How do I derive a SHA256 fingerprint from either a public key or MD5 fingerprint? - sftp

I received a public key generated by "SAP SuccessFactors" from someone who needs to connect to an SFTP, but in order for me to import the public key, I need to provide a SHA256 fingerprint.
Apparently "SAP SuccessFactors" can only produce an MD5 fingerprint. I've tried running the command
ssh-keygen -lf <path>.fakekeyname.pub
but I get an error
fakekeyname.pub is not a public key file
In opening up the public key file, the header says
begin ssh2 public key
whereas I'm used to seeing something along the lines of ssh-rsa.
Apologies in advance if this seems immediately obvious, but I would sincerely appreciate some guidance or advice.
Thanks very much!

You can use ssh-keygen. First you would need to convert the file to PEM format:
ssh-keygen -i -m PKCS8 -f pubkey.pem > NEWpubkey.pem
Next, get the fingerprint; you can then get the SHA256 value from it:
ssh-keygen -lf NEWpubkey.pem
For reference, see this post: get SHA256 hash of public key
Edit: For pub files this could work: ssh-keygen -E sha256 -lf sample.pub (see How to Calculate Fingerprint From SSH RSA Public Key in Java?)
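An added example, not part of the original question or answer: a SHA256 fingerprint is a hash of the decoded public key blob, so it has to be computed from the key file itself and cannot be derived from an MD5 fingerprint. This Python sketch reads either the "BEGIN SSH2 PUBLIC KEY" (RFC 4716) form or the one-line OpenSSH form; the function names are illustrative and the sample key is constructed dummy data.

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def public_key_blob(text):
    """Return the raw key blob from an RFC 4716 or one-line OpenSSH public key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0] == BEGIN:
        if lines[-1] != END:
            raise ValueError("missing END SSH2 PUBLIC KEY marker")
        body, in_header = [], False
        for ln in lines[1:-1]:
            # Headers ("Comment: ...") contain ':' and continue after a trailing backslash.
            if in_header or ":" in ln:
                in_header = ln.endswith("\\")
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        fields = text.split()  # "<type> <base64> [comment]"
        if len(fields) < 2:
            raise ValueError("not a public key file")
        b64 = fields[1]
    return base64.b64decode(b64, validate=True)

def fingerprints(text):
    """Key type plus SHA256 and MD5 fingerprints in the form ssh-keygen -l prints."""
    blob = public_key_blob(text)
    (n,) = struct.unpack(">I", blob[:4])
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": blob[4:4 + n].decode("ascii"),
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }

# Constructed sample (dummy bytes, not a real key): the same blob in both file formats.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "constructed sample"',
                            SAMPLE_B64[:40], SAMPLE_B64[40:], END])
SAMPLE_OPENSSH = "ssh-ed25519 " + SAMPLE_B64 + " constructed-sample"

if __name__ == "__main__":
    print(fingerprints(SAMPLE_RFC4716))
```

Comparing the "md5" value with the MD5 fingerprint the sender reports confirms that the file received is the key they meant before the SHA256 value is trusted.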

Related

how to use openssh keys with paramiko [duplicate]

I am trying to connect to a server using the following snippet
import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ip = 'x.x.x.x'  # connect() takes a single hostname string
key_file = "/Users/user/.ssh/id_rsa"
key = paramiko.RSAKey.from_private_key_file(key_file)
ssh.load_system_host_keys()
ssh.connect(ip, port=22, username='XYZ', pkey=key, timeout=11)
But I am getting an error:
not a valid RSA private key file
I faced a similar situation and ssh-keygen comes to my help. You should make a copy of id_rsa and convert it to RSA type with ssh-keygen.
To Convert "BEGIN OPENSSH PRIVATE KEY" to "BEGIN RSA PRIVATE KEY"
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Recent versions of OpenSSH (7.8 and newer) generate keys in new OpenSSH format by default, which starts with:
-----BEGIN OPENSSH PRIVATE KEY-----
That format is fully supported by Paramiko only since version 2.7.1 (2019-12-09).
If you are stuck with an older version of Paramiko, you can use ssh-keygen to convert the key to the classic OpenSSH format:
ssh-keygen -p -f file -m pem -P passphrase -N passphrase
(if the key is not encrypted with a passphrase, use "" instead of passphrase)
For Windows users: Note that ssh-keygen.exe is now built into Windows 10, and can be downloaded from the Microsoft Win32-OpenSSH project for older versions of Windows.
On Windows, you can also use PuTTYgen (from PuTTY package):
Start PuTTYgen
Load the key
Go to Conversions > Export OpenSSH key.
For RSA keys, it will use the classic format.
If you are creating a new key with ssh-keygen, just add -m PEM to generate the new key in the classic format:
ssh-keygen -m PEM
Note that you can also get the error when you are trying to use a completely different key format, like ssh.com or PuTTY .ppk. Then you will have to convert the key in any case.
For ssh.com format, see Paramiko: "not a valid DSA private key file".
For PuTTY .ppk format, use PuTTYgen as shown above.
The paramiko.RSAKey.from_private_key_file method requires the private key file to be in "PEM" format. Examine the file you're trying to read and see if it begins with a line that says:
-----BEGIN RSA PRIVATE KEY-----
If it doesn't have that line then it's not PEM.
If it's not PEM then you'll have to find some way to create a PEM version of the private key. (EDIT: the original poster used PuTTY's puttygen utility to export the private key into a PEM-format file.)
Make sure that the new file has the same ownership and limited access permissions that the original id_rsa file has, so that nobody can steal the key by reading the file. Then, obviously, modify your paramiko call to read the key from the new PEM-format file.
I have encountered the same error while I was connected with ssh to an Ubuntu VM.
In my terminal SSH_AUTH_SOCK environment variable is not defined, and paramiko throws the not a valid RSA private key file error.
However, if I am connected in a graphical session to the same machine, the graphical terminal has got SSH_AUTH_SOCK defined, and Paramiko is happy.
As a workaround, I have copied the content of SSH_AUTH_SOCK in my SSH terminal and it works better.
As I checked, there was no issue with the path or the permissions (only read permission on the RSA file will work), so the problem was with the Paramiko version.
I updated it using the below command and it resolved the issue for me.
pip3 install --upgrade paramiko

Moving a private key without passphrase from a server to another causes request of passphrase by GPG

I generated a key pair using GPG with the following command in Debian 8.
gpg --gen-key
I left the passphrase step of key generation empty and just hit the Enter key. After that, I exported the private and public keys using the following commands.
gpg --export-secret-key -a "X" > private.key
gpg --export-key -a "X" > public.key
Then I tried to encrypt a folder using the private key. It was successful and without asking any passphrase the encrypted file was generated.
But when I transferred the public key to another computer with Ubuntu OS 14.04 and imported it using the following command, gpg requested a passphrase. Even when giving an empty passphrase to gpg, it says that the passphrase is incorrect.
gpg --import public.key
Furthermore, when I imported the private key on the second computer for encryption, it asked me for the passphrase again.
Does anyone have any idea what is the problem?
There is no need to export and import keys. Just copy the key files located in ~/.ssh/ on your source machine to the other system.
It was because another keyring already existed on the second system. Indeed, it is required to clear all keys before import.

Recursive decryption using gpgdir

I have a lot of files that are encrypted with gpg in a lot of directories. So I want to use gpgdir command to decrypt recursively all files in all directories.
The problem is in the use of gpgdir. I installed it correctly and I set the correct default key id in my conf file using gpg --list-keys to find the id. But when I use the command
gpgdir -decrypt <directory>
the console gives me back
[+] Executing: gpgdir -decrypt <directory>
Using GnuPG key: 3662FD5E
Password:
I don't know what password I must enter to decrypt the files. I tried with the admin password but it doesn't work.
Can someone help me?
Thanks!!

Sign JAR without JRE but with OpenSSL?

Our system has Java and C parts. On the C side, we are signing certain data using command-line scripts calling OpenSSL commands. Now we want to sign some JARs too. We already have established PKI (what is important for this case - private keys are accessible) "on the C side" and we try to avoid duplicating/extending that to the Java side.
What would be an easy way to get the JAR signed for someone who does not want to have JRE (but has OpenSSL)? I.e. I want to create the correct MANIFEST.MF, KEY.SF and KEY.?SA for my JAR. Their format is not complicated and this seems to be doable with some scripting. Has anyone done this before?
Answering own question.
Format of MANIFEST.MF and KEY.SF is documented by Oracle. Surprisingly, exact content of the signature KEY.?SA (where "KEY" is the keystore alias of the signing key) is not detailed in the "Signature File" section.
This KEY.RSA (for RSA signatures) can be created by OpenSSL command-line tools in exactly the way jarsigner creates it. Example for RSA signature and SHA256 digest:
$ openssl smime -sign -noattr -in META-INF/TEST1.SF -outform der -out META-INF/TEST1.RSA -inkey privateKey.pem -signer cert.pem -md sha256
Similarly, the signature can be produced with the OpenSSL C API. Snippet of C code (no error checking):
#include <openssl/evp.h>
#include <openssl/pkcs7.h>

/* data (BIO *), signcert (X509 *), pkey (EVP_PKEY *) and flags (int) are set up by the caller */
/* PKCS7_PARTIAL flag is needed to be able to change the digest from the default value */
PKCS7 *signed_data = PKCS7_sign(NULL, NULL, NULL, data,
                                PKCS7_NOATTR | PKCS7_DETACHED | PKCS7_PARTIAL);
const EVP_MD *digest = EVP_get_digestbyname("sha256");
PKCS7_sign_add_signer(signed_data, signcert, pkey, digest, flags);
PKCS7_final(signed_data, NULL, 0);
Signature created in this way is identical to what jarsigner would have produced.
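An added sketch, not code from the original answer: it builds the two text files the question asks about, MANIFEST.MF and the .SF file, following the layout in Oracle's JAR specification, so that the openssl smime command above only has to produce the .RSA block. It assumes SHA-256 digests and writes only the required headers; the function names and the sample files are illustrative and constructed.

```python
import base64
import hashlib

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def header(name, value, limit=70):
    """Encode 'Name: value' with CRLF, folding long lines onto ' '-prefixed continuations."""
    raw = f"{name}: {value}".encode("utf-8")
    out, first = b"", True
    while raw:
        room = limit if first else limit - 1  # a continuation spends one byte on the space
        out += (b"" if first else b" ") + raw[:room] + b"\r\n"
        raw, first = raw[room:], False
    return out

def manifest_and_sf(files):
    """files maps JAR entry path -> content bytes. Returns (MANIFEST.MF, .SF) as bytes."""
    sections = {}
    for path in sorted(files):
        # One manifest section per entry: name, content digest, terminating blank line.
        sections[path] = (header("Name", path)
                          + header("SHA-256-Digest", b64sha256(files[path]))
                          + b"\r\n")
    manifest = header("Manifest-Version", "1.0") + b"\r\n" + b"".join(sections.values())
    sf = (header("Signature-Version", "1.0")
          + header("SHA-256-Digest-Manifest", b64sha256(manifest))
          + b"\r\n")
    for path, section in sections.items():
        # Each .SF entry digests that entry's manifest section, blank line included.
        sf += (header("Name", path)
               + header("SHA-256-Digest", b64sha256(section))
               + b"\r\n")
    return manifest, sf

# Constructed sample entries (not a real JAR); the second name is long enough to fold.
SAMPLE_FILES = {
    "com/example/Hello.class": b"constructed class bytes",
    "com/example/" + "deeply/nested/" * 5 + "Resource.properties": b"key=value\n",
}

if __name__ == "__main__":
    mf, sf = manifest_and_sf(SAMPLE_FILES)
    print(mf.decode(), sf.decode(), sep="")
```

The .SF bytes must be written to META-INF/ unchanged before signing, because the signature covers them exactly as produced.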

decrypt encrypted gpg file using external secret key

I encrypted a file using gpg, now I want to decrypt the file.
Is there any way to decrypt the file without need to import the secret file?
We have the secret key in a file called key.sec; can we pass the secret file to gpg as a parameter (when we run the decrypt command from the bash command line) to use when decrypting the encrypted file? Or must we import the secret key then decrypt the encrypted files?
You must add the secret key to a keyring. From the gpg(1) documentation:
--no-default-keyring
Do not add the default keyrings to the list of
keyrings. Note that GnuPG will not operate without any
keyrings, so if you use this option and do not provide
alternate keyrings via --keyring or --secret-keyring,
then GnuPG will still use the default public or secret
keyrings.
You could --import --no-default-keyring --secret-keyring temporary to import the key, use --secret-keyring temporary when decrypting the content, then delete the ~/.gnupg/temporary.gpg file when you're done. But that's just a work-around.
You have to import the secret key to use it but the way that secret keys are managed by GnuPG version 2.x has changed. There is a gpg-agent daemon that handles secret keys access and its use is mandatory from version 2.1.
Here is a way that you can quickly create a temporary keyring to decrypt with a secret key that is contained in a file:
$ mkdir -m 700 ~/.gnupg-temp
$ gpg --homedir ~/.gnupg-temp --import key.sec
$ gpg --homedir ~/.gnupg-temp -d an_encrypted_file
If you want to clean up afterwards, stop the agent and remove the directory:
$ gpg-connect-agent --homedir ~/.gnupg-temp KILLAGENT /bye
$ rm -r ~/.gnupg-temp
There used to be an option --secret-keyring about which the documentation for version 2.1 has this to say:
This is an obsolete option and ignored. All secret keys are stored in the private-keys-v1.d directory below the GnuPG home directory.
The private-keys-v1.d directory (within the --homedir or ~/.gnupg) is owned and operated by the agent.
The objective of the OP Mohammed appears to be keeping his PUBLIC and SECRET key apart. After all, do we want to keep the Secret key with the data it was used to encrypt? Thus, Mohammed and 10,650+ others (at the time I write this) are interested in if/how it's possible. Indeed it is, and this is how you do it:
The publicly-facing host only has two keys: Both are Public Keys
Your GPG Public key used to encrypt data
Your SSH Public key in .ssh/authorized_keys to facilitate non-interactive logins.
Round-tripping an encrypted file using Public-Secret key separation:
The following bash snippet when executed on the host with the Secret Key will fetch the crypted file from the DMZ host via scp, and squirt the gpg decrypted standard output back onto the DMZ host into a file so it can be read/operated upon. This code is tested and known to work correctly:
echo "$(gpg -d $(scp myuser@192.168.1.10:/home/myuser/test-gpg.txt.asc .;ls ./test-gpg.txt.asc))" | ssh myuser@192.168.1.10 'cat > /home/myuser/test-gpg.txt'
Note that you will still be prompted for a password once decryption begins. But once the password is supplied, the script continues and injects the decrypted gpg stream into a file on DMZ host.
And don't forget to do an rm test-gpg.txt of the decrypted file once the operation that required its contents to be readable has been completed.
So yes, very possible to keep your secret key apart from the publicly accessible host where encryption occurs and your secret key tucked safely away in a host outside of that DMZ. HTH- Terrence Houlahan
