Are dropbear and OpenSSH host keys compatible?


After the misunderstanding that I am referring to host keys instead of login keys, I decided to dig into this a little myself. The main point was to establish whether the formats are compatible, not whether they're different (I knew they are).

Trying to install dropbear over a system that already had OpenSSH of course failed miserably, but this wasn't the point of the exercise. During the installation (and before the failure) the output said:

Converting existing OpenSSH RSA host key to Dropbear format.

So a quick apt-get source dropbear and grep-ing inside the debian subfolder yielded:

dropbear.postinst:    echo "Converting existing OpenSSH RSA host key to Dropbear format."

Promising. The relevant lines in the dropbear.postinst script read:

echo "Converting existing OpenSSH RSA host key to Dropbear format."
/usr/lib/dropbear/dropbearconvert openssh dropbear \
  /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key

Apparently dropbear comes with a tool named dropbearconvert, which has a .c source file in the source and comes with a man page: dropbearconvert(1). Because I was unable to come up with an online version of the man page, here is the gist:

SYNOPSIS
       dropbearconvert input_type output_type input_file output_file

[...]

OPTIONS
       input type
              Either dropbear or openssh

       output type
              Either dropbear or openssh

       input file
              An existing Dropbear or OpenSSH private key file

       output file
              The path to write the converted private key file

Author by

0xC0000022L


Updated on September 18, 2022
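
The conversion described in the answer, followed by a check that the converted file still carries the same host public key (so clients see no host key change). This is an added example, not code from the original answer or from the Debian package. The function names are hypothetical, and it assumes dropbearconvert at the Debian path quoted above plus dropbearkey and ssh-keygen on PATH.

```shell
#!/bin/sh
# Added example: convert an OpenSSH host key to Dropbear format, then verify
# that both files yield the same public key.
# Assumed: dropbearconvert at the Debian path from the answer; dropbearkey and
# ssh-keygen available on PATH. Function names are hypothetical.

DROPBEARCONVERT=${DROPBEARCONVERT:-/usr/lib/dropbear/dropbearconvert}

# Reduce "ssh-keygen -y" or "dropbearkey -y" output (stdin) to "<type> <base64>".
# Banner lines, the fingerprint line and the trailing comment are dropped.
pubkey_blob() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ && NF >= 2 { print $1, $2; exit }'
}

# Succeed only when both outputs contain the same, non-empty public key.
same_pubkey() {
    a=$(printf '%s\n' "$1" | pubkey_blob)
    b=$(printf '%s\n' "$2" | pubkey_blob)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# convert_host_key <openssh_private_key> <dropbear_output_file>
convert_host_key() {
    src=$1
    dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    # Private key material: make sure the output is readable by its owner only.
    ( umask 077 && "$DROPBEARCONVERT" openssh dropbear "$src" "$dst" ) || return 1
    if same_pubkey "$(ssh-keygen -y -f "$src")" "$(dropbearkey -y -f "$dst")"; then
        echo "ok: $dst has the same public key as $src"
    else
        echo "public key mismatch, removing $dst" >&2
        rm -f "$dst"
        return 1
    fi
}

# Runs only when called as: script <openssh_key> <dropbear_key>
if [ "$#" -eq 2 ]; then
    convert_host_key "$1" "$2"
fi
```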

Comments

  • 0xC0000022L
    0xC0000022L over 1 year

    The title basically says it all. But mind: host key, not the login key.

    And if they're not compatible out of the box, is there a way to convert between them - and what would be the steps in that case?

    Rationale: it would be nice to be able to bring up a dropbear instance in the scope of the initrd, if boot fails, but do so by incorporating the host keys (via initramfs-tools hooks) from OpenSSH that is normally installed on the host.

  • 0xC0000022L
    0xC0000022L almost 10 years
    Turns out it's silly and old-style to prepare by reading the documentation. Simply do it - fail - but see the indication that the conversion is possible in the output of the failed installation. Oh well ... I guess my old-fart-RTFM-first attitude doesn't work anymore :)
  • Ohmen
    Ohmen almost 9 years
    Strange, my system has a man page for dropbearconvert, but doesn't seem to have the program in the path. I did dpkg -L dropbear and found it is installed under /usr/lib/dropbear/dropbearconvert.
  • Zac
    Zac almost 7 years
    I found this man page from Ubuntu
  • Jack
    Jack almost 3 years
    Did you actually have this work though? I get Error: Unrecognised key type for the rsa or any other private keys running as sudo
  • Jack
    Jack almost 3 years
    converting the private keys with ssh-keygen -m PEM -f /tmp/openssh.key first results in Error: File does not begin with OpenSSH key header
  • Admin
    Admin almost 2 years
    Dropbear can be compiled with all related commands in one binary. The other commands are accessed by creating symlinks in the same way as busybox. To obtain the public key, use dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep -v 'Fingerprint: sha1!!\|Public key'