Encrypt temporary password using public ssh key


Solution 1

I finally found how to convert an OpenSSH public key to PEM format on a blog and was able to successfully encrypt and decrypt a string using my private/public key.

I've outlined the steps I used to perform the encryption and decryption.

To encrypt a string:

# convert public key to PEM format
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8  > ~/.ssh/id_rsa.pub.pem

# encrypt string using public key
echo "String to Encrypt" \
   | openssl rsautl -pubin -inkey ~/.ssh/id_rsa.pub.pem -encrypt -pkcs \
   | openssl enc -base64 \
   > string.txt

To decrypt a string (from file):

openssl enc -base64 -d -in string.txt \
    | openssl rsautl -inkey ~/.ssh/id_rsa -decrypt

Since my goal is to e-mail the password, I've written an extremely basic script to automate things a bit:

#!/bin/sh
# require a username argument ("=" is the portable comparison for /bin/sh test)
if test "x${1}" = "x"; then
   echo "Usage: ${0} <username>"
   exit 1
fi
SSHUSER=${1}
printf "Enter Password: "
read -r PASS1
echo ""
echo ""
# convert the user's OpenSSH public key to PEM so OpenSSL can read it
ssh-keygen -f "/home/${SSHUSER}/.ssh/id_rsa.pub" -e -m PKCS8 \
    > "/tmp/ssh-pubkey-${SSHUSER}.pem"
# print the decrypt command for the recipient, then the ciphertext as a here-document
echo 'cat << EOF |openssl enc -base64 -d |openssl rsautl -inkey ~/.ssh/id_rsa -decrypt'
echo "New Password: ${PASS1}" \
   | openssl rsautl -pubin -inkey "/tmp/ssh-pubkey-${SSHUSER}.pem" -encrypt -pkcs \
   | openssl enc -base64
echo "EOF"
echo ""
rm -f "/tmp/ssh-pubkey-${SSHUSER}.pem"

I can then send the output of the script in an e-mail for the user to decrypt.

The complete script is available on Github: https://gist.github.com/3078682
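The round trip from Solution 1, as an added example that is not part of the original answer: it uses `openssl pkeyutl` with OAEP padding in place of `rsautl -pkcs` (`rsautl` is deprecated in OpenSSL 3.0) and a throwaway key pair generated on the spot. The function names are hypothetical. The private key is written with `-m PEM` because current `ssh-keygen` versions default to the OpenSSH private-key format, which `openssl` cannot read.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# encrypt_for_sshkey <openssh_pubkey_file>
# Reads plaintext on stdin, writes base64 ciphertext on stdout.
# RSA-OAEP with a 2048-bit key holds at most 214 bytes: enough for a password.
encrypt_for_sshkey() {
    pem=$(mktemp) || return 1          # unpredictable temp name, not /tmp/<user>.pem
    # OpenSSH public key -> PEM SubjectPublicKeyInfo ("BEGIN PUBLIC KEY")
    if ! ssh-keygen -f "$1" -e -m PKCS8 > "$pem"; then
        rm -f "$pem"
        return 1
    fi
    openssl pkeyutl -encrypt -pubin -inkey "$pem" \
            -pkeyopt rsa_padding_mode:oaep | openssl base64
    rc=$?
    rm -f "$pem"
    return $rc
}

# decrypt_with_sshkey <pem_private_key_file>
# Reads base64 ciphertext on stdin, writes plaintext on stdout.
# An OpenSSH-format private key must first be rewritten as PEM, e.g. on a copy:
#   ssh-keygen -p -m PEM -f <copy_of_private_key>
decrypt_with_sshkey() {
    openssl base64 -d \
        | openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# roundtrip_demo <plaintext>
# Generates a constructed, passphrase-less test key, encrypts and decrypts the
# argument, and prints the recovered plaintext.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$dir/id_rsa" || return 1
    printf '%s' "$1" | encrypt_for_sshkey "$dir/id_rsa.pub" > "$dir/msg.b64" \
        || { rm -rf "$dir"; return 1; }
    decrypt_with_sshkey "$dir/id_rsa" < "$dir/msg.b64"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Run with --demo to see the round trip on a constructed sample string.
if [ "${1:-}" = "--demo" ]; then
    roundtrip_demo 'New Password: constructed-example'
    echo
fi
```
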

Solution 2

It is possible since it's just an RSA key. Use openssl:

openssl rsautl -encrypt -pubin -inkey alice.pub >message.encrypted

I nicked this off this question on Unix/Linux SE.

I must say that PGP is more suitable for this.

Solution 3

In general, yes, this is possible. All SSH does is generate a modulus N and two keys e (the public key) and d (the private one). The mechanism employed is usually RSA or DSA and the keys generated can be used for encryption. All you'd have to do is extract them from the base64 blob that is the public key and then use a suitable program to encrypt data with these keys. You might be interested in Monkeysphere, which can transfer between ssh key format and gnupg keys. This should allow you also to use the keys for encryption.

Author by

David M. Syzdek

Updated on September 18, 2022

Comments

  • David M. Syzdek over 1 year

    I manage a virtual office and our staff uses both SSH keys and passwords for authentication. If one of our staff forgets his password, is there a way to encrypt a temporary password using his public RSA ssh key so I can send it to him via e-mail?

    I've seen other questions related to this one, however the "answers" generally recommend against using the public/private SSH keys to perform general encryption/decryption and do not actually state if this is possible. I would like to know if it is indeed possible and what are the steps to encrypt and then decrypt the password.

  • David M. Syzdek almost 12 years
    The problem is that the SSH public key is not in a format which OpenSSL recognizes. I needed to know how to convert the key to something that could then be used by a toolkit such as OpenSSL.