Are dropbear and OpenSSH host keys compatible?
After the misunderstanding that I am referring to host keys instead of login keys, I decided to dig into this a little myself. The main point was to establish whether the formats are compatible, not whether they're different (I knew they are).
Trying to install dropbear over a system that already had OpenSSH of course failed miserably, but this wasn't the point of the exercise. During the installation (and before the failure) the output said:
Converting existing OpenSSH RSA host key to Dropbear format.
So a quick apt-get source dropbear and grep-ing inside the debian subfolder yielded:
dropbear.postinst: echo "Converting existing OpenSSH RSA host key to Dropbear format."
Promising. The relevant lines in the dropbear.postinst script read:
echo "Converting existing OpenSSH RSA host key to Dropbear format."
/usr/lib/dropbear/dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
Apparently dropbear comes with a tool named dropbearconvert, which has a .c source file in the source and comes with a man page: dropbearconvert(1). Because I was unable to come up with an online version of the man page, here is the gist:
SYNOPSIS
    dropbearconvert input_type output_type input_file output_file
[...]
OPTIONS
    input type
        Either dropbear or openssh
    output type
        Either dropbear or openssh
    input file
        An existing Dropbear or OpenSSH private key file
    output file
        The path to write the converted private key file
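Added example, not part of the original answer or the Debian package: a POSIX shell wrapper around the dropbearconvert call from the postinst excerpt that writes the converted key under a restrictive umask and installs it only if dropbearkey -y and ssh-keygen -y report the same public key, so clients' known_hosts entries keep matching. The function names and the DROPBEARCONVERT variable are made up for this example; it assumes ssh-keygen and dropbearkey are on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer or the Debian package.
# Usage (paths as in the postinst excerpt above):
#   sh convert-hostkey.sh /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
# The script name, function names and DROPBEARCONVERT are made up here.

DROPBEARCONVERT=${DROPBEARCONVERT:-/usr/lib/dropbear/dropbearconvert}

# Reduce "ssh-keygen -y" or "dropbearkey -y" output to "<type> <base64>",
# dropping the banner, the fingerprint line and the trailing comment.
pubkey_blob() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ { print $1, $2; exit }'
}

# Name the container format of a private key file from its first line,
# so a failed conversion can be reported together with the input format.
key_format() {
    header=
    IFS= read -r header < "$1" || true
    case $header in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-new ;;
        "-----BEGIN "*" PRIVATE KEY-----")     echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# convert_host_key <openssh_private_key> <dropbear_private_key>
convert_host_key() {
    src=$1 dst=$2 tmp=$2.new.$$
    # umask 077 keeps the converted private key unreadable to other users.
    ( umask 077 && "$DROPBEARCONVERT" openssh dropbear "$src" "$tmp" ) || {
        echo "conversion failed (input format: $(key_format "$src"))" >&2
        rm -f "$tmp"; return 1
    }
    # Same public key on both sides: the host identity is unchanged.
    want=$(ssh-keygen -y -f "$src" | pubkey_blob)
    got=$(dropbearkey -y -f "$tmp" | pubkey_blob)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        mv "$tmp" "$dst"
    else
        echo "public key mismatch, $dst left untouched" >&2
        rm -f "$tmp"; return 1
    fi
}

# Run only when called with both paths, so the functions can also be sourced.
[ "$#" -ne 2 ] || convert_host_key "$1" "$2"
```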
0xC0000022L
Updated on September 18, 2022
Comments
-
0xC0000022L over 1 year
The title basically says it all. But mind: host key, not the login key.
And if they're not compatible out of the box, is there a way to convert between them - and what would be the steps in that case?
Rationale: it would be nice to be able to bring up a dropbear instance in the scope of the initrd, if boot fails, but do so by incorporating the host keys (via initramfs-tools hooks) from OpenSSH that is normally installed on the host.
-
0xC0000022L almost 10 years
Turns out it's silly and old-style to prepare by reading the documentation. Simply do it - fail - but see the indication that the conversion is possible in the output of the failed installation. Oh well ... I guess my old-fart-RTFM-first attitude doesn't work anymore :)
-
Ohmen almost 9 years
Strange, my system has a man page for dropbearconvert, but doesn't seem to have the program in the path. I did dpkg -L dropbear and found it is installed under /usr/lib/dropbear/dropbearconvert.
-
Zac almost 7 years
I found this man page from ubuntu
-
Jack almost 3 years
Did you actually have this work though? I get Error: Unrecognised key type for the rsa or any other private keys running as sudo
-
Jack almost 3 years
Converting the private keys with ssh-keygen -m PEM -f /tmp/openssh.key first results in Error: File does not begin with OpenSSH key header
-
Admin almost 2 years
Dropbear can be compiled with all related commands in one binary. The other commands are accessed by creating symlinks in the same way as busybox. To obtain the public key, use
dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep -v 'Fingerprint: sha1!!\|Public key'