I know how to do it in Yubikey, but I have a YubiHSM2. Don't know how to do it.
The following is for Yubikey, not for YubiHSM
$ yubico-piv-tool -a import-key -s 9c -i root.key
Ok, I got it. Use yubihsm-shell
yubihsm> put asymmetric 0 0 mykey 1 sign-pkcs rsa.pem
Related
How to know the SSH key's length?
I'm getting the following error for my git pull just recently,
$ git pull
> GitLab: Your SSH key must be at least 2048 bits.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
where everything had been working fine before.
Instead of guessing (or trial-n-error) which key is the culprit, is it possible to list all my SSH keys' length?
UPDATE:
Only git pull is giving me above error. I.e., my public key is still fine:
$ ssh -T git#salsa.debian.org
Welcome to GitLab, #myid-guest!
The ssh-keygen -lf might not be the answer, as I'm following https://docs.gitlab.com/ee/ssh/, who recommends to use ed25519 as default key, and who also instructs that, to generate a new ED25519 SSH key pair, do ssh-keygen -t ed25519 -C "email#example.com". However, my ssh-keygen -lf reports that
$ ssh-keygen -lf id_ed25519.pub
256 SHA256:PO2bk6B...
It is unlikely that the recommend ED25519 SSH key is only 256 bits long.

Can you try
ssh-keygen -lf keygen.pub
You might have accidentally deleted the public key that Gitlab uses to authenticate you.
I would recommend contacting them, otherwise look up into it.
I have 2 systems that I use almost daily. One is desktop located within office premises and another one is laptop. Both are running Ubuntu LTS linux.
I know that SSH keys generated on one system can be copied to another system and it won't break anything like pushing/committing. But I don't want to do that. I need to track from which system I had push/committed the code.
To achieve that I have added 2 diff. emails to my GitHub account.
john+desktop#gmail.com
john+laptop#gmail.com
Now I need to generate diff. SSH keys on desktop and laptop, but I don't know how to do that.
A friend of mine suggested me to read this article. Step 2 shows following code
ssh-keygen -t rsa -b 4096 -C "your_email#example.com"
# Creates a new ssh key, using the provided email as a label
Generating public/private rsa key pair.
Above command has provision to pass email address, but it mentions email address as a label. I didn't understand label part of the command.
Should below commands solve my query?
ssh-keygen -t rsa -b 4096 -C "john+desktop#gmail.com"
ssh-keygen -t rsa -b 4096 -C "john+laptop#gmail.com"
According to the ssh-keygen manual the -C parameter is used to provide a comment.
-C comment
Provides a new comment.
This comment is useful to remember what the key is for. On github, setting the comment to the email helps you remember for which email account you are using that specific key.
Your commands will definitely solve your problem but also theese will do the trick
ssh-keygen -t rsa -b 4096 -C "github key number desktop"
ssh-keygen -t rsa -b 4096 -C "github key number laptop"
You can change the comment later by editing the pub file with any text editor.
This is my code:
ssh-keygen -t rsa -C "$APP"
This works perfectly. However it then asks me to specify location and password. I was hoping I can automate this all in one go, however this command fails:
ssh-keygen -t rsa -C "$APP" -P "$SSHKEYPASS" -T ~/.ssh/id_rsa.pub
This command seems to fail though, when I specify the password I want for the key and location in the same line. I don't really understand the man page:
http://linux.die.net/man/1/ssh-keygen
Can anyone tell me where I have gone wrong?
-P is for the old passphrase, to create a key I assume you want -N for the new passphrase.
-T is for DH group test output it appears (not that I know what that is exactly).
You want -f to specify the key filename. And you specify the private key file not the public key file.
So try:
ssh-keygen -t rsa -C "$APP" -N "$SSHKEYPASS" -f ~/.ssh/id_rsa
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string.
This encrypted string ( in human readable format ) then needs to be supplied to a user who would use it, and the string would be decrypted to its original 16-byte form for comparison and authentication. Could anyone please tell me how this would be possible with openssl commandline.
Here's one way to encrypt a string with openssl on the command line (must enter password twice):
echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Here's what the output looks like:
U2FsdGVkX1/6LATntslD80T2HEIn3A0BqxarNfwbg31D2kI00dYbmBo8Mqt42PIm
Edit: To my knowledge, you can't control the number of bytes out. You can b64 or hex encode it, but that's about it. Also, if you want to save that string to a file rather than stdout, use the -out option.
Try this:
echo 'foo' | openssl aes-256-cbc -a -salt
echo 'U2FsdGVkX1/QGdl4syQE8bLFSr2HzoAlcG299U/T/Xk=' | openssl aes-256-cbc -a -d -salt
Run
openssl list-cipher-commands
to list all available ciphers.
I have a 16 byte character that I would like to encrypt using openssl into a 16 byte encrypted string [in human readable format]
I believe you are looking for Format Preserving Encryption. I think the caveat is you have to start with a 16-byte human readable string. Phillip Rogaway has a paper on the technologies: Synopsis of
Format-Preserving Encryption. There's a lot to the paper, and it can't fit into a single paragraph on Stack Overflow.
If you can start with a shorter string and use a streaming mode like OCB, OFB or CTR, then you can Base64 encode the final string so that the result is 16-bytes and human readable. Base64 expands at a rate of 3 → 4 (3 un-encoded expands to 4 encoded), so you'd need a shorter string of length 12 characters to achieve 16 human readable characters.
As far as I know, there are no command line tools that do it natively. You may be able to use OpenSSL on the command line with AES/CTR and pipe it through base64 command. The following gets close, but it starts with 11 characters (and not 12):
$ echo 12345678901 | openssl enc -e -base64 -aes-128-ctr -nopad -nosalt -k secret_password
cSTzU8+UPQQwpRAq
Also, you really need to understand te -k option (and -K for that matter), and how it derives a key so you can do it outside of the OpenSSL command (if needed).
try this
$ echo "a_byte_character" | openssl enc -base64
and you have 100+ Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ctr -aes-192-ecb
-aes-192-gcm -aes-192-ofb -aes-256-cbc
-aes-256-cfb -aes-256-cfb1 -aes-256-cfb8
-aes-256-ctr -aes-256-ecb -aes-256-gcm
-aes-256-ofb -aes-256-xts -aes128
-aes192 -aes256 -bf
-bf-cbc -bf-cfb -bf-ecb
-bf-ofb -blowfish -camellia-128-cbc
-camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8
-camellia-128-ecb -camellia-128-ofb -camellia-192-cbc
-camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8
-camellia-192-ecb -camellia-192-ofb -camellia-256-cbc
-camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8
-camellia-256-ecb -camellia-256-ofb -camellia128
-camellia192 -camellia256 -cast
-cast-cbc -cast5-cbc -cast5-cfb
-cast5-ecb -cast5-ofb -des
-des-cbc -des-cfb -des-cfb1
-des-cfb8 -des-ecb -des-ede
-des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb
-des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb
-des-ofb -des3 -desx
-desx-cbc -id-aes128-GCM -id-aes192-GCM
-id-aes256-GCM -rc2 -rc2-40-cbc
-rc2-64-cbc -rc2-cbc -rc2-cfb
-rc2-ecb -rc2-ofb -rc4
-rc4-40 -rc4-hmac-md5 -seed
-seed-cbc -seed-cfb -seed-ecb
-seed-ofb
I had trouble getting it working using echo with -n. This worked for me:
To encrypt:
echo "PLAINTEXT_STRING" | openssl enc -aes256 -pbkdf2 -base64
you'll be prompted to provide a decryption password.
To decrypt:
echo "ENCRYPTED_STRING" | openssl aes-256-cbc -d -pbkdf2 -a
enter the decryption password to decrypt.
I just installed ubuntu and would like to set its rsa keys up with bitbucket/github. When I ssh-keygen the keys are generated as they should be
ssh-rsa AA...yBEz3pLL georgemauer#ubuntu
which is perfectly usable except the username part. In every rsa key I've generated previously, the username section read my email address:
ssh-rsa AA...yBEz3pLL gmylastname#gmail.com
No, it's not a major impediment but if I don't get this right it will drive me crazy. How, do I generate with rsa keys with an email username of my choice?
Use the -C option to provide a new comment with your key.
Explanation: In general, the last string in your ssh public key would be a single comment which in default configured to your user#host. You can override this comment by adding -C argument and edit this string.
For example In default behaviour, lets say that - if your linux hostname is Ubuntu and your user name is john.doe while you watch your public key performing cat ~/.ssh/id_rsa.pub you would see something like this:
ssh-rsa <someReallyBigToken>== john.doe#ubuntu
Documentation:
ssh-keygen will by default write keys in an OpenSSH-specific format.
This format is preferred as it offers better protection for keys at
rest as well as allowing storage of key
comments within the private key file itself. The key comment may be useful to help identify the key. The comment is initialized to
``user#host'' when the key is created, but
can be changed using the -c option.
Solution: override this comment and use -C argument for comment.
ssh-keygen -t rsa -b 4096 -C message-in-a-bottle
cat ~/.ssh/id_rsa.pub
// output:
ssh-rsa <someReallyBigToken>== message-in-a-bottle
ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
I use this command for generating the SSH key for generating GitHub, GitLab, and GCP.
Here is the documentation for creating an SSH key with a username.