
April 7, 2006

My SSH Private Key is in a Proprietary Format?

I am most annoyed (two days in a row now). I recently switched laptops, from an Apple PowerBook to an assigned Dell with Windows XP. I got a license and installed SecureCRT for getting access to our servers. Everything at work is done with SSH keys (no passwords) so I went through the process of generating a private and public key in SecureCRT. The public keys were propagated around to all the servers to give me access.

Today I was trying to do something with a few somewhat large log files and found that my laptop didn't have the space to handle them. So my brilliant idea is to put my private key on a different machine (of course this is experimental because I'm not an SSH or key guru so I'm not even sure it would work, but I want to try).

So I get the private key onto another box and when I run it I get a command-line asking for my private key password. I enter the password just as in SecureCRT but it is not accepted.

I stumble into this response to someone trying to do the same thing on a forum:

The problem that you are seeing is due in part to the way the SSH draft defines keys. The public key format is well defined and standardized by the IETF draft, whereas the private key format is not.

The private key format was not defined specifically, but left to the individual developers. Because of this, each developer writes their private key in a format that meets their needs. This means that the private keys are not going to be readable by another developer's software.

With OpenSSH, we have the ability to read both the public and private keys because the format is known. This means that SecureCRT can use both the public and private keys generated by OpenSSH. But SecureCRT cannot export to OpenSSH.

We have had people request this ability to be added to SecureCRT. If you would like to be notified if a version of SecureCRT is released with this ability, please send an email to Support@vandyke.com with a subject of Attn: Shannon Re: Forum Thread #3919

Please include your contact information so that we can contact you when a version of SecureCRT that has the ability to export/import public and private keys becomes available.

The forum member responds with:

Is there a description of SecureCRT private key file format available? In case of this document it's easy to write converter without waiting for future releases.

The SecureCRT folks respond with:

Unfortunately, this is not an option. The format of SecureCRT's key is proprietary . . . the conversion tool is currently being considered for possible inclusion in a future release of SecureCRT. We would be glad to let you know if it becomes available!

I can't believe that, the key format is proprietary?

I can see the key, it looks a lot like an OpenSSH key with a few additional pieces of information:

---- BEGIN VAN DYKE SSH2 PRIVATE KEY ----
Subject: Mike Kruckenberg
Comment: "Mike Kruckenberg"
ModBitSize: 1024
<actual key snipped>
---- END VAN DYKE SSH2 PRIVATE KEY ----

I have tried to remove those extra lines but still the same thing.
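
Added example (not part of the original post, and not SecureCRT or OpenSSH code): a small Python check that reads a key file's armor label and header lines to report which tool wrote it, and shows that deleting the header lines leaves both the label and the payload unchanged. The function names and sample files are constructed for illustration, the payload is placeholder bytes rather than key material, and the body is assumed to be base64 text.

```python
import base64
import re

# Armor labels mapped to (writer, readable by OpenSSH). The VAN DYKE label and
# its unreadable status come from the post; the others are written by OpenSSH.
KNOWN_LABELS = {
    "RSA PRIVATE KEY": ("OpenSSH (PEM)", True),
    "DSA PRIVATE KEY": ("OpenSSH (PEM)", True),
    "OPENSSH PRIVATE KEY": ("OpenSSH (native)", True),
    "VAN DYKE SSH2 PRIVATE KEY": ("SecureCRT (vendor format)", False),
}
MARKER = re.compile(r"^-{4,5} ?(BEGIN|END) (.+?) ?-{4,5}$")
HEADER = re.compile(r"^([A-Za-z0-9-]+): (.*)$")

# Constructed placeholder payload; this is not key material.
BODY = base64.b64encode(b"constructed placeholder bytes, not a key").decode()
VANDYKE_SAMPLE = f"""---- BEGIN VAN DYKE SSH2 PRIVATE KEY ----
Subject: Example User
Comment: "Example User"
ModBitSize: 1024
{BODY}
---- END VAN DYKE SSH2 PRIVATE KEY ----"""
PEM_SAMPLE = f"-----BEGIN RSA PRIVATE KEY-----\n{BODY}\n-----END RSA PRIVATE KEY-----"

def inspect_key(text):
    """Parse the armor of a private key file without interpreting the key."""
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    begin, end = MARKER.match(lines[0]), MARKER.match(lines[-1])
    if not (begin and end and begin.group(1) == "BEGIN"
            and end.group(1) == "END" and begin.group(2) == end.group(2)):
        raise ValueError("missing or mismatched BEGIN/END markers")
    headers, i = {}, 1
    while i < len(lines) - 1 and (m := HEADER.match(lines[i])):
        headers[m.group(1)] = m.group(2).strip('"')
        i += 1
    payload = base64.b64decode("".join(lines[i:-1]), validate=True)
    writer, openssh_ok = KNOWN_LABELS.get(begin.group(2), ("unknown", None))
    return {"label": begin.group(2), "writer": writer, "headers": headers,
            "openssh_readable": openssh_ok, "payload": payload}

def strip_headers(text):
    """Drop the 'Name: value' lines, as the post describes trying."""
    return "\n".join(ln for ln in text.splitlines() if not HEADER.match(ln))

if __name__ == "__main__":
    for s in (VANDYKE_SAMPLE, strip_headers(VANDYKE_SAMPLE), PEM_SAMPLE):
        print({k: v for k, v in inspect_key(s).items() if k != "payload"})
```

Run against a real file, the report only reflects the envelope; whether another client can load the key depends on the payload encoding, which this check does not interpret.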

So I'm annoyed that they think the key I generated is somehow theirs, and am left to do more research (perhaps using OpenSSH trying to move from a different server to a different server). Perhaps moving private keys is just not allowed, but I want to know for sure before I give up on the idea of reusing my private key.

Update: I successfully moved a private key between a Mac OSX and a Linux box (both generated with OpenSSH) and had no problems with login using the private key generated on another box. Further information on this is found on this forum.

Posted by mike at April 7, 2006 5:44 PM