Generate DSA Keys for OpenSSH in Golang


Question

This code has two main problems:

  1. For a 2048-bit key length, the public key cannot be loaded via ssh.ParseAuthorizedKey; the error is "ssh: no key found".
  2. The OpenSSH client and GitHub SSH will not accept the key.

To resolve this, you could try the following:

  1. For the first problem, try parsing the public key with the ssh.ParsePublicKey function instead of ssh.ParseAuthorizedKey. That may allow the public key to load successfully.

  2. For the second problem, try adding the generated key to the authorized-key lists of the OpenSSH client and GitHub SSH. See the OpenSSH and GitHub SSH documentation for the specific steps.

Hope this helps! If you have any other questions, feel free to ask.

English original:

I read through a few examples to generate DSA keys for OpenSSH in Go. And my clean code snippet and outputs are listed below.

It has two problems:

  1. For a 2048-bit length, the public key can't be loaded via ssh.ParseAuthorizedKey; the error is "ssh: no key found".
  2. The OpenSSH client and GitHub SSH can't accept it.

Code snippets:

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"

	"golang.org/x/crypto/ssh"
)

// GenerateDSAKeys generates DSA public and private key pair with given size for SSH.
func GenerateDSAKeys(bitSize int, passphrase string) (pubKey string, privKey string, err error) {
	params := new(dsa.Parameters)
	// see http://golang.org/pkg/crypto/dsa/#ParameterSizes
	if err = dsa.GenerateParameters(params, rand.Reader, dsaSizeFromLength(bitSize)); err != nil {
		return
	}
	var privateKey dsa.PrivateKey
	privateKey.PublicKey.Parameters = *params
	// this generates a public & private key pair
	if err = dsa.GenerateKey(&privateKey, rand.Reader); err != nil {
		return
	}
	// generate public key
	var publicKey ssh.PublicKey
	if publicKey, err = ssh.NewPublicKey(&privateKey.PublicKey); err != nil {
		return
	}
	// encode public key
	pubBytes := ssh.MarshalAuthorizedKey(publicKey)
	// encode private key
	var (
		bytes     []byte
		privBytes []byte
	)
	// Marshalling the dsa.PrivateKey struct as-is serializes its embedded structs
	// as nested SEQUENCEs; this is the line the answer below identifies as the
	// cause of the unusable private key file.
	if bytes, err = asn1.Marshal(privateKey); err != nil {
		return
	}
	privBytes, err = encodePEMBlock(&pem.Block{
		Type:  "DSA PRIVATE KEY",
		Bytes: bytes,
	}, passphrase)
	if err != nil {
		return
	}
	return string(pubBytes), string(privBytes), nil
}

func dsaSizeFromLength(l int) dsa.ParameterSizes {
	switch l {
	case 1024:
		return dsa.L1024N160
	case 2048:
		return dsa.L2048N224
	case 3072:
		return dsa.L3072N256
	default:
		return dsa.L2048N256
	}
}

// encodePEMBlock is called above but not shown in the question. This stand-in
// (an assumption, not the asker's helper) emits the block unencrypted when the
// passphrase is empty, which matches the outputs shown below, and otherwise
// applies legacy PEM encryption.
func encodePEMBlock(block *pem.Block, passphrase string) ([]byte, error) {
	if passphrase != "" {
		encrypted, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(passphrase), x509.PEMCipherAES256)
		if err != nil {
			return nil, err
		}
		block = encrypted
	}
	return pem.EncodeToMemory(block), nil
}
```

Output for 1024:

```console
bash-3.2$ cat id_dsa.pub
ssh-dss ... vej@Vej-Work-MBP.local
bash-3.2$ cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBwDCCAaYwggEeAoGBAIbuW6wh5hU2W96tEyo7xPDZmslWnsyQBYtf4SSTeHOM
TNTxznlMujjkmCuqKJ04BlHFi+ner2qzCd1GkzGhHrretQw1z5Ew8ysAGsmbb9Yc
6BMTyhJkrQ2lIR5Vmqa9Ukx0PM/HdXa6GieYZWxyabN5IjN4SESXZ6G7Jb4StwCf
AhUAp4/lrq04FuWlxmHj8IQWAFl9NVsCgYBHQpZSsJGKsEII7Oe6RMz5ek27ydHP
nrLDqVOmEKqHrIrsYXoTHaMOLW+fvsDBC3q0EWMBNgu4IAZe3eL2Gx2r94+DS+GT
fECWiJ3+O76DTAwDcB6fXxdYxG88nJMzCkcMZEmOjbIpuiGP5NC+OOqBv2DEHw7Y
EWs8Kx4T71mE0AKBgQCGD84H3wVNxhf+BcRyUqqoMHIfMci3vVjsMVmfGeZ3gMUR
mn9bMnpVPaNM0zJYpFP2HRIhM5Eso3FMIzdkuFBhUGKc6yMjNnxiVhg7FOfaZae1
bOax2FR4HH5o0LC6HP9wweNuFYlZVdEN+DM9/0ge0XUUuCO0yLPr/HDMAwQ+UQIU
RhBIeYLqxL4PJgENdgtjfjxDX80=
-----END DSA PRIVATE KEY-----
```

For 2048, output:

```console
bash-3.2$ cat id_dsa.pub
ssh-dss ... vej@Vej-Work-MBP.local
bash-3.2$ cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIDUzCCAzAwggIoAoIBAQCm367Y3tSqnq1y9AxYN+TrqLtjT9PL7Lqgm7/3K+uV
9vwDGg8v2XYpKtax8NUnFs63tLxkw8JxrBSYDQ396dHJCasTDfZKKfvGvjNZ7kN/
S55BwEzPsefI4CWgtOlWYrC0LjKCb83TpTDym9b/Uyn0oiNF2bo4UuUVZeA5KgAR
FxbDVzh0yBg106KvNCD39CldNarzhgZyAs4T5F8OR3Ahfa5lQ+Wj3wA4x2X1E7fT
yXxXD5NOppn76ThAX1oGpbiA6dFn+Q7CrtEcZWVZuMd4j+N4UHyfDWhUcjioTcXd
K+beUg1Lmxdmd+79EDSLy2T6yrBNAMsDZA2eum39x4oDAh0AyMSFYEu1D6dZ8kg7
XquktBlAoGld4958uvO2lQKCAQAsmx8fLAPk9J94VQaz3TUjVn/K867IdAXEkZcQ
BAnTwIEAa/BwYDUzjWwOduts4WbyiX3XFydSpbQcyXAOl0cgHGDK2WcqWwTDr0ao
LHV0kC/wucOiQr/NXjTojQsvBfNDdC99Iy0zdUOwgD+Mid3bvcuVcUQbh2aQbWYg
/tIGBvPLuNngukfnLxlJQwWVnh1dNRGPhMB78HJJxpehU7xAMtpmrkSJJECiZTEu
+fBM0ke39ipCiDkRaFA0FQqnkds9LumT4q6NpSljBc1lm6GqOnh2ZoFimnAJmeuq
+wcqrqnwEK3hlD/nz2rQPUzHSluAj+xAu+JvmNIcnSMqrvGsAoIBAHPEbaBOvz1V
5UkEyxyidyW9fDu9gPFAYEaFkGYpDp7+zyzDEnPNRulHOh5gYQvWcTbx7gCnDqlA
VjdeS6+SVhPA0c8vAb/kUlXt9zYcmDBWDz/B/mFSvOqUor1eGObbfr2IqcaKD+7b
x7v2g5aB1up+uNak2KH9pUvrQCl1aDGbELrU8amknYBc25toPKeEw7HWr6VIf66e
76QuaX5z6VurBlheYjS36AXPLK76kvwOlUSEAbw/8AwJcwNHcmZCFYXt8qI/VB0M
yJ1Q4MzyR5VBorm3Ein0RQBOGTQSuKAblmwgvlXZnhSKy2XBDhaJlgmbP8iUPnT4
+2SPAEWIDrMCHQDGpe828eiBg56q0tQup2r3UpgiXevRNEuF0Gbw
-----END DSA PRIVATE KEY-----
```

Can you please tell me how to resolve it and make it work?

Answer 1

Score: 2


OpenSSH stopped supporting DSA (aka ssh-dss) by default over 5 years ago; see
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
https://security.stackexchange.com/questions/146379/does-ssh-support-dsa-with-2048-bit-keys
https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-
https://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-
You can reenable it on your client following instructions on Qs like those or the openssh website or documentation, but github won't accept it so you can't make that work. (You could set up your own server, and use it there.)

I don't know why some go code (library?) doesn't accept the 2048-bit public key -- if you give a reference I could try to look -- but (both) your private key files are incorrect, I'm guessing due to the structuring used in crypto/dsa shown at your link. The key is being marshalled (serialized) to ASN.1 as nested sequences, namely SEQUENCE { pub = SEQUENCE { params = SEQUENCE {p,q,g}, y }, x }, which conceptually is a reasonable structure, but the PEM (or pseudo-PEM) type DSA PRIVATE KEY is de facto defined by SSLeay-now-OpenSSL as using a single level: SEQUENCE { p,q,g, y, x }.
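As an added example (not code from the question or the answer), the following Go encodes a dsa.PrivateKey in the single-level SEQUENCE the answer describes and shows that the nested encoding produced by asn1.Marshal(privateKey) is rejected by a parser of that layout. It assumes OpenSSL's DSAPrivateKey definition, which also begins with a version INTEGER of 0 ahead of p, q, g, y, x; the type and function names are this example's own.

```go
package main

import (
	"crypto/dsa"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"math/big"
)

// openSSLDSAPrivateKey is the single-level DSAPrivateKey SEQUENCE that OpenSSL
// (and so legacy OpenSSH PEM loading) expects: version 0, then p, q, g, y, x.
type openSSLDSAPrivateKey struct {
	Version int
	P, Q, G *big.Int
	Y       *big.Int
	X       *big.Int
}

// nestedDER is what the question's code emits: asn1.Marshal on dsa.PrivateKey
// itself yields SEQUENCE{ SEQUENCE{ SEQUENCE{p,q,g}, y }, x }.
func nestedDER(key *dsa.PrivateKey) ([]byte, error) { return asn1.Marshal(*key) }

// marshalDSAPrivateKeyPEM writes key as an unencrypted "DSA PRIVATE KEY" block
// in the flat OpenSSL layout.
func marshalDSAPrivateKeyPEM(key *dsa.PrivateKey) ([]byte, error) {
	der, err := asn1.Marshal(openSSLDSAPrivateKey{0, key.P, key.Q, key.G, key.Y, key.X})
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "DSA PRIVATE KEY", Bytes: der}), nil
}

// parseOpenSSLDSA decodes DER in the flat layout. Feeding it the nested encoding
// fails on the first field (SEQUENCE where an INTEGER is expected), the same
// structural mismatch that makes OpenSSL-based loaders reject the file.
func parseOpenSSLDSA(der []byte) (*dsa.PrivateKey, error) {
	var k openSSLDSAPrivateKey
	rest, err := asn1.Unmarshal(der, &k)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || k.Version != 0 {
		return nil, errors.New("trailing data or unsupported DSA key version")
	}
	key := &dsa.PrivateKey{X: k.X}
	key.P, key.Q, key.G, key.Y = k.P, k.Q, k.G, k.Y
	return key, nil
}
```

With a key from dsa.GenerateKey, the output of marshalDSAPrivateKeyPEM is the layout OpenSSL's DSA PEM loader expects, whereas the PEM files in the question wrap the nestedDER bytes.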

huangapple
  • Posted on 17 December 2021, 15:36:45
  • When reposting, please keep the link to this article: https://go.coder-hub.com/70389802.html