#1 2020-11-20 19:25:34

bananabrain
Member
From: England
Registered: 2010-05-07
Posts: 78

openssh to tinyssh key conversion utility doesn't work

Utility is called "tinyssh-convert".

Is anyone using it? It should do exactly what I want but I can't get it to work.

# tinyssh-convert -f ./.ssh/id_ed25519  -d /root

The observed key format did not match the specification.

I don't know what that means.

So I tried the git version from the AUR. Same result.

Then I looked on github. Not much information there except to
find the author stopped developing it four years ago and advises
using "tinyssh-keyconvert" instead, which he's written with python,
and is also in the AUR...

# tinyssh-keyconvert -d /root/ -f /root/.ssh/id_ed25519

ValueError: Cipher is not b'none'!

Is that some sort of python-speak?

With verbosity turned on...

# tinyssh-keyconvert -v -d /root/ -f /root/.ssh/id_ed25519

Traceback (most recent call last):
  File "/usr/bin/tinyssh-keyconvert", line 47, in <module>
    key = opensshkey.OpenSSHKey(keybuf)
  File "/usr/lib/python3.8/site-packages/tinyssh_keyconvert/opensshkey.py", line 14, in __init__
    raise ValueError("Cipher is not b'none'!")
ValueError: Cipher is not b'none'!

I may be doing something stupid. Wouldn't be the first time.
I'm pretty sure I've followed the very sparse advice on how to
use it though.

If anyone can help I'll be grateful.


#2 2020-11-21 16:49:36

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: openssh to tinyssh key conversion utility doesn't work

Have never used it... but, looking at the code; opensshkey.py
The author gives info for the statement giving you the 'error'

# cipher and kdf need to be 'none', i.e. the key must not be encrypted
if keybuf.readString() != b"none":
   raise ValueError("Cipher is not b'none'!")
....

Your key may be unreadable, modded?
This may help you a little further.


#3 2020-11-21 20:07:56

bananabrain
Member
From: England
Registered: 2010-05-07
Posts: 78

Re: openssh to tinyssh key conversion utility doesn't work

I'm very grateful to you for taking a look.

I can see why you'd suggest faulty keys, especially since these key conversion utilities work just fine on the host keys in /etc/ssh.

They were created thus:

ssh-keygen -t ed25519 -C "$(whoami)@$(uname -n)_$(date -I)"

...so should be ok I think.

I removed the new python tinyssh-keyconvert and reverted back to the old tinyssh-convert package because that program appears to be called directly from hook

/usr/lib/initcpio/install/tinyssh

...which comes in package "mkinitcpio-tinyssh"

It still doesn't work though. In fact, it looks to me like that hook should create a directory

/etc/tinyssh/sshkeydir

...then convert the system host keys to tinyssh format and copy them into there, but that isn't happening on my box either.

It seems odd that the script is calling on a utility four years abandoned when the same author has replaced it with a better version.

Anyway, I have no more hair left to tear out. Maybe Felix will have a look, but this is a sparsely used package and he seems to be one of the busiest men in the world.

Thanks again.


#4 2020-11-21 20:34:32

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: openssh to tinyssh key conversion utility doesn't work

Hmm, okay so root keys are working..
Try and create a new pair but don't put a password on it (empty) and now convert your key with 'tinyssh-keyconvert'
Do you now get the file you need?


#5 2020-11-21 21:49:14

bananabrain
Member
From: England
Registered: 2010-05-07
Posts: 78

Re: openssh to tinyssh key conversion utility doesn't work

Yes I do!

I feel suitably dumb for not making the intuitively obvious mental jump to conclude the keys are unreadable (as you suggested above) after being passworded.

This now seems like a good idea, flawed... The only way you can copy your openssh keys into tinyssh format is if none of them are password protected?

I suppose it'll have to be a separate key pair for the dmcrypt unlock...

There's still the issue of the malfunctioning tinyssh hook, but I should be able to sort that out manually.

Thanks again, very much.



Edit:  ...or dropbear??

Last edited by bananabrain (2020-11-21 21:50:40)


#6 2020-11-22 02:38:58

bananabrain
Member
From: England
Registered: 2010-05-07
Posts: 78

Re: openssh to tinyssh key conversion utility doesn't work

In case this is helpful to anyone...

I never found out why tinyssh wouldn't convert the server host keys. Documentation around tinyssh is woeful (although the issue is probably in the arch hook).

Dropbear also doesn't support passworded private keys. It does come with its own key converter, but that didn't work either because it's broken, being unable to convert recent openssh private keys until they've been converted or renewed with PEM format, so all client ~/.ssh/known_hosts files will need editing. Dropbear has also been deliberately crippled to no longer support ecdsa keys, so the install hook conversion process balks all over the screen.

I've created rsa keys to do the unlocking, leaving the existing ed25519 for actual login, which wouldn't have been possible with tinyssh because it only supports the latter.

This has been an almighty ball ache. I'm sure when I did it a few years ago it was really easy. It's working beautifully now though. I'm glad I'm not a proper software person like some of you guys or I'd have lobbed myself off the pont neuf years ago.


Thanks qinohe.


#7 2020-11-22 17:31:30

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: openssh to tinyssh key conversion utility doesn't work

You're welcome, I really don't want 'to step on your toes' but I think you need to read the wiki pages more attentively, I know, we all don't now and then..;)
Seeing your previous post https://bbs.archlinux.org/viewtopic.php?id=260828, the wiki you point to contains info you could have known for the above problem.
I can't make any suggestions on what you should do or not with both problems other than: read the wikis again, the answer (solution) for both may be there.
