Convert OpenSSH private key into SSH2 private key
This tutorial titled: SSH: Convert OpenSSH to SSH2 and vise versa appears to offer what you're looking for.
Convert OpenSSH key to SSH2 key
Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.
$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
Convert SSH2 key to OpenSSH key
Run the OpenSSH version of ssh-keygen on your ssh2 public key to convert it into the format needed by OpenSSH. This needs to be done on the system running OpenSSH.
$ ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
The tutorial goes on to show how to both generate the various types of keys and how to export them to other formats.
Use this for private & public keys?
According to the man page, the answer would be a yes. Looking at the man page for ssh-keygen, it states the following for the -e switch:
-e This option will read a private or public OpenSSH key file and print
the key in RFC 4716 SSH Public Key File Format to stdout. This option
allows exporting keys for use by several commercial SSH implementations.
But in practice it would appear that ssh-keygen can't convert private keys, only public ones.
For example:
# Make a new RSA key-pair
$ ssh-keygen -t rsa -f newkey
# attempt to extract the private key
$ ssh-keygen -e -f newkey > newkey_e
# attempt to extract the public key
$ ssh-keygen -e -f newkey.pub > newkey.pub_e
# Notice the supposed extracted private key (newkey_e) and the corresponding extracted public key (newkey.pub_e) have identical `md5sum`'s.
$ for i in *;do md5sum $i;done
d1bd1c12c4a2b9fee4b5f8f83150cf1a newkey
8b67a7be646918afc7a041119e863be5 newkey_e
13947789d5dcc5322768bd8a2d3f562a newkey.pub
8b67a7be646918afc7a041119e863be5 newkey.pub_e
Looking at the resulting extracted keys confirms this:
$ grep BEGIN newkey_e newkey.pub_e
newkey_e:---- BEGIN SSH2 PUBLIC KEY ----
newkey.pub_e:---- BEGIN SSH2 PUBLIC KEY ----
Googling a bit I came across this blurb from an article titled: How do you convert OpenSSH Private key files to SSH. The site seemed to be up and down but looking in Google's cache for this page I found the following blurb:
How do you convert OpenSSH Private key files to SSH.com Private key files?
It cannot be done by the ssh-keygen program even though most man pages say it can. They discourage it so that you will use multiple public keys. The only problem is that RCF will not allow you to register more than one public key.
The article goes on to cover a method for converting an openssh private key to an ssh.com private key through the use of PuTTY's puttygen tool. NOTE: puttygen can be run from Windows & Linux.
Open 'puttygen' and generate a 2048 bit rsa public/private key pair. Make sure you add a password after it is generated. Save the public key as "puttystyle.pub" and save the private key as "puttystyle". The putty program and SSH.com programs share a common public-key format but the putty program and OpenSSH have different public-key formats. We will come back to this, later. You should be able to load both puttystyle keys into the putty program. However, the private key formats for putty and SSH.com are not the same and so you will have to create a converted file. Go to the conversions menu and export an SSH.com key. Save it as "sshstyle". Now go back to the conversions menu and export an openssh key. Save it as "openssh". These names are arbitrary and you can choose your own. You will have to change the names for installation on an OpenSSH machine, later. See below.
Given the above I worked out the following using puttygen, using our previously generated private/public openssh key-pair:
# generate ssh.com private key from private openssh key
$ puttygen newkey -O private-sshcom -o newkey.puttygen-sshcom
# generate ssh.com public key from private openssh key
$ puttygen newkey -O public -o newkey.pub_puttygen-sshcom
# generate openssh public key from private openssh key (for confirmation)
$ puttygen newkey -O public-openssh -o newkey.pub_puttygen-openssh
The commenting is different so you can't just compare the resulting files, so if you look at the first few lines of the keys, that's a pretty good indicator that the above commands were successful.
Comparison of public ssh.com keys:
$ tail -n +3 newkey.pub_e | head -1 | cut -c 1-60
AAAAB3NzaC1yc2EAAAADAQABAAABAQDFkZdpmbze9c6pT883rE1i64TJd4wb
$ tail -n +3 newkey.pub_puttygen-sshcom | head -1 | cut -c 1-60
AAAAB3NzaC1yc2EAAAADAQABAAABAQDFkZdpmbze9c6pT883rE1i64TJd4wb
Comparison of public openssh keys:
$ cut -c 1-100 newkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFkZdpmbze9c6pT883rE1i64TJd4wbz9x/w6I2DmSZVI9TJa6M9jgGE952QsOY
$ cut -c 1-100 newkey.pub_puttygen-openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFkZdpmbze9c6pT883rE1i64TJd4wbz9x/w6I2DmSZVI9TJa6M9jgGE952QsOY
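The comparisons above are done by eye because the comment fields differ between formats. As an added example (not part of the original answers), the script below extracts only the base64 key blob from a public key file in OpenSSH one-line or RFC 4716 (SSH2) format and compares the two; the function names, sample files and placeholder blob are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints the bare base64 key blob of a public key file,
# whether it is in OpenSSH one-line format or RFC 4716 (SSH2) format.
key_blob() {
    tr -d '\r' < "$1" | awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { rfc = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { exit }
        # RFC 4716 header line, or the continuation of one ending in "\"
        rfc && (cont || /:/) { cont = ($0 ~ /\\$/); next }
        # remaining lines inside the markers are the wrapped base64 body
        rfc                  { printf "%s", $0; next }
        # OpenSSH format: "type blob [comment]" on one line
        NF >= 2 && !/^#/     { printf "%s", $2; exit }
        END                  { print "" }'
}

# Succeeds only if both files carry the same, non-empty key blob.
same_key() {
    a=$(key_blob "$1"); b=$(key_blob "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: an opaque placeholder blob, not a real key.
p1='AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDsampleBLOBnotAREALkey0123456789'
p2='abcdefghijklmnopqrstuvwxyzABCDEFGHIJ=='
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

# Same blob in OpenSSH format and in RFC 4716 format (with a header that
# continues onto a second line and a body wrapped over two lines).
printf 'ssh-rsa %s%s user@host\n' "$p1" "$p2" > "$d/openssh.pub"
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
    'Comment: "2048-bit RSA, converted \' \
    'from OpenSSH by user@host"' "$p1" "$p2" \
    '---- END SSH2 PUBLIC KEY ----' > "$d/ssh2.pub"
# A different blob, to show the mismatch case.
printf 'ssh-rsa %sX%s other@host\n' "$p1" "$p2" > "$d/other.pub"

same_key "$d/openssh.pub" "$d/ssh2.pub"  && echo "openssh.pub and ssh2.pub: same key"
same_key "$d/openssh.pub" "$d/other.pub" || echo "openssh.pub and other.pub: different keys"
```

With the files from this answer, `same_key newkey.pub newkey.pub_puttygen-sshcom` performs the same check without relying on the first 60 characters only.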
ssh-keygen will not export a private key in pem format, but it will convert an existing openssh private key to pem format, overwriting the original. All you have to do is edit the password.
The command to convert your ~/.ssh/id_rsa file from OpenSSH format to SSH2 (pem) format is:
ssh-keygen -p -f ~/.ssh/id_rsa -m pem
Then supply the (old) and new passphrase at the prompt. They can be the same, or even both be blank. Or you can supply them on the command-line using the -P (old passphrase) and -N (new passphrase) options. For example, if the passphrase is blank, and you want to keep it that way:
ssh-keygen -p -P '' -N '' -f ~/.ssh/id_rsa -m pem