -in yyy -out yyy.enc
More information at the manpage: https://www.openssl.org/docs/man1.0.2/apps/enc.html
If you're looking to send an encrypted message to your friend with gpg, without sharing a passphrase that'd be used to decrypt the message, then you probably want to use asymmetric encryption. To do this, you and your friend will each need to generate PGP keys with
gpg --gen-key
then exchange your public keys
gpg -a --export "mykey" > mykey.pub
<trade mykey.pub files>
gpg --import theirkey.pub
then prepare your message for transmission
gpg -e -a -u "my key" -r "their key" --sign -o somefile.txt.gpg somefile.txt
after your friend has the message they'll need to decrypt it with
gpg -d -o somefile.txt somefile.txt.gpg
and they've got the message. GnuPG will generate a strong key, use that key to encrypt the message, then use your friend's key to encrypt that key and attach it to the file. It'll also use your private key to sign the file so your friend can be (reasonably) sure it wasn't tampered with in transit. In this example you can use
gpg --list-keys <or gpg -k>
to find their key handle (it's the bit after "rsa4096/" and before the creation date) to use in the quotes in the -r "their key" part, and
gpg --list-secret-keys <or gpg -K>
to find the handle of your key, to use in the -u "my key" part.
If you're really looking to use symmetric encryption and share a passphrase with your friend, then I'd also recommend openssl, like #pchris suggested.
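Added example (not part of the original question or answers): the four-step exchange from the question only returns the original text if the two encryptions commute, which GPG output and block modes such as CBC do not. A pure XOR stream cipher does commute, but then the three messages on the wire XOR together to the plaintext. The sketch below uses a SHA-256 counter keystream as a labelled stand-in for an AES stream mode; all function names are assumptions of this example.

```python
import hashlib

def keystream_xor(key, data):
    """Stand-in stream cipher (SHA-256 in counter mode, NOT AES): XOR data with a
    key-derived keystream. Applying it twice with the same key restores the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def three_pass(message, key_a, key_b):
    """Run the question's four steps; return the three transmitted messages and B's result."""
    m1 = keystream_xor(key_a, message)   # A -> B: locked with keyA
    m2 = keystream_xor(key_b, m1)        # B -> A: locked with keyA and keyB
    m3 = keystream_xor(key_a, m2)        # A -> B: keyA removed, keyB remains
    return (m1, m2, m3), keystream_xor(key_b, m3)

def observer_view(m1, m2, m3):
    """What anyone who saw all three transmissions can compute without either key:
    (M^ka) ^ (M^ka^kb) ^ (M^kb) == M, because both keystreams cancel."""
    return bytes(a ^ b ^ c for a, b, c in zip(m1, m2, m3))

if __name__ == "__main__":
    sent, received = three_pass(b"sometext", b"keyA", b"keyB")
    print("B recovers:      ", received)
    print("observer derives:", observer_view(*sent))
```

This is why the answers above point to public-key encryption, or to a passphrase shared out of band, rather than to stripping GPG's framing.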

Check my private key from created ssh keys

I use ssh-keygen -t rsa to generate ssh keys. I learned that my private key is saved to the id_rsa file in the .ssh directory. I wonder what Mac OS command line I should use to see what my private key is? Thank you in advance.
cat ~/.ssh/id_rsa
or
open ~/.ssh/id_rsa
Works the same for id_rsa.pub

'Not a private Key' error when trying to convert pem to ppk

I'm trying to access my friend's AWS server via ssh. He's given me the host name as well as a pem file. I'm relatively new to this and am trying to use putty to connect to the login. For him on Windows, he uses the PuttyGen to convert his pem files into ppk files. But on Ubuntu I couldn't find a GUI version for puttygen and tried looking up on converting the pem file to a ppk file but with no luck. Tried converting it using
puttygen myFile.pem -o newFile.ppk
but get an error
puttygen: unable to load file `myFile.pem': not a private key
I've tried the same command with the -O private option at the end but with no luck either. Even if I try to use ssh with the -i option with the pem file itself, it asks me for a passphrase which I don't know and my friend says there is no passphrase.
My friend gave me his ppk file which I tried to use with Putty but it didn't work.
You can tell if the private key is encrypted or not by printing the public key
encrypted key:
$ ssh-keygen -y -f ~/.ssh/test_key_with_passphrase
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5kB+0TPMDH/OQ6t/ps67DDJvZzAFF4QyqTYFS3K86bmEz5DeIBtB8kgi3a7ecft6/ooeq+WnuyGvInwNY9GqrO3WDbP4joAqAc6waolEIcs8Nb6iNK+Zhv3O0BfAeXnb5aAztGFfzoBKz6MFGw6Haod3BkZiC40/owG11rjwvb7p4mlHsGrjPpBOGMZ66zPBPuEoFDcCDUnpgh9tNww4Wrzcp+jgZM1MP5ylRCiQE/ssgu3G0zZ3H+5YwRN/XNChomXW74W/yBnp5gAqJZNhiuxTaZBDANXAyiqwrysfzYFgzvTDfyf03aysPAMWkWucmMHxnHz5C649ikSLAOK+h
unencrypted key:
$ ssh-keygen -y -f ~/.ssh/test_key_in_the_clear.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxNX8DHatQQYw05PHcEvwHwKaqDvZUQWG23uUxQSxEiq1crf2j9dPCfzigKcPxIYarTIJ6yvdP6Kl/ONb+OKM7j6dd8ljO5LOs7dsgA5Tr2gaWyjrjmg767VCN2PB6BJZ9xz+p3SGTdFWtUXYtaEPAGocRx09N9kofpecRbRMlnbfHotyK8canGYzzRfimzk/uDAC/CcpeG3YLphj7zhpRaXhgdu/FKcdiTryqgktlZreJEbefeq3CEBM9kmxvr2uDc+QSVnhbcdutTJ4u4DEop0ZuTREZ2tH2HoAVruiJQ7Nd/VP8jz3SD5ySFBzPGiPcNMQ2mOP0cffm55+3CTwT
Once you've worked that out, then ssh with -i to get on to the server. If you are using Ubuntu there's no need to bother with putty.
EDIT
Here's what a pem file would normally look like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0E109A1A0F7582B0D8B5AAAFDAB18C2A
-----END RSA PRIVATE KEY-----
If the file doesn't look like that, then you don't have a pem file.
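Added example (not part of the original answer): a Python check that reports whether a private key file is passphrase-protected by inspecting its headers, without prompting. It covers the legacy PEM headers shown above (Proc-Type / DEK-Info), PKCS#8, and the newer OPENSSH PRIVATE KEY container mentioned in the ssh-keygen question earlier on this page. The sample inputs are constructed and contain no key material.

```python
import base64, struct

def private_key_encryption(pem_text):
    """Return the cipher protecting a private key file, or None if it is stored in the clear."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8: cipher lives inside the DER, not parsed here
        return "PKCS#8 (encrypted)"
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad OpenSSH key magic")
        # First field after the magic is the cipher name as a length-prefixed string
        (n,) = struct.unpack_from(">I", raw, len(magic))
        cipher = raw[len(magic) + 4:len(magic) + 4 + n].decode("ascii")
        return None if cipher == "none" else cipher
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): header lines precede the base64 body
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        return headers.get("DEK-Info", "").split(",")[0] or "unknown"
    return None

def sample_openssh(cipher):
    """Constructed OpenSSH container header followed by filler bytes (not a real key)."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"constructed-filler"
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy PEM: headers as in the answer above, placeholder IV and body
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(private_key_encryption(SAMPLE_LEGACY))
    print(private_key_encryption(sample_openssh(b"none")))
```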