Invalid public ssh key - windows

Trying to follow the instructions on github for Generating SSH Keys for windows.
I run ssh-keygen -t rsa -C "my#email.com", enter passphrase and it appears the SSH key is generated correctly.
However, when trying to "Add SSH Key" on GitHub it gives me the error
Key is invalid. It must begin with 'ssh-rsa' or 'ssh-dss'. Check that you're copying the public half of the key
The public key generated by Windows looks like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, my#email.com"
*public key*
---- END SSH2 PUBLIC KEY ----
Most notably it does not begin with 'ssh-rsa' or 'ssh-dss'. I tried just copying the *public key* part and prepending 'ssh-rsa' to it but I get the same error on GitHub. Any ideas what I'm doing wrong?

Got it. The public key should look like this:
ssh-rsa *public key* my#email.com
That is:
ssh-rsa<space><public key ending with ==><space><email address>

In Linux,after executing the above command,(xyz.pub) file will be generated in the directory you are working on.
Then if you do a " cat xyz.pub ", you will get your public key which has "ssh-rsa" in the beginning.
Now,you need to copy paste the displayed text in your GitHub Account.
Hope this will probably solve the issue.
And in windows,I think you should edit the file in NotePad++

GitHub generates two files: one with no type, and one .pub. You need the second one with the .pub extension, that file will already have the pattern:
ssh-rsa <key> <email>
If it doesn't have this pattern, you may be looking at the wrong file.

After the Git Bash steps, I went through the steps successfully. A pub file was generated in the Drive:\Users<YOUR DIR>.ssh\
Open the file with notepad, copied and pasted into https://github.com/settings/keys. That's it!

Related

Add-AzVMSshPublicKey to vmConfig fails when calling New-AzVM

I'm following the windows quickstart for creating a VM in azure powershell
I'm stuck here:
# Configure the SSH key
$sshPublicKey = cat ~/.ssh/id_rsa.pub
Add-AzVMSshPublicKey `
-VM $vmconfig `
-KeyData $sshPublicKey `
-Path "/home/azureuser/.ssh/authorized_keys"
First of all I think the following code is wrong, as cat returns System.String[] and running this verbatim results in
Add-AzVMSshPublicKey : Cannot convert 'System.Object[]' to the type 'System.String'
So... I instead use Get-Content "./path/to/file" -raw which just returns a string and the command runs without errors
Now when I run
New-AzVM `
-ResourceGroupName $resourceGroupName `
-Location $location -VM $vmConfig
I get the following error, meaning the keyData I set earlier wasn't set correctly.
New-AzVM : The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid.
I've found the issue - So Azure key vault gives me a PEM public key in the form
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAO...
...
...
...
...0CS94AFAgMBAAE=
-----END PUBLIC KEY-----
Whereas the VM is expecting it in OpenSSH format
ssh-rsa ..........
I've tried to convert it with
ssh-keygen -i -m PKCS8 -f ./key.pem
but nothing gets output
UPDATE
Aaaand it's a powershell issue
First, the tutorial is a guide to create Linux VM via Azure PowerShell, not Windows. Second, the command cat just outputs the content of the file. And command $sshPublicKey = cat ~/.ssh/id_rsa.pub creates a variable in string:
The parameter -KeyData of the command Add-AzVMSshPublicKey also expect a string:
So there is no problem with the PowerShell command and all the commands work fine on my side. And the error shows the value of the key data is invalid, what you need to do is to make sure if the SSH public key is no problem.
To get this key from an Azure Key vault,
Get-AzKeyVaultKey -OutFile *filename* returns a public key in PEM Form
-----BEGIN PUBLIC KEY------
....
-----END PUBLIC KEY-----
The vm requires the key data to be a one-liner in OpenSSH format
ssh-rsa ....... mykeylabel
But Powershell's ssh-keygen, unlike its UNIX counterpart, cannot convert between these formats as it has an open bug

How to use *.pub/*.sec files to encrypt/decrypt another file?

I created a pair of *.pub and *.sec files using the instructions and code given here:
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
(I am using this documentation because the ultimate application I have in
mind is an automated encryption/decryption pipeline.)
Q1: How can I use gpg2 and the *.pub file to encrypt another file?
Q2: How can I use gpg2 and the companion *.sec to decrypt a file encrypted using the companion *.pub file?
Important: I am interested only in answers that are suitable for programmatic implementation of an unsupervised operation. Please do not post answers that can only be carried out interactively. I am particularly interested in solutions that can be implemented in Python.
Please include precise pointers to the relevant documentation.
Some information about what you said:
I created a pair of *.pub and *.sec files using the instructions
Perfect to share the public key(s) with people you are exchanging information, but technically, when you are working programmatically, you don't need to use these files directly.
To be noted:
when you encrypt data, you will specify the recipient corresponding to the key to use to encrypt
when you decrypt data, you will first import the owner's public key, and then you will be able to decrypt data without specifying recipient, because it is embedded in the encrypted data
Actually, I am somewhat confused on this question. I have read conflicting information [...]
I agree it's quite confusing. In this situation, I think it is better to use version 1 for which there is more experience, and for which you find third party library to use.
In this answer, I tried:
python-gnupg (for GnuPG v1) which is a well known Python library and match perfectly your needs
cryptorito (for GnuPG v2) for which I didn't find enough documentation
With the first library, you can simply install it in your system:
sudo pip install python-gnupg
And then write a Python script to perform all the operations you want.
I wrote a simple one to answer your question.
#!/bin/python
import gnupg
GPG_DIR='/home/bsquare/.gnupg'
FILE_TO_ENCRYPT='/tmp/myFileToEncrypt'
ENCRYPTED_FILE='/tmp/encryptedFile'
DECRYPTED_FILE='/tmp/decryptedFile'
SENDER_USER='Bsquare'
TARGET_USER='Kjo'
gpg = gnupg.GPG(gnupghome=GPG_DIR)
print("Listing keys ...")
print(gpg.list_keys())
# On SENDER_USER side ... encrypt the file for TARGET_USER, with his public key (would match the kjo.pub if the key was exported).
print("Encrypting file " + FILE_TO_ENCRYPT + " for " + TARGET_USER + " ...")
with open(FILE_TO_ENCRYPT, "rb") as sourceFile:
encrypted_ascii_data = gpg.encrypt_file(sourceFile, TARGET_USER)
# print(encrypted_ascii_data)
with open(ENCRYPTED_FILE, "w+") as targetFile:
print("encrypted_ascii_data", targetFile)
# On TARGET_USER side ... decrypt the file with his private key (would match the kjo.sec if the key was exported).
print("Decrypting file " + ENCRYPTED_FILE + " for " + TARGET_USER + " ...")
with open(ENCRYPTED_FILE, "rb") as sourceFile:
decrypted_ascii_data = gpg.decrypt_file(sourceFile)
# print(decrypted_ascii_data)
with open(DECRYPTED_FILE, "w+") as targetFile:
print(decrypted_ascii_data, targetFile)
To be noted my keyring contains pub/sec pair for my Bsquare user, and the pub key of Kjo user.
when looking at encrypting and decrypting documents
this hints for pexpect; while I can provide regular expect scripts:
this is not directly a Python solution, but it should be easy to port.
as the tagline reads:
Pexpect makes Python a better tool for controlling other applications.
Encryption:
gpg --output doc.gpg --encrypt --recipient blake#cyb.org doc
as expect script; usage ./encrypt.exp doc blake#cyb.org 1234 (notice the space after the :):
#!/usr/bin/expect -f
set filename [lindex $argv 0]
set recipient [lindex $argv 1]
set passphrase [lindex $argv 2]
spawn gpg --output $filename.gpg --encrypt --recipient $recipient $filename
expect -exact "Enter pass phrase: "
send -- "$passphrase\r"
expect eof
Decryption:
gpg --output doc --decrypt doc.gpg
as expect script; usage: ./decrypt.exp doc 1234:
#!/usr/bin/expect -f
set filename [lindex $argv 0]
set passphrase [lindex $argv 1]
spawn gpg --output $filename --decrypt $filename.gpg
expect -exact "Enter pass phrase: "
send -- "$passphrase\r"
expect eof
Import:
keys can be imported into either key-chain with:
gpg --import somekey.sec
gpg --list-secret-keys
gpg --import somekey.pub
gpg --list-keys
there barely is anything to automate; however setting an imported key as "trusted" would require expect for automation. found this cheat-sheet, which has all commands on one page; and it also hints for: If you have multiple secret keys, it'll choose the correct one, or output an error if the correct one doesn't exist (which should confirm my comment below).
file ~/.gnupg/options is a user's options file; where one can eg. define the default key-server.
Since version 2.1.14, GPG supports the --recipient-file option, which lets you specify the public key to encrypt with without using the keyring. To quote the developer:
It is now possible to bypass the keyring and take the public key
directly from a file. That file may be a binary or an ascii armored
key and only the first keyblock from that file is used. A key
specified with this option is always fully trusted.
This option may be mixed with the standard -r options.
--hidden-recipient-file (or -F) is also available.
To futher assist some use cases the option
--no-keyring
has also been implemented. This is similar to
--no-default-keyring --keyring /dev/null
but portable to Windows and also ignores any keyring specified
(command line or config file).
So to encrypt, you would do:
gpg --output myfileenc --encrypt --recipient-file key.pub myfile
To automate, in addition to using expect or Python as explained in the other answers, you can also use the --batch option. (You will need to see which of the offered answers works best on your system).
No such option, however, is available for the secret key, and, as a matter of fact, the same version of PGP (2.1) deprecated the secring option in the --generate-key command, so this file is not even available any more. The generated key will need to be added to the keyring to be used for decryption.

Get fingerprints of OpenPGP keys

I'm trying to get the fingerprints from the public OpenPGP keys of ActiveMQ. They are published at http://www.apache.org/dist/activemq/KEYS.
Unfortunately, not all the keys have fingerprints listed next to them. Do you have any idea how to proceed?
I used this command (tested with gpg 2.2.12):
gpg --show-keys file.pub
For old versions, see the answer from Jens Erat. With newer versions gpg --with-fingerprint does not work and returns:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
The fingerprint is derived from the public key and creation timestamp -- both are contained in the public keys listed on the site.There are several ways of inspecting keys without importing them, which also makes sure you print the information of the very specific key you are considering right now. --with-fingerprint makes GnuPG always output the fingerprint when listing keys. One way to get the fingerprint would be:
$ gpg --with-fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)
mQGiBEPspSsRBADdguKAxMQbA32vTQrCyONR6Zs/YGdvau2Zrr3SSSSR0Ge4FMjZ
4tzwpf6+32m4Bsf7YIwdLl0H5hI1CgT5gDl9kXvfaFUehFnwR+FDyiBRiyHjUpGF
4dgkQfWy9diYeWGtsvszsvWHXtED4SXb322StX4MfJj+YesA1iEdTiXK6wCg1QDa
RucfjC+kx4zPsJwkJOgYpyMEAMTiXtNwQcke6nIFb/lb5374NjwwVAuuMTrRWLyq
5HodugEIHaw3EitQWtnFfXNkXTJZzS6t2HAGv29UTfhiBzKdkydgCkOk2MLWISOV
fqcg0tNIp5ZJCmUHg3s+OFNSH4oUi65u+FyDseUid3OKtPI+ZhIk8N+DjOIg2Kvo
/UALA/9q+WfBd7re+W3iUtU7TutUcwbKsjP+jpaJeUHg2ChOBxVfQKt4YlPHVdrR
iCrfNi90Z8qbsZ0iAXuqexrfMq20pAPmpHRpe54mmP1CMT5m+Gq71eKIfkUrb3LC
/zv08dLG2vm9oghd242wbcifaX+t7AhNAIpe/WTvQsB0gpdO4LQmSGlyYW0gQ2hp
cmlubyA8aGlyYW1AaGlyYW1jaGlyaW5vLmNvbT6IWwQTEQIAGwUCQ+ylKwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRCf8lmA9bp+T/G/AKDM1QDs7il/CJhTycgDvE3c
EOgUBwCfelsVK4sgBCooZptoaCCDgVtt71G5AQ0EQ+ylLhAEAJD25AWgwcNgBFKY
svExQaGIojIGJyn4Cf/5U30cui/K7fIU7JtyNhKcfZdCrh2hKx+x3H/dTF6e0SrR
hzKV7Dx0j76yhHHB1Ak25kjRxoU4Jk+CG0m+bRNTF9xz9k1ALSm3Y+A5RqNU10K6
e/5KsPuXMGSGoQgJ1H6g/i80Wf8PAAMFA/9mIxu7lMaqE1OE7EeAsHgLslNbi0h9
pjDUVNv8bc1Os2gBPaJD8B89EeheTHw6NMNIe75HVOpKk4UA0gvOBrxJqCr18yFJ
BM5sIlaEmuJwZOW4dDGOR1oS5qgE9NzpmyKhE+fu/S1wmy0coL667+1xZcnrPbUF
D4i7/aD1r8qJhohGBBgRAgAGBQJD7KUuAAoJEJ/yWYD1un5Pth0An0QEUs5cxpl8
zL5kZCj7c8MN8YZDAKDR9LTb6woveul50+uGtUl2fIH1uA==
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub dsa1024/0x9FF25980F5BA7E4F 2006-02-10 [SCA]
Key fingerprint = E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024/0x10314D676733C080 2006-02-10 [E]
You can also provide the full page, then GnuPG will print all fingerprints, readily grepable.
Note, that this works only on old GnuPG, version 2.0.x. For newer versions, see the other answers describing the --show-keys option, which is not available in this version.
gpg --show-keys --fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)
mQGiBEPspSsRBADdguKAxMQbA32vTQrCyONR6Zs/YGdvau2Zrr3SSSSR0Ge4FMjZ
4tzwpf6+32m4Bsf7YIwdLl0H5hI1CgT5gDl9kXvfaFUehFnwR+FDyiBRiyHjUpGF
4dgkQfWy9diYeWGtsvszsvWHXtED4SXb322StX4MfJj+YesA1iEdTiXK6wCg1QDa
RucfjC+kx4zPsJwkJOgYpyMEAMTiXtNwQcke6nIFb/lb5374NjwwVAuuMTrRWLyq
5HodugEIHaw3EitQWtnFfXNkXTJZzS6t2HAGv29UTfhiBzKdkydgCkOk2MLWISOV
fqcg0tNIp5ZJCmUHg3s+OFNSH4oUi65u+FyDseUid3OKtPI+ZhIk8N+DjOIg2Kvo
/UALA/9q+WfBd7re+W3iUtU7TutUcwbKsjP+jpaJeUHg2ChOBxVfQKt4YlPHVdrR
iCrfNi90Z8qbsZ0iAXuqexrfMq20pAPmpHRpe54mmP1CMT5m+Gq71eKIfkUrb3LC
/zv08dLG2vm9oghd242wbcifaX+t7AhNAIpe/WTvQsB0gpdO4LQmSGlyYW0gQ2hp
cmlubyA8aGlyYW1AaGlyYW1jaGlyaW5vLmNvbT6IWwQTEQIAGwUCQ+ylKwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRCf8lmA9bp+T/G/AKDM1QDs7il/CJhTycgDvE3c
EOgUBwCfelsVK4sgBCooZptoaCCDgVtt71G5AQ0EQ+ylLhAEAJD25AWgwcNgBFKY
svExQaGIojIGJyn4Cf/5U30cui/K7fIU7JtyNhKcfZdCrh2hKx+x3H/dTF6e0SrR
hzKV7Dx0j76yhHHB1Ak25kjRxoU4Jk+CG0m+bRNTF9xz9k1ALSm3Y+A5RqNU10K6
e/5KsPuXMGSGoQgJ1H6g/i80Wf8PAAMFA/9mIxu7lMaqE1OE7EeAsHgLslNbi0h9
pjDUVNv8bc1Os2gBPaJD8B89EeheTHw6NMNIe75HVOpKk4UA0gvOBrxJqCr18yFJ
BM5sIlaEmuJwZOW4dDGOR1oS5qgE9NzpmyKhE+fu/S1wmy0coL667+1xZcnrPbUF
D4i7/aD1r8qJhohGBBgRAgAGBQJD7KUuAAoJEJ/yWYD1un5Pth0An0QEUs5cxpl8
zL5kZCj7c8MN8YZDAKDR9LTb6woveul50+uGtUl2fIH1uA==
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
pub dsa1024 2006-02-10 [SCA]
E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024 2006-02-10 [E]
From GPG manual -
--show-keys
This commands takes OpenPGP keys as input and prints information about them
in the same way the command --list-keys does for locally stored key. In ad‐
dition the list options show-unusable-uids, show-unusable-subkeys, show-nota‐
tions and show-policy-urls are also enabled. As usual for automated process‐
ing, this command should be combined with the option --with-colons.
--fingerprint
List all keys (or the specified ones) along with their fingerprints. This is
the same output as --list-keys but with the additional output of a line with
the fingerprint. May also be combined with --check-signatures. If this com‐
mand is given twice, the fingerprints of all secondary keys are listed too.
This command also forces pretty printing of fingerprints if the keyid format
has been set to "none".
--with-fingerprint
Same as the command --fingerprint but changes only the format of the output
and may be used together with another command.
My GnuPG version is 2.2.20
References -
https://unix.stackexchange.com/a/694646/356166

Invalid OpenSSH key format when importing an ec2 key form an existing one

I am using the ruby EC2 SDK, Version 2. The private key material of a key generated with EC2 is stored in a string. I am trying to generate the public key material that is necessary to import the key into EC2 using OpenSSL::PKey::RSA
After that I am trying to import the key pair.
It looks like this:
kk=OpenSSL::PKey::RSA.new my_private_key_material
pub=kk.public_key
ec2.import_key_pair({key_name: "my_key", public_key_material: pub.export})
The API is throwing this error:
*** Aws::EC2::Errors::InvalidKeyFormat Exception: Key is not in valid OpenSSH public key format
I am not sure what is wrong and how to generate the public key material correctly. I already tried to Base64 encode the public key string without success.
Edit
I tried a couple of new things.
I generated a new key using the EC2 web console from scratch and then geneerated the public one the way Raphael points out below with
openssl rsa -in mykey.pem -outform PEM -pubout -out mykey.pub
The key is not encrypted.
Whey trying to import the public key, either with the web console or by code, I get the same error.
Edit 2
I found this.
When generating the public key with a different command, it works:
ssh-keygen -y
The generated public key looks different. It starts with
ssh-rsa AAAAB3NzaC1yc2EAAAADA....
While the first generated one starts with
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG....
Now the question is how to generate the first format in ruby. I also found this post on different formats.
OK, I solved it by following this post.
It turned out the public key had to be generated in a different way
kk=OpenSSL::PKey::RSA.new my_private_key_material
key=kk.public_key
type = key.ssh_type
data = [ key.to_blob ].pack('m0')
openssh_format = "#{type} #{data}"
ec2.import_key_pair({key_name: "my_key", public_key_material: openssh_format})
The documentation suggests that key contents must be encoded in Base64 client-side, however this is not the case: The SSH key contents should be provided as-is, in the format "ssh-rsa XXXXX....".
Rory is right. In NodeJS below code worked.
let keypair = fs.readFileSync(homedir + '/.ssh/id_rsa.pub');
result = await ec2.importKeyPair({
KeyName: 'KeyPairName',
PublicKeyMaterial: keypair,
}).promise();
I m using Ruby SDK V3 and this is work for me to import key to AWS
#!/usr/bin/env ruby
require 'rubygems'
require 'aws-sdk-ec2'
key_content = File.read('/home/xxx/keys/sshkey.pub')
ec2_client = Aws::EC2::Client.new()
resp = ec2_client.import_key_pair({
dry_run: false,
key_name: "test-ruby-key",
public_key_material: key_content,
})
Hope it helpful!

Store SSH Key on Heroku to Connect Rails App to Remote Thru SFTP

This is a long shot, but I'm trying to add an ssh key to a Heroku for its use in connecting to another server through SFTP:
Net::SFTP.start(HOST, USER, password: PASSWORD, keys: ['yada.pem']) do |sftp|
#sftp = sftp
end
My original solution was to push a .ssh directory to the repo and store yada.pem there. keys would include the path to this file.
A safer solution I've been told would be to store the key in an environment variable on Heroku. Problem is, this would store the key as a string, which I couldn't really pass to SFTP.start.
I could solve the problem in a couple ways:
Is there a way to pass the key as a string with Ruby net/sftp?
Is there a way to add a public key to Heroku so that net/sftp would use it when trying to connect to the remote server?
Thanks
You can pass keys as strings in the option hash under the key :key_data (should be an array of strings, each element of which containing a key in PEM format).
Net::SFTP.start(HOST, USER, password: PASSWORD, key_data: ['PEM key as string']) do |sftp|
#sftp = sftp
end
See Net::SSH#start (to which Net::SFTP#start defers).

Resources