英文:
Generate DSA Keys for OpenSSH in Golang
问题
这段代码的问题主要有两个:
- 对于2048位长度的密钥,无法通过
ssh.ParseAuthorizedKey加载公钥,会出现错误:"ssh: no key found"。 - OpenSSH客户端和GitHub SSH无法接受该密钥。
要解决这个问题,你可以尝试以下方法:
-
对于第一个问题,你可以尝试使用
ssh.ParsePublicKey函数来解析公钥,而不是使用ssh.ParseAuthorizedKey。这样可能能够成功加载公钥。 -
对于第二个问题,你可以尝试将生成的密钥添加到OpenSSH客户端和GitHub SSH的授权密钥列表中。具体的步骤可以参考OpenSSH和GitHub SSH的文档。
希望这些信息对你有所帮助!如果你还有其他问题,请随时提问。
英文:
I read through a few examples to generate DSA keys for OpenSSH in Go. And my clean code snippet and outputs are listed below.
It has two problems:
- for 2048-bit length, the public key can't be loaded via
ssh.ParseAuthorizedKey, for error: "ssh: no key found". - OpenSSH client and GitHub SSH can't accept it.
Code snippets:
// GenerateDSAKeys generates DSA public and private key pair with given size for SSH.func GenerateDSAKeys(bitSize int, passphrase string) (pubKey string, privKey string, err error) {params := new(dsa.Parameters)// see http://golang.org/pkg/crypto/dsa/#ParameterSizesif err = dsa.GenerateParameters(params, rand.Reader, dsaSizeFromLength(bitSize)); err != nil {return}var privateKey dsa.PrivateKeyprivateKey.PublicKey.Parameters = *params// this generates a public & private key pairif err = dsa.GenerateKey(&privateKey, rand.Reader); err != nil {return}// generate public keyvar publicKey ssh.PublicKeyif publicKey, err = ssh.NewPublicKey(&privateKey.PublicKey); err != nil {return}// encode public keypubBytes := ssh.MarshalAuthorizedKey(publicKey)// encode private keyvar (bytes []byteprivBytes []byte)if bytes, err = asn1.Marshal(privateKey); err != nil {return}privBytes, err = encodePEMBlock(&pem.Block{Type: "DSA PRIVATE KEY",Bytes: bytes,}, passphrase)if err != nil {return}return string(pubBytes), string(privBytes), nil}func dsaSizeFromLength(l int) dsa.ParameterSizes {switch l {case 1024:return dsa.L1024N160case 2048:return dsa.L2048N224case 3072:return dsa.L3072N256default:return dsa.L2048N256}}
Output for 1024:
bash-3.2$ cat id_dsa.pubssh-dss AAAAB3NzaC1kc3MAAACBAIbuW6wh5hU2W96tEyo7xPDZmslWnsyQBYtf4SSTeHOMTNTxznlMujjkmCuqKJ04BlHFi+ner2qzCd1GkzGhHrretQw1z5Ew8ysAGsmbb9Yc6BMTyhJkrQ2lIR5Vmqa9Ukx0PM/HdXa6GieYZWxyabN5IjN4SESXZ6G7Jb4StwCfAAAAFQCnj+WurTgW5aXGYePwhBYAWX01WwAAAIBHQpZSsJGKsEII7Oe6RMz5ek27ydHPnrLDqVOmEKqHrIrsYXoTHaMOLW+fvsDBC3q0EWMBNgu4IAZe3eL2Gx2r94+DS+GTfECWiJ3+O76DTAwDcB6fXxdYxG88nJMzCkcMZEmOjbIpuiGP5NC+OOqBv2DEHw7YEWs8Kx4T71mE0AAAAIEAhg/OB98FTcYX/gXEclKqqDByHzHIt71Y7DFZnxnmd4DFEZp/WzJ6VT2jTNMyWKRT9h0SITORLKNxTCM3ZLhQYVBinOsjIzZ8YlYYOxTn2mWntWzmsdhUeBx+aNCwuhz/cMHjbhWJWVXRDfgzPf9IHtF1FLgjtMiz6/xwzAMEPlE= vej@Vej-Work-MBP.localbash-3.2$ cat id_dsa-----BEGIN DSA PRIVATE KEY-----MIIBwDCCAaYwggEeAoGBAIbuW6wh5hU2W96tEyo7xPDZmslWnsyQBYtf4SSTeHOMTNTxznlMujjkmCuqKJ04BlHFi+ner2qzCd1GkzGhHrretQw1z5Ew8ysAGsmbb9Yc6BMTyhJkrQ2lIR5Vmqa9Ukx0PM/HdXa6GieYZWxyabN5IjN4SESXZ6G7Jb4StwCfAhUAp4/lrq04FuWlxmHj8IQWAFl9NVsCgYBHQpZSsJGKsEII7Oe6RMz5ek27ydHPnrLDqVOmEKqHrIrsYXoTHaMOLW+fvsDBC3q0EWMBNgu4IAZe3eL2Gx2r94+DS+GTfECWiJ3+O76DTAwDcB6fXxdYxG88nJMzCkcMZEmOjbIpuiGP5NC+OOqBv2DEHw7YEWs8Kx4T71mE0AKBgQCGD84H3wVNxhf+BcRyUqqoMHIfMci3vVjsMVmfGeZ3gMURmn9bMnpVPaNM0zJYpFP2HRIhM5Eso3FMIzdkuFBhUGKc6yMjNnxiVhg7FOfaZae1bOax2FR4HH5o0LC6HP9wweNuFYlZVdEN+DM9/0ge0XUUuCO0yLPr/HDMAwQ+UQIURhBIeYLqxL4PJgENdgtjfjxDX80=-----END DSA PRIVATE KEY-----
For 2048, output:
bash-3.2$ cat id_dsa.pubssh-dss AAAAB3NzaC1kc3MAAAEBAKbfrtje1KqerXL0DFg35Ouou2NP08vsuqCbv/cr65X2/AMaDy/Zdikq1rHw1ScWzre0vGTDwnGsFJgNDf3p0ckJqxMN9kop+8a+M1nuQ39LnkHATM+x58jgJaC06VZisLQuMoJvzdOlMPKb1v9TKfSiI0XZujhS5RVl4DkqABEXFsNXOHTIGDXToq80IPf0KV01qvOGBnICzhPkXw5HcCF9rmVD5aPfADjHZfUTt9PJfFcPk06mmfvpOEBfWgaluIDp0Wf5DsKu0RxlZVm4x3iP43hQfJ8NaFRyOKhNxd0r5t5SDUubF2Z37v0QNIvLZPrKsE0AywNkDZ66bf3HigMAAAAdAMjEhWBLtQ+nWfJIO16rpLQZQKBpXePefLrztpUAAAEALJsfHywD5PSfeFUGs901I1Z/yvOuyHQFxJGXEAQJ08CBAGvwcGA1M41sDnbrbOFm8ol91xcnUqW0HMlwDpdHIBxgytlnKlsEw69GqCx1dJAv8LnDokK/zV406I0LLwXzQ3QvfSMtM3VDsIA/jInd273LlXFEG4dmkG1mIP7SBgbzy7jZ4LpH5y8ZSUMFlZ4dXTURj4TAe/ByScaXoVO8QDLaZq5EiSRAomUxLvnwTNJHt/YqQog5EWhQNBUKp5HbPS7pk+KujaUpYwXNZZuhqjp4dmaBYppwCZnrqvsHKq6p8BCt4ZQ/589q0D1Mx0pbgI/sQLvib5jSHJ0jKq7xrAAAAQBzxG2gTr89VeVJBMsconclvXw7vYDxQGBGhZBmKQ6e/s8swxJzzUbpRzoeYGEL1nE28e4Apw6pQFY3XkuvklYTwNHPLwG/5FJV7fc2HJgwVg8/wf5hUrzqlKK9Xhjm2369iKnGig/u28e79oOWgdbqfrjWpNih/aVL60ApdWgxmxC61PGppJ2AXNubaDynhMOx1q+lSH+unu+kLml+c+lbqwZYXmI0t+gFzyyu+pL8DpVEhAG8P/AMCXMDR3JmQhWF7fKiP1QdDMidUODM8keVQaK5txIp9EUAThk0ErigG5ZsIL5V2Z4UistlwQ4WiZYJmz/IlD50+PtkjwBFiA6z vej@Vej-Work-MBP.localbash-3.2$ cat id_dsa-----BEGIN DSA PRIVATE KEY-----MIIDUzCCAzAwggIoAoIBAQCm367Y3tSqnq1y9AxYN+TrqLtjT9PL7Lqgm7/3K+uV9vwDGg8v2XYpKtax8NUnFs63tLxkw8JxrBSYDQ396dHJCasTDfZKKfvGvjNZ7kN/S55BwEzPsefI4CWgtOlWYrC0LjKCb83TpTDym9b/Uyn0oiNF2bo4UuUVZeA5KgARFxbDVzh0yBg106KvNCD39CldNarzhgZyAs4T5F8OR3Ahfa5lQ+Wj3wA4x2X1E7fTyXxXD5NOppn76ThAX1oGpbiA6dFn+Q7CrtEcZWVZuMd4j+N4UHyfDWhUcjioTcXdK+beUg1Lmxdmd+79EDSLy2T6yrBNAMsDZA2eum39x4oDAh0AyMSFYEu1D6dZ8kg7XquktBlAoGld4958uvO2lQKCAQAsmx8fLAPk9J94VQaz3TUjVn/K867IdAXEkZcQBAnTwIEAa/BwYDUzjWwOduts4WbyiX3XFydSpbQcyXAOl0cgHGDK2WcqWwTDr0aoLHV0kC/wucOiQr/NXjTojQsvBfNDdC99Iy0zdUOwgD+Mid3bvcuVcUQbh2aQbWYg/tIGBvPLuNngukfnLxlJQwWVnh1dNRGPhMB78HJJxpehU7xAMtpmrkSJJECiZTEu+fBM0ke39ipCiDkRaFA0FQqnkds9LumT4q6NpSljBc1lm6GqOnh2ZoFimnAJmeuq+wcqrqnwEK3hlD/nz2rQPUzHSluAj+xAu+JvmNIcnSMqrvGsAoIBAHPEbaBOvz1V5UkEyxyidyW9fDu9gPFAYEaFkGYpDp7+zyzDEnPNRulHOh5gYQvWcTbx7gCnDqlAVjdeS6+SVhPA0c8vAb/kUlXt9zYcmDBWDz/B/mFSvOqUor1eGObbfr2IqcaKD+7bx7v2g5aB1up+uNak2KH9pUvrQCl1aDGbELrU8amknYBc25toPKeEw7HWr6VIf66e76QuaX5z6VurBlheYjS36AXPLK76kvwOlUSEAbw/8AwJcwNHcmZCFYXt8qI/VB0MyJ1Q4MzyR5VBorm3Ein0RQBOGTQSuKAblmwgvlXZnhSKy2XBDhaJlgmbP8iUPnT4+2SPAEWIDrMCHQDGpe828eiBg56q0tQup2r3UpgiXevRNEuF0Gbw-----END DSA PRIVATE KEY-----
Can you please tell me how resolve it, and make it works?
答案1
得分: 2
OpenSSH在5年前停止默认支持DSA(也称为ssh-dss);请参考以下链接:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
https://security.stackexchange.com/questions/146379/does-ssh-support-dsa-with-2048-bit-keys
https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-
https://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-
你可以按照这些问题中的说明或者OpenSSH网站或文档上的说明重新启用它,但是GitHub不会接受它,所以你不能让它工作。(你可以设置自己的服务器,在那里使用它。)
我不知道为什么一些Go代码(库?)不接受2048位的公钥——如果你提供一个参考,我可以尝试查找——但是你的私钥文件是不正确的,我猜测是由于你链接中使用的crypto/dsa中的结构化问题。该密钥被序列化为ASN.1的嵌套序列,即SEQUENCE { pub = SEQUENCE { params = SEQUENCE {p,q,g}, y }, x },这在概念上是一个合理的结构,但是PEM(或伪PEM)类型DSA PRIVATE KEY在SSLeay-now-OpenSSL中被定义为使用单层结构:SEQUENCE { p,q,g, y, x }。
英文:
OpenSSH stopped supporting DSA (aka ssh-dss) by default over 5 years ago; see
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
https://security.stackexchange.com/questions/146379/does-ssh-support-dsa-with-2048-bit-keys
https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-
https://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-
You can reenable it on your client following instructions on Qs like those or the openssh website or documentation, but github won't accept it so you can't make that work. (You could set up your own server, and use it there.)
I don't know why some go code (library?) doesn't accept the 2048-bit publickey -- if you give a reference I could try to loook -- but (both) your privatekey files are incorrect, I'm guessing due to the structuring used in crypto/dsa shown at your link. The key is being marshalled (serialized) to ASN.1 as nested sequences, namely SEQUENCE { pub = SEQUENCE { params = SEQUENCE {p,q,g}, y }, x } which conceptually is a reasonable structure, but the PEM (or pseudo-PEM) type DSA PRIVATE KEY is de-facto defined by SSLeay-now-OpenSSL as using a single level: SEQUENCE { p,q,g, y, x } .
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论