At the time of writing, the OpenSSH version on my Mac is OpenSSH_8.1p1, LibreSSL 2.7.3. When I generated a key the usual way this time and set the private key up in CircleCI, I got an error saying a key in that format cannot be added. Looking at the contents of the private key, the header had changed to BEGIN OPENSSH PRIVATE KEY, so I looked into it.
■ Private key generated in the old OpenSSL PEM format
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/adachin/.ssh/id_rsa): adachin-test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in adachin-test.
Your public key has been saved in adachin-test.pub.
The key fingerprint is:
SHA256:xxxxxxxxxx
The key's randomart image is:
+---[RSA 3072]----+
|.++.B=o. |
|..oE**. . |
|+o.o.o. + |
| o. + + . |
| B o S . |
| * * o . . |
| B = o.oo |
| o o .=o.. |
| ... +. |
+----[SHA256]-----+

$ cat adachin-test
-----BEGIN RSA PRIVATE KEY-----
*************************************
*************************************
*************************************
-----END RSA PRIVATE KEY-----
If the header reads BEGIN RSA PRIVATE KEY as above, that is the traditional format.
■ Private key generated in the new format by the newer OpenSSH
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/adachin/.ssh/id_rsa): newadachin-test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newadachin-test.
Your public key has been saved in newadachin-test.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxx
The key's randomart image is:
+---[RSA 3072]----+
| .o.+.+o. |
| ..=.E.o |
| o +.o.. . |
| . . B..o+ |
| . . . BSo.oo. |
| . = =.==.o. |
| = + .++=. |
| . o .+... |
| o... |
+----[SHA256]-----+

$ cat newadachin-test
-----BEGIN OPENSSH PRIVATE KEY-----
*************************************
*************************************
*************************************
-----END OPENSSH PRIVATE KEY-----
I see, this is a first for me. Time to google the documentation.
■ ssh-keygen: OpenBSD manual page server
https://www.openssh.com/releasenotes.html
https://man.openbsd.org/ssh-keygen
ssh-keygen will by default write keys in an OpenSSH-specific format. This format is preferred as it offers better protection for keys at rest as well as allowing storage of key comments within the private key file itself. The key comment may be useful to help identify the key. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.
It is still possible for ssh-keygen to write the previously-used PEM format private keys using the -m flag. This may be used when generating new keys, and existing new-format keys may be converted using this option in conjunction with the -p (change passphrase) flag.
After a key is generated, instructions below detail where the keys should be placed to be activated.
In other words, ssh-keygen can still write private keys in the previously used PEM format when given the -m flag.
So the behaviour changed in OpenSSH 7.8. Specifying -m PEM should produce a key in the traditional format.
■ Generating a key in the old OpenSSL PEM format with the new version
$ ssh-keygen -m PEM
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/adachin/.ssh/id_rsa): newadachin-test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newadachin-test.
Your public key has been saved in newadachin-test.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxx
The key's randomart image is:
+---[RSA 3072]----+
| .o.+.+o. |
| ..=.E.o |
| o +.o.. . |
| . . B..o+ |
| . . . BSo.oo. |
| . = =.==.o. |
| = + .++=. |
| . o .+... |
| o... |
+----[SHA256]-----+

$ cat newadachin-test
-----BEGIN RSA PRIVATE KEY-----
*************************************
*************************************
*************************************
-----END RSA PRIVATE KEY-----
That does it. Incidentally, to convert a key in the new format to the old PEM format, do the following.
$ ssh-keygen -m PEM -f newadachin-test
Generating public/private rsa key pair.
test already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxx
The key's randomart image is:
+---[RSA 3072]----+
| ...+. |
| .+=. |
| .+oo. |
| .o+B+. |
| S*X*o |
| +X++ . |
| . ..=.o.. |
| . o E ooo.= . |
| o ..o+ooo o |
+----[SHA256]-----+

$ cat newadachin-test
-----BEGIN RSA PRIVATE KEY-----
*************************************
*************************************
*************************************
-----END RSA PRIVATE KEY-----
As shown above, the key was converted to the old format.
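Added example (a shell script, not code from the original post): a small helper that classifies a private key file by its header, which is the check worth running before pasting a key into a CI secret store, together with a conversion function that passes -p alongside -m PEM, the combination the quoted man page describes for converting an existing new-format key. The "Overwrite (y/n)?" prompt in the session above comes from ssh-keygen starting a new key pair, so -p is what turns -m PEM into an in-place conversion rather than a regeneration. The function names are mine, the sample key files are constructed placeholders with no real key material, and ssh-keygen is only needed for the conversion step.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies a private key by
# its header and converts a new-format key to legacy PEM with
# "ssh-keygen -p -m PEM", as the ssh-keygen man page describes.
# ssh-keygen is only needed by convert_to_pem and the demo; the files written
# by write_sample_keys are constructed placeholders, not real keys.

# key_format FILE -> prints one of: openssh, pem, pem-encrypted, unknown
key_format() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            # PKCS#8 with a passphrase
            echo pem-encrypted ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # Legacy PEM (RSA, DSA, EC ...). A passphrase-protected legacy key
            # carries a "Proc-Type: 4,ENCRYPTED" header right after BEGIN.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pem-encrypted
            else
                echo pem
            fi ;;
        *)
            echo unknown ;;
    esac
}

# convert_to_pem FILE: rewrite an unencrypted new-format key in place as PEM.
# -p makes this a passphrase change (here: empty to empty) that re-saves the
# key in the format given by -m; without -p, "ssh-keygen -m PEM -f FILE"
# starts a fresh key generation and offers to overwrite FILE instead.
convert_to_pem() {
    ssh-keygen -p -m PEM -P '' -N '' -f "$1" >/dev/null </dev/null
}

# write_sample_keys DIR: constructed sample files (placeholder bodies, not
# real key material) for exercising key_format without ssh-keygen.
write_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEplaceholderbody' '-----END RSA PRIVATE KEY-----' > "$1/legacy"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'MIIEplaceholderbody' '-----END RSA PRIVATE KEY-----' > "$1/legacy-encrypted"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEplaceholder' '-----END OPENSSH PRIVATE KEY-----' > "$1/newformat"
    # A public key line is not a private key at all.
    printf '%s\n' 'ssh-rsa AAAAB3placeholder user@host' > "$1/junk"
}

# Demo: classify the samples, then (only if ssh-keygen is installed) generate
# a real key, which OpenSSH 7.8+ writes in the new format, and convert it.
demo() {
    dir=$(mktemp -d)
    write_sample_keys "$dir"
    for f in legacy legacy-encrypted newformat junk; do
        printf '%-17s %s\n' "$f" "$(key_format "$dir/$f")"
    done
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t rsa -b 3072 -N '' -f "$dir/real" </dev/null
        printf '%-17s %s\n' 'real (before)' "$(key_format "$dir/real")"
        convert_to_pem "$dir/real"
        printf '%-17s %s\n' 'real (after)' "$(key_format "$dir/real")"
    fi
    rm -rf "$dir"
}

demo
```

Run it with sh; the generate-and-convert step is skipped when ssh-keygen is not on PATH. For a passphrase-protected key, drop -P '' and -N '' from convert_to_pem and let ssh-keygen prompt. Whichever format you hand to CI, a key without a passphrase is a plaintext secret, so restrict the key on the server side (a dedicated deploy key, read-only where possible) rather than relying on the file format.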
■ Summary
Even if you create a key with the new version by mistake, it can be converted to the old format, so it can be used without any problem. I hadn't generated keys in a while, so I didn't know about this. It tripped me up for a good while.