Recipe 6.6 Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)

6.6.1 Problem

You want to authenticate between an OpenSSH client and an SSH2 server (i.e., SSH Secure Shell from SSH Communication Security) using an existing SSH2-format key.

6.6.2 Solution

Suppose your SSH2 private key is id_dsa_1024_a.

  1. Make a copy of the SSH2 private key:

    $ cd ~/.ssh2
    $ cp -p id_dsa_1024_a newkey
  2. Set its passphrase to the empty string, creating an unencrypted key:

    $ ssh-keygen2 -e newkey
    Do you want to edit passphrase (yes or no)? yes
    New passphrase : 
    Again          :
  3. Import the SSH2 private key to convert it into an OpenSSH private key, imported-ssh2-key:

    $ mkdir -p ~/.ssh                        If it doesn't already exist
    $ chmod 700 ~/.ssh
    $ cd ~/.ssh
    $ mv ~/.ssh2/newkey .
    $ ssh-keygen -i -f newkey > imported-ssh2-key
    $ rm newkey
    $ chmod 600 imported-ssh2-key
  4. Change the passphrase of the imported key:

    $ ssh-keygen -p imported-ssh2-key
  5. Use your new key:

    $ ssh -l remoteuser -i ~/.ssh/imported-ssh2-key remotehost

    To generate the OpenSSH public key from the OpenSSH private key imported-ssh2-key, run:

    $ ssh-keygen -y -f imported-ssh2-key >
    Enter passphrase: ********

6.6.3 Discussion

OpenSSH's ssh-keygen can convert an SSH2-style private key into an OpenSSH-style private key, using the -i (import) option; however, it works only for unencrypted SSH2 keys. So we decrypt the key (changing its passphrase to null), import it, and re-encrypt it.

This technique involves some risk, since your SSH2 private key will be unencrypted on disk for a few moments. If this concerns you, perform steps 2-3 on a secure machine with no network connection (say, a laptop). Then burn the laptop.

To make the newly imported key your default OpenSSH key, name it ~/.ssh/id_dsa instead of imported-ssh2-key.

As an alternative solution, you could ignore your existing SSH2 private key, generate a brand new OpenSSH key pair, and convert its public key for SSH2 use. [Recipe 6.5] But if your SSH2 public key is already installed on many remote sites, it might make sense to import and reuse the SSH2 private key.

6.6.4 See Also

ssh-keygen(1), ssh-keygen2(1).

    Chapter 9. Testing and Monitoring