{"id":2699,"date":"2019-12-29T18:03:39","date_gmt":"2019-12-29T09:03:39","guid":{"rendered":"http:\/\/matoken.org\/blog\/?p=2699"},"modified":"2019-12-29T18:03:39","modified_gmt":"2019-12-29T09:03:39","slug":"generate-an-rsa-key-pair-that-can-be-used-with-openssh-with-openssl","status":"publish","type":"post","link":"https:\/\/matoken.org\/blog\/2019\/12\/29\/generate-an-rsa-key-pair-that-can-be-used-with-openssh-with-openssl\/","title":{"rendered":"Generating an RSA key pair usable with OpenSSH using OpenSSL"},"content":{"rendered":"<div class=\"paragraph\">\n<p>As of OpenSSH 7.1\/7.1p1, the minimum RSA key length is 1024 bits.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre> * Refusing all RSA keys smaller than 1024 bits (the current minimum\n   is 768 bits)<\/pre>\n<\/div>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li><a href=\"https:\/\/www.openssh.com\/txt\/release-7.1\">https:\/\/www.openssh.com\/txt\/release-7.1<\/a><\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>Trying to generate a key shorter than 1024 bits is rejected with an error.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>$ ssh-keygen -t rsa -b 768\nInvalid RSA key length: minimum is 1024 bits<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>In the mailing-list thread below, a discussion about old devices that do not support 1024-bit keys, I learned that OpenSSL can generate an RSA key pair usable with OpenSSH.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>You can use openssl to generate a shorter key:\n\n\t$ openssl genrsa -out key.pem 768\n\t$ ssh-keygen -y -f key.pem &gt; key.pub # optional to get public key\n\nThis works with a 768-bit RSA 
key (client: OpenSSH_7.2p2, OpenSSL\n1.0.2g; server: OpenSSH_7.2p2, OpenSSL 1.0.2g) but not a 256-bit RSA\nkey: I can generate the shorter key but the server requires a minimum of\n768-bits.<\/pre>\n<\/div>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li><a href=\"https:\/\/lists.mindrot.org\/pipermail\/openssh-unix-dev\/2019-December\/038065.html\">Settable minimum RSA key sizes on the client end for legacy devices.<\/a><\/li>\n<li><a href=\"https:\/\/www.openssl.org\/\">\/index.html<\/a> (OpenSSL)<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>I do not know whether I will ever use this, but I tried it in my own environment.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Creating an RSA 768 private key with openssl<\/div>\n<div class=\"content\">\n<pre>$ openssl genrsa -out id_rsa768 768\nGenerating RSA private key, 768 bit long modulus (2 primes)\n........+++++++\n................................+++++++\ne is 65537 (0x010001)<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Creating an RSA 768 private key with a passphrase<\/div>\n<div class=\"content\">\n<pre>$ openssl genrsa -out id_rsa768 -aes256 768\nGenerating RSA private key, 768 bit long modulus (2 primes)\n..+++++++\n..........+++++++\ne is 65537 (0x010001)\nEnter pass phrase for id_rsa768:\nVerifying - Enter pass phrase for id_rsa768:<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>The key file written by OpenSSL gets permissions 600 regardless of umask (even with 0000) :)<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Checking the private key<\/div>\n<div class=\"content\">\n<pre>$ openssl rsa -text &lt; 
id_rsa768<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>Now that the private key exists, the next step is to create the matching public key.<br \/>\nUsing <code>ssh-keygen<\/code> as in the mailing-list example is rejected because of the key length.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>$ ssh-keygen -y -f id_rsa768 &gt; id_rsa768.pub\nLoad key \"id_rsa768\": Invalid key length<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>So I create the public key with OpenSSL as well.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Creating the public key with OpenSSL<\/div>\n<div class=\"content\">\n<pre>$ openssl rsa -pubout &lt; id_rsa768 &gt; id_rsa768.pub\nwriting RSA key<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Checking the public key<\/div>\n<div class=\"content\">\n<pre>$ openssl rsa -text -pubin &lt; id_rsa768.pub<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Attempting to log in with the resulting key pair fails authentication because of the key length<\/div>\n<div class=\"content\">\n<pre>$ ssh -v -i ~\/.ssh\/id_rsa768 localhost\n   :\ndebug1: Trying private key: \/home\/matoken\/.ssh\/id_rsa768\nLoad key \"\/home\/matoken\/.ssh\/id_rsa768\": Invalid key length<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>So there seems to be no use for this, but I am noting it down anyway.<br \/>\n# These days I would use ed25519 anyway...<\/p>\n<\/div>\n<div 
class=\"paragraph\">\n<p>Incidentally, keys longer than 1024 bits work normally, and I was able to change the comment and the passphrase with ssh-keygen.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">RSA 4096 key<\/div>\n<div class=\"content\">\n<pre>$ openssl genrsa -out id_rsa4096 -aes256 4096\nGenerating RSA private key, 4096 bit long modulus (2 primes)\n................++++\n.....................................................................................................++++\ne is 65537 (0x010001)\nEnter pass phrase for id_rsa4096:\nVerifying - Enter pass phrase for id_rsa4096:\n$ ssh-keygen -c -C 'OpenSSL generated key' -f .\/id_rsa4096\nEnter passphrase:\nNo existing comment\nComment 'OpenSSL generated key' applied\n$ ssh-keygen -p -f .\/id_rsa4096\nEnter old passphrase:\nKey has comment 'OpenSSL generated key'\nEnter new passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved with the new passphrase.<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Environment<\/div>\n<div class=\"content\">\n<pre>$ dpkg-query -W openssl openssh-client openssh-server\nopenssh-client  1:8.1p1-2\nopenssh-server  1:8.1p1-2\nopenssl 1.1.1d-2\n$ lsb_release -dr\nDescription:    Debian GNU\/Linux bullseye\/sid\nRelease:        unstable\n$ uname -m\nx86_64<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As of OpenSSH 7.1\/7.1p1, the minimum RSA key length is 1024 bits. * Refusing all RSA keys smaller than 1024 bits (the current minimum i 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled_pings":false,"webmentions_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[7,6,199],"tags":[72,454],"class_list":["post-2699","post","type-post","status-publish","format-standard","hentry","category-debian-linux","category-linux","category-sid","tag-openssh","tag-openssl"],"_links":{"self":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/2699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/comments?post=2699"}],"version-history":[{"count":0,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/2699\/revisions"}],"wp:attachment":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/media?parent=2699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/categories?post=2699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/tags?post=2699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}