Java SSH and the new OpenSSH Private Key Format

Posted on by Lee David Painter
a public and private key pictured either side of a door leading to personal data

With the release of OpenSSH 7.8, the default private key format for private keys generated from ssh-keygen has changed from OpenSSL compatible PEM files to a custom key format created by the OpenSSH developers. At the time of writing, the majority of open-source Java SSH APIs will need the keys converting back to the old format before the keys can be used.

Take the standard command-line to generate a 2048 bit RSA key with OpenSSH 7.8 or above.

ssh-keygen -t rsa -b 2048

This command-line generates a key that looks like this:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB
....
-----END OPENSSH PRIVATE KEY-----

If you need to use the old format file still when generating new keys, you can use a new command-line option to specify the type of format required.

ssh-keygen -m pem -t rsa 2048

This command-line generates the old-style PEM format that is compatible with most Java SSH APIs.

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAt3/kgJSbeb+aPI+ZuMqYnJMwFeAbppeEq4iaPN/QU
...
-----END RSA PRIVATE KEY-----

While end-users may be willing to do this in the short-term, the solution is to use a Java SSH API that supports this new format.

The Maverick Legacy commercial Java SSH APIs have supported the new format since version 1.7.20. With both reading and key generation support for all the algorithms supported by OpenSSH, namely, RSA, ECDSA, and ED25519.

The Maverick Synergy open-source Java SSH API also supports the same algorithms for reading and key generation. With both APIs, the default is to generate new keys with the new format.

To generate a new ed25519 key pair with Maverick Synergy, it’s as simple as

      SshKeyPair pair = SshKeyPairGenerator.generateKeyPair(SshKeyPairGenerator.ED25519);

Then to store these on file for later use:

      SshKeyUtils.createPrivateKeyFile(pair, "my passphrase", 
            new File(System.getProperty("user.home"), ".ssh/ssh_ed25519")); 

      SshKeyUtils.createPublicKeyFile(pair.getPublicKey(), "Generated by Maverick Synergy", 
            new File(System.getProperty("user.home"), ".ssh/ssh_ed25519.pub"));

We can then load them to use in SSH authentication with the API using:

      SshKeyPair pair = SshKeyUtils.getPrivateKey(new File(System.getProperty("user.home"), 
            ".ssh/ssh_ed25519"), "my passphrase");

For more information on Maverick Synergy, including download and API documentation, please visit https://www.jadaptive.com/en/products/java-ssh-synergy

Posted in SSH