Support @openssh.com ciphers for ssh keys #8964
Comments
|
How exactly did you generate the key? |
|
I used |
|
I just did that and everything worked fine |
|
Yeah. I tried with a test key that I freshly generated and did not run into the issue. I think that the problem is that I was importing the key after exporting it from 1password. I am not sure how to debug what about the export with password process resulted in this issue. |
|
It isn't something we would fix because the error shown is likely due to a key format error. You will probably have to convert the key into a proper format to be used in KeePassXC. |
|
The key I exported from 1password worked when I directly used it with openssh, though. |
|
@droidmonkey I took a look at the base64-encoded data and saw that the key I had generated was encrypted with When I looked at the manpage for I also saw this when looking at the list of ciphers in the openssh source code. When I tried doing |
droidmonkey
changed the title
|
Also, after I modified the cipher detection to use size_t GCM_Decryption::process(uint8_t buf[], size_t sz)
{
BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid buffer size");
m_ghash->update(buf, sz);
m_ctr->cipher(buf, buf, sz);
return sz;
} |
|
Likely because this is some custom format that openssh invented because why do standards right? |
|
It looks like this is an official standard. Or at least, there is a spec/doc from NIST on the GCM mode for AES. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf And Intel + Microsoft have support for it in some of their APIs. |
|
GCM is a standard, but clearly it's "special" in openssh land |
|
I suppose this depends on how easy it is to support this with botan. |
|
It looks like this will require botan changes first. There would need to be some way of telling it to just use block size as the update granularity instead of multiplying by |
|
randombit/botan#3168 just merged, so botan has the necessary fixes. However, the changes will be in 3.0, so the full fix would have to wait (at least) until it is released. |
|
Nice! |
|
Woops closed through PR merge |
* Fix detecting AES-256/GCM cipher, fixes keepassxreboot#8964 When you generate a ssh key using the aes-256/gcm cipher, the cipher name in the keyfile includes an @openssh.com at the end. * Use separate iv length for getting iv data, the assumption that the block size and iv size are equal does not hold for every cipher mode (e.g., GCM) * Disable AES-256/GCM for now in ssh keys Currently, the granularity for the botan gcm implementation is too large. To fix a problem with another algorithm in the library, they are multiplying the blocksize, so by default the granularity is 64. This causes issues since the encrypted data in the key is only guaranteed to have a length that is a multiple of the block size (16).
* Fix detecting AES-256/GCM cipher, fixes keepassxreboot#8964 When you generate a ssh key using the aes-256/gcm cipher, the cipher name in the keyfile includes an @openssh.com at the end. * Use separate iv length for getting iv data, the assumption that the block size and iv size are equal does not hold for every cipher mode (e.g., GCM) * Disable AES-256/GCM for now in ssh keys Currently, the granularity for the botan gcm implementation is too large. To fix a problem with another algorithm in the library, they are multiplying the blocksize, so by default the granularity is 64. This causes issues since the encrypted data in the key is only guaranteed to have a length that is a multiple of the block size (16).
* Fix detecting AES-256/GCM cipher, fixes keepassxreboot#8964 When you generate a ssh key using the aes-256/gcm cipher, the cipher name in the keyfile includes an @openssh.com at the end. * Use separate iv length for getting iv data, the assumption that the block size and iv size are equal does not hold for every cipher mode (e.g., GCM) * Disable AES-256/GCM for now in ssh keys Currently, the granularity for the botan gcm implementation is too large. To fix a problem with another algorithm in the library, they are multiplying the blocksize, so by default the granularity is 64. This causes issues since the encrypted data in the key is only guaranteed to have a length that is a multiple of the block size (16).
* Fix detecting AES-256/GCM cipher, fixes #8964 When you generate a ssh key using the aes-256/gcm cipher, the cipher name in the keyfile includes an @openssh.com at the end. * Use separate iv length for getting iv data, the assumption that the block size and iv size are equal does not hold for every cipher mode (e.g., GCM) * Disable AES-256/GCM for now in ssh keys Currently, the granularity for the botan gcm implementation is too large. To fix a problem with another algorithm in the library, they are multiplying the blocksize, so by default the granularity is 64. This causes issues since the encrypted data in the key is only guaranteed to have a length that is a multiple of the block size (16).
Overview
Cannot add password-protected ed25519 key
Steps to Reproduce
Add to agentbuttonExpected Behavior
Private keyfile is accepted
Actual Behavior
Error popup
Unknown cipher: aes-256gcm@openssh.comContext
KeePassXC - Version 2.7.4
Revision: 63b2394
Operating System: Linux
Desktop Env: Gnome
Windowing System: Wayland
The text was updated successfully, but these errors were encountered: