dropbearkey: save a public key file .pub #267

Merged: 3 commits, Jan 22, 2024

Conversation

stokito
Contributor

@stokito stokito commented Dec 16, 2023

For better interoperability with OpenSSH I want their interfaces to work similarly.

When generating a key with ssh-keygen it saves the identity file, e.g. id_rsa, and its public key, id_rsa.pub. To get a public key a user can just cat id_rsa.pub.

But dropbearkey stores only the identity file.
When you need to get a public key you can execute dropbearkey -y and it will extract a public key from the private one. It also prints a fingerprint of the key.
In many scripts and tutorials it is retrieved with dropbearkey -y -f ~/.ssh/id_ed25519 | grep "^ssh-"

ssh-keygen -y behaves similarly, but it doesn't print a fingerprint, only the raw pubkey. You can use the separate command ssh -l to print a fingerprint.
Also, ssh-keygen -C comment allows specifying an email for the key. The comment is saved in both the private and the public key.
dropbearkey generates a comment on the fly, and a user can't specify the comment.

I wanted to check how to resolve the issues, and the PR is the result of my attempt. I don't like the result, but I still decided to share it. Maybe you also intended to work on the problem, or someone needs this functionality.

The PR works as follows:

0. During key generation a user can specify a comment with -C.
1. After the generation, print the public key and save it to a .pub file. The .pub file is exactly the same as for ssh-keygen, e.g. it has a comment and no fingerprint.
2. When running dropbearkey -y, check if the .pub file exists and if yes then print it. If it doesn't exist then work as before and extract a public key from the private key. This is a breaking change because the .pub file doesn't have the fingerprint. At the same time its output is the same as for ssh-keygen -y.

To avoid conflicts we can add a condition: if the program is dropbearkey then don't generate the .pub, but if it is dropbear ssh-keygen then generate it.

Please feel free to close the PR. We can keep it for history purposes if anyone is looking for the same functionality.
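The two ways of obtaining a Dropbear public key that the comment above contrasts (the `dropbearkey -y | grep "^ssh-"` idiom versus reading an OpenSSH-style `.pub` file) are shown in the added shell example below. It is example code, not part of the PR or of Dropbear. The `-y` output text is constructed here to mirror the layout dropbearkey prints (a "Public key portion is:" line, the key line, a "Fingerprint:" line); the key and fingerprint values are placeholders, and `fake_dropbearkey_y` is a stand-in for `dropbearkey -y -f <file>` so the script runs without dropbearkey installed.

```shell
#!/bin/sh
# Added example (not Dropbear's own code): prefer an OpenSSH-style .pub file
# when present, otherwise fall back to filtering `dropbearkey -y` style output.

# CONSTRUCTED sample of dropbearkey -y output; key and fingerprint are placeholders.
SAMPLE_Y_OUTPUT='Public key portion is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLEKEYDAT user@openwrt
Fingerprint: SHA256:ExampleFingerprintNotReal0000000000000000000'

# Print only the public-key line from -y style output on stdin.
# Like the common `grep "^ssh-"` idiom, but also accepts ECDSA keys,
# whose type string starts with "ecdsa-sha2-" rather than "ssh-".
extract_pubkey_line() {
  grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) ' | head -n 1
}

# Print the fingerprint value (text after "Fingerprint: ") from -y style output.
extract_fingerprint() {
  sed -n 's/^Fingerprint: //p' | head -n 1
}

# get_pubkey IDENTITY_FILE CMD [ARGS...]
# If IDENTITY_FILE.pub exists (what the merged PR makes dropbearkey write at
# generation time), print it verbatim; otherwise run CMD, which must produce
# -y style output, and filter out everything but the key line.
get_pubkey() {
  keyfile="$1"; shift
  if [ -r "${keyfile}.pub" ]; then
    cat "${keyfile}.pub"
  else
    "$@" | extract_pubkey_line
  fi
}

# Stand-in for `dropbearkey -y -f FILE`, so the example runs offline.
fake_dropbearkey_y() { printf '%s\n' "$SAMPLE_Y_OUTPUT"; }

# Demo: first call has no .pub, so it falls back to -y output; the result is
# then saved as .pub (as the PR does) and the second call reads it back.
# Prints the key line if both paths agree.
demo() {
  tmpdir=$(mktemp -d)
  first=$(get_pubkey "$tmpdir/id_ed25519" fake_dropbearkey_y)
  printf '%s\n' "$first" > "$tmpdir/id_ed25519.pub"
  second=$(get_pubkey "$tmpdir/id_ed25519" false)   # `false` must never be reached
  rm -rf "$tmpdir"
  [ "$first" = "$second" ] && printf '%s\n' "$first"
}

demo
```

Note that the fallback path silently drops the fingerprint line that `dropbearkey -y` prints; scripts that want it should capture the full output once and pass it through both filters rather than calling dropbearkey twice.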

@stokito
Contributor Author

stokito commented Dec 16, 2023

Now I think we can just keep saving the .pub file but not print it with -y.
Then a user won't see its comment, but we will keep showing a fingerprint for backward compatibility. This will be incompatible with ssh-keygen, and some scripts potentially may break if they don't expect the fingerprint. But I guess OpenSSH users don't use -y but use cat .pub instead.

A typical OpenWrt script generates a key and then uses -y to store a public key. That means it can overwrite the generated .pub with the comment. Not a big deal. Also, newer script versions won't run a separate -y if the .pub exists.

One day Dropbear may switch to the OpenSSH key format, and we will store and print the comment in -y.
This will make the PR simpler.

Maybe we can also add the -l flag to print a fingerprint, but I'm not sure if anyone needs it at all. ECC keys are so small that it's easier to show them in full instead of a fingerprint.

Please let me know what you think.

@stokito
Contributor Author

stokito commented Dec 16, 2023

I updated the PR. The old code I pushed to https://github.com/stokito/dropbear/tree/dbkey-print-pub

Owner

@mkj mkj left a comment

Thanks. Outputting .pub files is something I've wanted for a while but haven't got round to. I think it should be OK in terms of compatibility, just a couple of small comments.

Commit message (dropbearkey: add -C comment option):

The OpenSSH keygen stores the key comment in the private key.
The Dropbear key format is simpler and can't do that.
But we can store/print it in the public key.

The option also improves compatibility with scripts developed for the OpenSSH keygen.

Signed-off-by: Sergey Ponomarev <[email protected]>

Commit message (dropbearkey: save a public key file .pub):

The OpenSSH keygen stores the public part of a new key in a .pub file.
Make Dropbear behave the same.

Signed-off-by: Sergey Ponomarev <[email protected]>
@stokito
Contributor Author

stokito commented Dec 18, 2023

I fixed your suggestions, added a comment, and improved the description of the commits.
The code is not ideal and may be refactored, but I'm not a C dev and that's hard for me.
I used the dprintf function that was added to POSIX.1-2001, and I don't know if it's fine to use it given that Dropbear may be used on older platforms.

@stokito stokito requested a review from mkj December 18, 2023 19:42
@mkj
Owner

mkj commented Dec 31, 2023

Ah yes, I'll change it to use fprintf() instead. Dropbear could do with a CI test for other OSes I guess (there's the old C version test, but that's orthogonal to old POSIX).

Commit message (dropbearkey: use fprintf() instead of dprintf()):

dprintf() was only introduced in POSIX 2008 so won't be supported
by older platforms. gnulib suggests:

https://www.gnu.org/software/gnulib/manual/html_node/dprintf.html
This function is missing on many non-glibc platforms: Mac OS X 10.5,
FreeBSD 6.0, NetBSD 5.0, OpenBSD 3.8, Minix 3.1.8, AIX 5.1, HP-UX 11,
IRIX 6.5, Solaris 11.3, Cygwin 1.5.x, mingw, MSVC 14.
@mkj mkj merged commit aa37404 into mkj:master Jan 22, 2024
16 checks passed
@mkj
Owner

mkj commented Jan 22, 2024

Thanks!

@stokito stokito deleted the dbkey branch January 22, 2024 10:01