发表安全3 分钟读完 (大约405个字)0次访问

ssh-keygen生成PEM格式密钥

一、背景

使用JGIT且用git协议连接时,报密钥格式错误。通过Debug发现是JSCH不支持OPENSSH格式私钥。更换为PEM格式私钥后解决。

二、JSCH不支持OPENSSH格式私钥

JSCH源码位置:com.jcraft.jsch.KeyPair#load(com.jcraft.jsch.JSch, byte[], byte[]),关键代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
while (i < len) {
    if (buf[i] == 'B' && i + 3 < len && buf[i + 1] == 'E' && buf[i + 2] == 'G' && buf[i + 3] == 'I') {
        i += 6;
        if (i + 2 >= len)
            throw new JSchException("invalid privatekey: " + prvkey);
        if (buf[i] == 'D' && buf[i + 1] == 'S' && buf[i + 2] == 'A') {
            type = DSA;
        } else if (buf[i] == 'R' && buf[i + 1] == 'S' && buf[i + 2] == 'A') {
            type = RSA;
        } else if (buf[i] == 'E' && buf[i + 1] == 'C') {
            type = ECDSA;
        } else if (buf[i] == 'S' && buf[i + 1] == 'S' && buf[i + 2] == 'H') { // FSecure
            type = UNKNOWN;
            vendor = VENDOR_FSECURE;
        } else if (i + 6 < len &&
                   buf[i] == 'P' && buf[i + 1] == 'R' &&
                   buf[i + 2] == 'I' && buf[i + 3] == 'V' &&
                   buf[i + 4] == 'A' && buf[i + 5] == 'T' && buf[i + 6] == 'E') {
            type = UNKNOWN;
            vendor = VENDOR_PKCS8;
            encrypted = false;
            i += 3;
        } else if (i + 8 < len &&
                   buf[i] == 'E' && buf[i + 1] == 'N' &&
                   buf[i + 2] == 'C' && buf[i + 3] == 'R' &&
                   buf[i + 4] == 'Y' && buf[i + 5] == 'P' && buf[i + 6] == 'T' &&
                   buf[i + 7] == 'E' && buf[i + 8] == 'D') {
            type = UNKNOWN;
            vendor = VENDOR_PKCS8;
            i += 5;
        } else {
            throw new JSchException("invalid privatekey: " + prvkey);
        }
        i += 3;
        continue;
    }
    ...
}

从源码中可看出JSCH不支持OPENSSH格式,该格式以*—–BEGIN OPENSSH PRIVATE KEY—–*为起始。

三、ssh-keygen Man Page

ssh-keygen升级后默认生成OPENSSH格式私钥,之前是PEM。

1
2
3
4
ssh-keygen will by default write keys in an OpenSSH-specific
     format.  This format is preferred as it offers better protection
     for keys at rest as well as allowing storage of key comments within
     the private key file itself.
私钥类型 私钥前缀
PEM —–BEGIN RSA PRIVATE KEY—–
OPENSSH —–BEGIN OPENSSH PRIVATE KEY—–

四、ssh-keygen生成PEM格式密钥

1
ssh-keygen -t rsa -m PEM

# 参考

  1. https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
  2. https://docs.oracle.com/en/cloud/paas/integration-cloud/ftp-adapter/generate-keys-pem-format.html

评论

×