
SSH Implementation Interoperability

John Cartwright | Published: 14th February 2003 | Originally published at netsys.com

A brief guide to managing the conversion of SSH keys between various vendor implementations.

Introduction

Whilst reviewing access requirements at a number of sites, we've found the need to make several different implementations of SSH clients and servers interoperate successfully.

This document outlines how to convert keys between OpenSSH, SSH.com (F-Secure), Sun SSH, and PuTTY implementations, using a DSA key for our examples, and also illustrates basic server-side setup for key-based authentication.

Connect to SSH.com server

  1. Convert key to correct format:

    OpenSSH/Sun SSH - Use ssh-keygen to export from native format to SECSH format:

    ssh-keygen -e -f ~user/.ssh/id_dsa.pub > id_dsa_secsh.pub (OpenSSH)
    ssh-keygen -x -f ~user/.ssh/id_dsa > id_dsa_secsh.pub (Sun SSH)

    Note: Sun requires the private key as input, whereas OpenSSH can convert directly from a public key. PuTTY and SSH.com clients use SECSH format natively, so no conversion is required.

  2. Paste the SECSH file into the server's .ssh2 directory or use scp:

    scp id_dsa_secsh.pub user@target:/home/user/.ssh2/id_dsa_secsh.pub

  3. Create or amend ~user/.ssh2/authorization to include the new key:

    echo "key id_dsa_secsh.pub" >> ~user/.ssh2/authorization

  4. DSA authentication should now be possible.

Connect to OpenSSH and Sun SSH servers

  1. Convert key to correct format:

    PuTTY - Use puttygen.exe to import the SECSH-formatted file, and copy the OpenSSH-compatible data.

    SSH.com - Use Sun's or OpenSSH's ssh-keygen to convert from SECSH format:

    ssh-keygen -i -f id_dsa_secsh.pub > id_dsa.pub (OpenSSH)
    ssh-keygen -X -f id_dsa_secsh.pub > id_dsa.pub (Sun SSH)

  2. Paste the DSA key into ~user/.ssh/authorized_keys on the server.

  3. DSA authentication should now be possible.
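
The two conversions above differ only in how the file is framed; the base64 key blob is the same in both formats. The following sketch is an added example, not part of the original article or of any vendor's tooling. It converts in both directions and rejects a key whose type prefix disagrees with the blob before it reaches authorized_keys. It assumes the SECSH layout later standardised as RFC 4716; the function names and the sample key are constructed for illustration, and the key comment is copied into the Comment header.

```python
import base64, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def blob_key_type(blob):
    """Algorithm name stored as the first string inside the decoded key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length field in key blob")
    return blob[4:4 + n].decode("ascii")

def openssh_to_secsh(line):
    """'<type> <base64> [comment]' -> SECSH block (the direction of ssh-keygen -e)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    b64 = fields[1]
    if blob_key_type(base64.b64decode(b64, validate=True)) != fields[0]:
        raise ValueError("key type prefix does not match the blob")
    out = [BEGIN]
    if len(fields) == 3:
        out.append('Comment: "%s"' % fields[2].strip())
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]  # lines <= 72 bytes
    return "\n".join(out + [END]) + "\n"

def secsh_to_openssh(text):
    """SECSH block -> one-line OpenSSH key (the direction of ssh-keygen -i)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH begin/end markers")
    body, i = [], 1
    while i < len(lines) - 1:
        if ":" in lines[i]:                 # header; base64 never contains ':'
            while lines[i].endswith("\\"):  # header continued on the next line
                i += 1
        else:
            body.append(lines[i])
        i += 1
    b64 = "".join(body)
    return "%s %s" % (blob_key_type(base64.b64decode(b64, validate=True)), b64)

def sample_line():
    # Constructed DSA-shaped blob with toy values: not a usable key
    blob = ssh_string(b"ssh-dss") + b"".join(ssh_string(bytes([0, 0x80 + k]) * 30) for k in range(4))
    return "ssh-dss %s user@host" % base64.b64encode(blob).decode()
```

Comparing the base64 blob before and after conversion is a quick way to confirm that the key installed on the server is the one that was exported.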

Conclusion

Assuming server configuration is correct, keys may be easily converted and used in an interoperable manner.

John Cartwright <johnc@grok.org.uk>