
#479 ed25519 ssh keys not supported

implemented
nobody
None
2017-02-09
2015-08-19
Petre Rodan
No

Since starting with OpenSSH 7.0 DSA keys will get obsoleted (among other things), I generated a brand new ed25519 key I intend to use all over the place.

I am trying to paste the pubkey in my profile page, but I get a
Line 1: Key length too short!
from your side. Please fix that page since the length of the key is just perfect. According to the ssh-keygen manual, "ED25519 keys have a fixed length".

thanks,
peter

Discussion

  • Kevin Brubeck Unhammer

    I get the same. Any key-length check should be dependent on key type (and perhaps the page should warn about deprecated key types?)

     
  • John Barrett

    John Barrett - 2015-09-17
    • status: unread --> self-service
     
  • John Barrett

    John Barrett - 2015-11-11

    Kevin Brubeck Unhammer,
    You can make a dsa key by following the instructions:

    ssh-keygen -t dsa -C username@shell.sf.net
    Enter file in which to save the key (/Users/username/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase): %some-made-up-phase%
    A passphrase adds another layer of encryption when generating an SSH key. It is not required but it is recommended.
    Sample passphrase = %some-made-up-phrase%
    Enter same passphrase again: %some-made-up-phase%
    Your identification has been saved in /Users/username/.ssh/id_dsa.
    Your public key has been saved in /Users/username/.ssh/id_dsa.pub.
    The key fingerprint is:
    random HEX data username@shell.sf.net
    The key's randomart image is:
    more random data
    This command just copies the contents of the idrsa.pub file to the clipboard
    pbcopy < ~/.ssh/id_dsa.pub
    Go to Shell Services Configuration Page and paste in the key to "SSH Public Keys:" box.
    Click Save. You will need to wait for the SSH Key to sync up with your account.

    ssh -t username,projectname@shell.sourceforge.net create
    The 1st time you use the key you will be prompted for the passphrase (if you made one up). After the 1st time you enter the passphrase you won't be prompted again and you won't need to enter your SourceForge.net password.
    %some-made-up-phase%

    Requesting a new shell for "username" and waiting for it to start.
    creating... starting...
    This is an interactive shell created for user username,projectname.
    Use the "timeleft" command to see how much time remains before shutdown.
    Use the "shutdown" command to destroy the shell before the time limit.
    For path information and login help, type "sf-help".
    [username@shell-24002 ~]$

     
    • Petre Rodan

      Petre Rodan - 2015-11-12

      Hi,

      On Wed, Nov 11, 2015 at 10:13:10PM +0000, John Barrett wrote:

      Kevin Brubeck Unhammer,
      You can make a dsa key by following the instructions:

      ssh-keygen -t dsa -C username@shell.sf.net
      Enter file in which to save the key (/Users/username/.ssh/id_dsa):
      Enter passphrase (empty for no passphrase): %some-made-up-phase%
      A passphrase adds another layer of encryption when generating an SSH key. It is not required but it is recommended.
      Sample passphrase = %some-made-up-phrase%
      Enter same passphrase again: %some-made-up-phase%
      [..]

      according to official OpenSSH documentation, the use of DSA keys is strongly discouraged.

      'OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.'
      http://www.openssh.com/legacy.html

      I know that all your documentation has examples on how to set up ssh authentication - and the examples point to exactly this type of keys.
      Unfortunately you will have to update all that and enable support for ed25519 keys (among others) as per my original comment.

      thanks,
      peter

       
  • Petre Rodan

    Petre Rodan - 2015-11-12

    according to official OpenSSH documentation, the use of DSA keys is strongly discouraged.

    'OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.'
    http://www.openssh.com/legacy.html

    I know that all your documentation has examples on how to set up ssh authentication - and the examples point to exactly this type of keys.
    Unfortunately you will have to update all that and enable support for ed25519 keys (among others) as per my original comment.

    thanks,
    peter

     
  • John Barrett

    John Barrett - 2015-11-12

    Hi Peter,
    This is really more of a feature request rather than a support issue at this point. I've moved this ticket over to the feature request area.
    Thanks
    SourceForge Support

     

    Last edit: John Barrett 2015-11-12
  • Xavion

    Xavion - 2015-12-05

    The way this is currently set up, OpenSSH v7 users with DSA keys will always be asked for their SourceForge.net password when connecting to "*.sf.net".

    This is because OpenSSH v7 ignores DSA keys by default (even if the "-i" flag is provided). The only way to get around this is to add "PubkeyAcceptedKeyTypes=+ssh-dss" to your "~/.ssh/config" file.

    I found out about this by issuing the verbose (-v) flag when connecting. I'm sure most other (OpenSSH) SourceForge users wouldn't think to do this. So, they'd be unable to figure out why they're always asked to enter their SF password these days.

    The easy way to get around this problem is to use an RSA key instead, as mentioned here. Similarly, I think the OpenSSH section of the Forge Documentation should be changed to recommend RSA keys by default.

     
    👍
    1
  • Dave Brondsema

    Dave Brondsema - 2017-02-09
    • status: self-service --> implemented
    • Category: -->
     
  • Dave Brondsema

    Dave Brondsema - 2017-02-09

    ed25519 (and ecdsa) keys are now supported.
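
The key-type-dependent length check suggested earlier in this thread, as an added example that is not SourceForge's code: it decodes the SSH wire-format blob of a pasted public key and applies a length rule per key type, covering only ed25519, RSA and DSA. The function names, the 2048-bit RSA floor, the choice to reject DSA outright and the sample key are assumptions made for illustration.

```python
import base64

MIN_RSA_BITS = 2048      # assumed policy floor, not taken from the ticket
ED25519_KEY_BYTES = 32   # ED25519 keys have a fixed length

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos:pos + n])
        pos += n
    return out

def check_pubkey(line):
    """Return (accepted, reason) for one '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    declared = parts[0]
    try:
        fields = _fields(base64.b64decode(parts[1], validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"malformed key blob: {exc}"
    if not fields or fields[0].decode("ascii", "replace") != declared:
        return False, "key type in blob does not match declared type"
    if declared == "ssh-ed25519":
        # Fixed-size key: a minimum-bits rule written for RSA/DSA must not apply.
        ok = len(fields) == 2 and len(fields[1]) == ED25519_KEY_BYTES
        return ok, "ok" if ok else "ed25519 key must be exactly 32 bytes"
    if declared == "ssh-rsa":
        if len(fields) != 3:
            return False, "malformed RSA key"
        bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
        ok = bits >= MIN_RSA_BITS
        return ok, "ok" if ok else f"RSA modulus too short ({bits} bits)"
    if declared == "ssh-dss":
        # Assumed policy: reject rather than warn about the deprecated type.
        return False, "DSA is disabled by default since OpenSSH 7.0"
    return False, f"unsupported key type {declared}"

def _wire(*items):
    """Encode raw fields as a base64 key blob (builds constructed samples)."""
    blob = b"".join(len(i).to_bytes(4, "big") + i for i in items)
    return base64.b64encode(blob).decode()

# Constructed sample: correct structure and length, not a real key.
SAMPLE_ED25519 = "ssh-ed25519 " + _wire(b"ssh-ed25519", bytes(32)) + " user@example"
```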

     
