Background:

There comes a time when old standards fade away and new ones come into play. For example, version 1 of the SSH protocol has some less-desired properties, and so version 2 came out. As time went on, some sites no longer supported SSHv1. For most users who use passwords, this went quite smoothly. Most people using SSH keys could log in with a password, generate a new key, or whatever, and use that. For a few others, who either forgot their password or only allow logins with keys, this becomes a problem.

Summary:

This document explains how to convert one's key to be supported by the newer format, as SSHv1 keys cannot be used directly in SSH2-only environments.

Here are ways you can use your key unmodified on the Open Computing Facility machines:

Using the old ssh program (may not be available on all hosts):
$ ssh1 host

or

Using OpenSSH, which is now the default ssh:
$ ssh -1 host
$ openssh -1 host

From here on out, I will refer to the programs by their full names, in order to avoid confusion from using the generic 'ssh' or 'ssh-keygen' names.

Convert your key to SSH2 format:

$ ssh-keygen2 -1 .ssh/identity
Passphrase :
Successfully saved private key to .ssh/identity_ssh2
Successfully converted public key to .ssh/identity_ssh2.pub
$ mkdir .ssh2/
$ mv .ssh/identity_ssh2 .ssh/identity_ssh2.pub .ssh2

Now you can use ssh2 to connect to a machine:

$ ssh2 ocf
Passphrase for key "/home/d/dw/dwc/.ssh2/identity_ssh2" with comment "dwc@OCF.Berkeley.EDU":

You may need to make some changes to add your key in the new format to your .ssh/authorized_keys file (or SSH2 equivalent) on the remote systems.  Continue reading to see how.

You can convert your key to OpenSSH format:

Oddly, I haven't found an option in OpenSSH to convert an SSHv1 key to its own format, even though it will let you use such a key in SSHv1 compatibility mode.  However, it will import SSHv2 keys from the commercial SSH2 implementation (the keys created above).

There's an option in openssh-keygen that will import those SSH2 keys.  However, first you must remove the passphrase from the key, since the import does not handle encrypted keys.

$ ssh-keygen2 -e .ssh/identity_ssh2
Passphrase needed for key "-".
Passphrase :
Do you want to edit key "-" (yes or no)? yes
Your key comment is "-". Do you want to edit it (yes or no)? no
Do you want to edit passphrase (yes or no)? yes
New passphrase :
Again          :
Do you want to continue editing key "-" (yes or no)? no
Do you want to save key "-" to file .ssh/identity_ssh2 (yes or no)? yes
$

Then, you can convert the private key...

$ umask 077       #to prevent other people from reading this unprotected key
$ openssh-keygen -i -f .ssh/identity_ssh2 > .ssh/id_rsa
$

And the public key.  This is also the new key to put into your .ssh/authorized_keys on the remote systems.

$ openssh-keygen -i -f .ssh/identity_ssh2.pub > .ssh/id_rsa.pub
$

And now to re-encrypt your private key with a passphrase to protect it.

$ openssh-keygen -p -f .ssh/id_rsa
Key has comment 'id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
$

Connecting to hosts with SSHv2

If you see something like this:

$ openssh foo.com
WARNING: RSA1 key found for host foo.com
in /home/d/dw/dwc/.ssh/known_hosts:1
RSA1 key fingerprint 7d:97:68:28:29:71:b9:58:c5:d6:bd:ab:b9:fe:51:5c.
The authenticity of host 'foo.com (127.0.0.1)' can't be established
but keys of different type are already known for this host.
RSA key fingerprint is f6:b4:f6:33:46:c5:83:ad:f1:5d:d7:f9:ce:8a:cc:81.
Are you sure you want to continue connecting (yes/no)?

Before answering yes, you should validate that this new RSA key is correct: ideally through some other (out-of-band) means first, or else by asking the host, over the SSHv1 connection you already trust, to print its own fingerprint with something like:

$ openssh -1 foo.com ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
Enter passphrase for RSA key '/home/d/dw/dwc/.ssh/identity':
1024 f6:b4:f6:33:46:c5:83:ad:f1:5d:d7:f9:ce:8a:cc:81 /etc/ssh/ssh_host_rsa_key.pub
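The comparison above is a manual one; as an added example (not from the original page), here is Python that computes the colon-separated MD5 fingerprint from an OpenSSH .pub line and checks it against the fingerprint in the client's warning. The ssh-rsa key it uses is constructed inline from the wire format and is not a real key.

```python
import base64
import hashlib
import struct

def _mpint(n):
    # SSH mpint: big-endian bytes with a leading 0x00 when the top bit is set
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def _sshstr(s):
    return struct.pack(">I", len(s)) + s

# Constructed sample key (NOT a real key): string "ssh-rsa", mpint e, mpint n
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x1234567          # 1024-bit modulus, like the page's host key
SAMPLE_PUB_LINE = "ssh-rsa " + base64.b64encode(
    _sshstr(b"ssh-rsa") + _mpint(SAMPLE_E) + _mpint(SAMPLE_N)).decode() + " root@foo.com"

def parse_pub_line(line):
    """Return (key_type, modulus_bits, raw_blob) for an OpenSSH .pub line."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    while off < len(blob):                   # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    key_type = parts[0].decode()
    if key_type != fields[0] or key_type != "ssh-rsa":
        raise ValueError("unexpected key type " + key_type)
    modulus = int.from_bytes(parts[2], "big")
    return key_type, modulus.bit_length(), blob

def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the format old ssh-keygen -l prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_from_warning(text):
    """Pull the RSA fingerprint out of the 'keys of different type' warning."""
    for line in text.splitlines():
        if line.startswith("RSA key fingerprint is "):
            return line.split()[-1].rstrip(".")
    raise ValueError("no RSA fingerprint in warning")

def host_key_matches(pub_line, warning_text):
    """True only if the server's .pub fingerprint equals the one the client showed."""
    _, _, blob = parse_pub_line(pub_line)
    return md5_fingerprint(blob) == fingerprint_from_warning(warning_text)
```

Feed it the contents of the host's /etc/ssh/ssh_host_rsa_key.pub and the warning text; a False result means the key the client saw is not the one the server holds.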

You're all set!


Last Modified:Monday, 11-Sep-2006 23:14:56 PDT