dropbearkey: save a public key file .pub #267
Conversation
Now I think we can just leave saving of the .pub file but don't print it when -y. A typical OpenWrt script generates a key and then uses -y to store a public key. That means that it can override the generated .pub with comment. Not a big deal. Also newer script versions won't make a separate -y if the .pub exists. One day Dropbear may switch to the OpenSSH key format and we will store and print the comment in -y. Maybe we can also add the -l flag to print a fingerprint, but not sure if anyone needs it at all. The ECC keys are so small that it is easier to fully show them instead of a fingerprint. Please let me know what you think.
I updated the PR. The old code I pushed to https://github.com/stokito/dropbear/tree/dbkey-print-pub
Thanks. Outputting .pub files is something I've wanted for a while but haven't got round to. I think it should be OK in terms of compatibility, just a couple of small comments.
The OpenSSH keygen stores the key comment into a private key. The Dropbear key format is simpler and can't do that. But we can store/print it to a public key. The option also improves compatibility with scripts developed for OpenSSH keygen. Signed-off-by: Sergey Ponomarev <[email protected]>
The OpenSSH keygen stores the public part of a new key to a .pub file. Make Dropbear behave the same. Signed-off-by: Sergey Ponomarev <[email protected]>
I fixed your suggestions, added a comment, improved the description of commits.
Ah yes, I'll change it to use
dprintf() was only introduced in posix 2008 so won't be supported by older platforms. gnulib suggests: https://www.gnu.org/software/gnulib/manual/html_node/dprintf.html This function is missing on many non-glibc platforms: Mac OS X 10.5, FreeBSD 6.0, NetBSD 5.0, OpenBSD 3.8, Minix 3.1.8, AIX 5.1, HP-UX 11, IRIX 6.5, Solaris 11.3, Cygwin 1.5.x, mingw, MSVC 14.
Thanks!
For better interoperability with OpenSSH I want to have their interface working similarly.
When generating a key with ssh-keygen it saves the identity file, e.g. id_rsa, and its public key id_rsa.pub. To get a public key a user can just `cat id_rsa.pub`. But dropbearkey stores only the identity file.
When you need to get a public key you can execute `dropbearkey -y` and it will extract a public key from the private. It also prints a fingerprint of the key. In many scripts and tutorials it is removed with `dropbearkey -y -f ~/.ssh/id_ed25519 | grep "^ssh-"`.
The `ssh-keygen -y` behaves similarly but it doesn't print a fingerprint, only a raw pubkey. You can use a separate command `ssh -l` to print a fingerprint. Also `ssh-keygen -C comment` allows specifying an email for the key. The comment is saved in both private and public keys. dropbearkey generates a comment on the fly and a user can't specify the comment.
I wanted to check how to resolve the issues and the PR is a result of my attempt. I don't like the result but still I decided to share it. Maybe you also had an intention to work on the problem or someone needs this functionality.
The PR works as follows:
0. During a key generation a user can specify a comment with the `-C`
`.pub` file. The `.pub` file is exactly the same as for ssh-keygen, e.g. it has a comment and no fingerprint.
`dropbearkey -y` checks if the `.pub` file exists and if yes then prints it. If it doesn't exist then it works as before and extracts a public key from the private key. This is a breaking change because the `.pub` file doesn't have the fingerprint. At the same time its output is the same as for `ssh-keygen -y`.
To avoid conflicts we can add a condition: if the program was dropbearkey then don't generate the `.pub`, but if `dropbear ssh-keygen` then generate it.
Please feel free to close the PR. We can keep it for history purposes if anyone is looking for the same functionality.
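As an added example (not Dropbear's or this PR's code), the C routines below build the one-line OpenSSH `.pub` format discussed in this thread and write it with stdio instead of dprintf(), for the portability reason raised above. The helper names, the key blob and the comment are constructed for illustration; refusing to overwrite an existing `.pub` file is a choice made here, not something the PR does.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: base64-encode a raw SSH public key blob. Caller frees. */
static char *b64_encode(const unsigned char *in, size_t len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    size_t i, j = 0;
    if (!out) return NULL;
    for (i = 0; i < len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[j++] = tbl[(v >> 18) & 63];
        out[j++] = tbl[(v >> 12) & 63];
        out[j++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        out[j++] = (i + 2 < len) ? tbl[v & 63] : '=';
    }
    out[j] = '\0';
    return out;
}

/* One line as ssh-keygen writes it to id_*.pub: "<type> <base64> <comment>\n".
   No fingerprint, so `dropbearkey -y` could print this file verbatim. Caller frees. */
static char *format_pubkey_line(const char *keytype, const unsigned char *blob,
                                size_t len, const char *comment) {
    char *b64 = b64_encode(blob, len), *line;
    size_t n;
    if (!b64) return NULL;
    n = strlen(keytype) + strlen(b64) + strlen(comment) + 4; /* 2 spaces, '\n', NUL */
    line = malloc(n);
    if (line) snprintf(line, n, "%s %s %s\n", keytype, b64, comment);
    free(b64);
    return line;
}

/* Write the line to `path` with mode 0644 (a public key may be world-readable, unlike
   the 0600 private key). O_EXCL refuses to clobber an existing file. fdopen/fputs is
   used instead of dprintf(), which is POSIX 2008 only. Returns 0 on success. */
static int write_pubkey_file(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    FILE *f;
    if (fd < 0) return -1;
    if (!(f = fdopen(fd, "w"))) { close(fd); return -1; }
    if (fputs(line, f) == EOF) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}
```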