Bug 1722285

Summary: ssh-keygen does not generate PEM formatted keys
Product: [Fedora] Fedora
Reporter: Sam Doran <sdoran>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 30
CC: dwalsh, jfch, jjelen, lkundrak, ltoscano, mattias.ellert, plautrba, tmraz
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: openssh-8.0p1-5.fc30
Last Closed: 2019-07-27 01:39:44 UTC
Type: Bug

Description Sam Doran 2019-06-19 22:03:55 UTC
Description of problem:
Running ssh-keygen with -m PEM does not generate a key in PEM format.


Version-Release number of selected component (if applicable):
openssh-8.0p1-4


How reproducible:
Every time


Steps to Reproduce:
1. Run ssh-keygen -t rsa -N '' -m PEM -q -f ~/.ssh/format_pem
2. Inspect the ASN.1 structure of the key


Actual results:
The generated key is not PEM formatted.


Expected results:
The generated key to be PEM formatted


Additional info:
Here are some example keys generated on different versions of Fedora and openssh.

https://gist.github.com/samdoran/0386c19d50aab9886d72f7844fce2494

Comment 1 Jakub Jelen 2019-06-20 07:55:53 UTC
It is not the "traditional" legacy PEM format (requiring the use of MD5 and other ancient stuff), but the standard PKCS #8 PEM format. This is not a bug, but a feature.
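
The following is an added example, not part of the original thread and not code from OpenSSH or paramiko. It shows one way to carry out step 2 of the report ("Inspect the ASN.1 structure of the key") and tell the traditional PEM layout from PKCS #8 by the PEM label and the first two elements of the outer SEQUENCE. The function names and the toy DER samples are constructed for illustration.

```python
import base64
import re

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04   # DER tags

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_private_key(text):
    """Classify a private key file by PEM label and outer ASN.1 structure."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return "not PEM"
    label, body = m.groups()
    if label == "OPENSSH PRIVATE KEY":
        return "openssh"                    # OpenSSH native container, not ASN.1
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if "Proc-Type: 4,ENCRYPTED" in body:
        return "traditional-encrypted"      # legacy PEM encryption headers
    try:
        tag, outer, _ = read_tlv(base64.b64decode("".join(body.split())))
        first, _, pos = read_tlv(outer)
        second, _, _ = read_tlv(outer, pos)
    except (ValueError, IndexError):
        return "unknown"
    if tag == SEQUENCE and first == INTEGER:
        if second == SEQUENCE:              # version, AlgorithmIdentifier => PKCS #8
            return "pkcs8"
        if second in (INTEGER, OCTET_STRING):   # version, key material => traditional
            return "traditional"
    return "unknown"

# Constructed toy DER structures (not real keys), short-form lengths only.
def der(tag, value):
    return bytes([tag, len(value)]) + value

def pem(label, blob):
    return f"-----BEGIN {label}-----\n{base64.b64encode(blob).decode()}\n-----END {label}-----\n"

RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")   # OID rsaEncryption, NULL
PKCS1 = der(SEQUENCE, der(INTEGER, b"\x00") + der(INTEGER, b"\x00\xc3") + der(INTEGER, b"\x03"))
PKCS8 = der(SEQUENCE, der(INTEGER, b"\x00") + der(SEQUENCE, RSA_ALG) + der(OCTET_STRING, PKCS1))
```

Calling `classify_private_key(open(path).read())` on a generated key file shows which of the layouts discussed here a given ssh-keygen build actually wrote.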

Comment 2 Luigi Toscano 2019-07-22 17:16:57 UTC
But then this change broke paramiko, which does not yet support the new format:

https://github.com/paramiko/paramiko/issues/602
https://github.com/paramiko/paramiko/blob/master/paramiko/pkey.py#L285

I know that it is annoying and newer security standards are better, but can you please reconsider this decision?

Comment 3 Jakub Jelen 2019-07-23 07:07:14 UTC
The upstream modified my proposed patch to support both formats [1], which is probably even better. I will change this to match upstream behavior:

https://bugzilla.mindrot.org/show_bug.cgi?id=3013

I am sorry for the inconvenience.

Comment 4 Fedora Update System 2019-07-23 09:03:36 UTC
FEDORA-2019-d3dfcbf0f0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3dfcbf0f0

Comment 5 Fedora Update System 2019-07-24 01:44:24 UTC
openssh-8.0p1-5.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3dfcbf0f0

Comment 6 Fedora Update System 2019-07-27 01:39:44 UTC
openssh-8.0p1-5.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.