4

When I exported my private key in PuTTYgen, I assumed that the passphrase I set was also used on the OpenSSH version. I'm finding that the passphrase I put in isn't working. What's the right way to export my private key in OpenSSH format with a passphrase?

To transfer the exported SSH key to Linux, I just pasted it into nano, and tried to ssh-add it. It prompts me for a passphrase, but doesn't accept the one I gave it. PuTTYgen imports it fine with that passphrase though.

B T
  • Try to rephrase your question, using the terms "password" and "passphrase" correctly. You seem to mistake one for another, making your question hard to follow. – Martin Prikryl Apr 17 '15 at 06:17

1 Answer

1

The Windows PuTTYgen's "Export OpenSSH key" does encrypt the key with 3DES-CBC. If the passphrase is non-empty, the output file says so:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,157A04D5AE43F45B

    NiGUXnTOhATzg4dGvyXs8rzetF7KpplJJIKrZvQunXuVcZhVS+NTpnTgwJb+zOCm
    ...

I've tested this on various versions over the past 4 years. If the passphrase is empty, I even get an "Are you sure?" prompt.

The Linux puttygen also always uses the same passphrase when converting.


For RSA & DSA keys, OpenSSH uses the same 'raw' key format as OpenSSL. So if 3DES-CBC is not sufficient, you can use the openssl command-line tool to reencrypt them:

    openssl rsa -aes-128-cbc < old.key > new.key

On Unix of course OpenSSH's own ssh-keygen is better:

    ssh-keygen -p -f old.key
u1686_grawity
  • So the strange thing is that if I export the key, copy it to a CentOS machine, and do an ssh-add, it asks for the passphrase and when I put it in, it tells me it's incorrect. If I press enter when it prompts me, it quits without comment - which I was taking to be passwordless entry. I can see via ssh-add -l that no keys have been loaded. So why is my key's password not working? – B T Apr 16 '15 at 22:00
  • Is whitespace important before or after the "begin/end RSA private key" parts? The way I created my key was just to paste it in nano. – B T Apr 16 '15 at 23:28
  • @BT: Yes; you can have empty lines and stuff around the whole key, but not inside the key. – u1686_grawity Apr 17 '15 at 18:27
  • Hm, that's what I thought. Very strange.. – B T Apr 22 '15 at 03:31
  • @BT In particular all line breaks within the dash-BEGIN to dash-END block must remain the same, including exactly one blank line between DEK-Info and the first base64. Does `openssl rsa – dave_thompson_085 May 01 '15 at 12:27
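
A way to check a pasted key file against the layout described in the answer and comments above (added example, not part of the original thread): it reports whether the `Proc-Type`/`DEK-Info` headers mark the key as encrypted and flags a missing blank line after the headers or blank lines inside the base64 body. The function name `inspect_pem`, the stray-whitespace heuristic and the sample key (filler bytes, made-up IV) are assumptions of this example.

```python
import base64, binascii, re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def inspect_pem(text):
    """Report encryption headers and paste damage in a traditional PEM key file."""
    result = {"encrypted": False, "cipher": None, "problems": []}
    lines = text.splitlines()          # accepts both LF and CRLF line endings
    start = next((i for i, l in enumerate(lines) if BEGIN.match(l.strip())), None)
    if start is None:
        result["problems"].append("no BEGIN line")
        return result
    end_marker = "-----END %s-----" % BEGIN.match(lines[start].strip()).group(1)
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].strip() == end_marker), None)
    if end is None:
        result["problems"].append("no matching END line")
        return result
    inner, headers, pos = lines[start + 1:end], {}, 0
    # Header lines ("Name: value") come first; ':' never occurs in base64.
    while pos < len(inner) and ":" in inner[pos]:
        name, _, value = inner[pos].partition(":")
        headers[name.strip()] = value.strip()
        pos += 1
    if headers:
        # Exactly one blank line separates the headers from the base64 body.
        if pos < len(inner) and inner[pos].strip() == "":
            pos += 1
        else:
            result["problems"].append("missing blank line after headers")
    body = inner[pos:]
    if any(l.strip() == "" for l in body):
        result["problems"].append("blank line inside base64 body")
    if any(l != l.strip() for l in inner):   # heuristic for editor/paste damage
        result["problems"].append("stray whitespace inside block")
    try:
        base64.b64decode("".join(l.strip() for l in body), validate=True)
    except binascii.Error:
        result["problems"].append("body is not valid base64")
    result["encrypted"] = headers.get("Proc-Type") == "4,ENCRYPTED"
    result["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
    return result

# Constructed sample: the body is filler bytes and the IV is made up; not a real key.
BODY = base64.b64encode(bytes(range(96))).decode()
SAMPLE = "\n".join(["-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF", "",
                    BODY[:64], BODY[64:], "-----END RSA PRIVATE KEY-----"]) + "\n"

if __name__ == "__main__":
    print(inspect_pem(SAMPLE))
```

A clean report only means the file's structure survived the copy; it does not test the passphrase itself.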