dropbearkey: save a public key file .pub #267
Conversation
|
Now I think we can just leave saving of the .pub file but don't print it when -y. A typical OpenWrt script generates a key and then use -y to store a public key. That means that it can override the generated .pub with comment. Not a big deal. Also newer scripts versions won't make a separate -y if the .pub exists. One day the Dropbear may switch to openssh key format and we will store and print the comment in -y. Maybe we can also add the -l flag to print a fingerprint but not sure if anyone need it at all. The ECC keys are so small that it easier to fully show them instead of a fingerprint. Please let me know what are you think. |
|
I updated the PR. The old code I pushed to https://github.com/stokito/dropbear/tree/dbkey-print-pub |
The OpenSSH keygen stores the key comment into a private key. The Dropbear key format is simpler and can't do that. But we can store/print it to a public key. The option also improves compatibility with scripts developed for OpenSSH keygen. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
The OpenSSH keygen stores the public part of a new key to a .pub file. Make the DropBear behave same. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
|
I fixed your suggestions, added a comment, improved description of commits. |
|
Ah yes, I'll change it to use |
dprintf() was only introduced in posix 2008 so won't be supported by older platforms. gnulib suggests: https://www.gnu.org/software/gnulib/manual/html_node/dprintf.html This function is missing on many non-glibc platforms: Mac OS X 10.5, FreeBSD 6.0, NetBSD 5.0, OpenBSD 3.8, Minix 3.1.8, AIX 5.1, HP-UX 11, IRIX 6.5, Solaris 11.3, Cygwin 1.5.x, mingw, MSVC 14.
|
Thanks! |
For a better interoperability with OpenSSH I want to have their interface working similarly.
When generating a key with ssh-keygen it saves the identity file e.g. id_rsa and its public key id_rsa.pub. To get a public key a user can just
cat id_rsa.pub.But the dropbearkey stores only the identity file.
When you need to get a public key you can execute
dropbearkey -yand it will extract a public key from the private. It also prints a fingerprint of the key.In many scripts and tutorials it is removed with
dropbearkey -y -f ~/.ssh/id_ed25519 | grep "^ssh-"The
ssh-keygen -ybehaves similarly but it doesn't print a fingerprint but only a raw pubkey. You can use a separate commandssh -lto print a fingerprint.Also the
ssh-keygen -C commentallows to specify an email for the key. The comment is saved in both private and public keys.The dropbearkey generates a comment on the fly and a user can't specify the comment.
I wanted to check how to resolve the issues and the PR is a result of my attempt. I don't like the result but still I decided to share it. Maybe you also had an intention to work with the problem or someone needs this functionality.
The PR works as follows:
0. During a key generation a user can specify a comment with the
-C..pubfile. The.pubfile is exactly same as for ssh-keygen e.g. it has a comment and without a fingerprint.dropbearkey -ycheck if the.pubfile exists and if yes then print it. If it doesn't exists then work as before and extract a public key from the private key. This is breaking change because the.pubfile doesn't have the fingerprint. In the same time its output is the same as forssh-keygen -y.To avoid conflicts we can add a condition if the program was dropbearkey then don't generate the
.pubbut ifdropbear ssh-keygenthen generate it.Please feel free to close the PR. We can keep it for a history purposes if anyone is looking for the same functionality.