Unable to import: Unsupported SSH key

Tertius3
Community Member
edited May 2022 in SSH

I'm unable to import an RSA key. The message is this:

It's a 2048-bit RSA key, generated a few years ago. It's valid for the Windows ssh client, as well as for Linux OpenSSH.

The 1Password import first asks for the passphrase, I enter it, and the above message appears. The same message appears if I remove the passphrase and try to import the key without the passphrase. It will not ask for a passphrase in this case but displays the error message right away.

So is there some constraint, some forbidden property with the key?


1Password Version: 80600026, in the "BETA" channel
Extension Version: Not Provided
OS Version: Windows 10

Comments

  • XIII
    Community Member

    On Slack they mentioned that the public exponent might be too small (less than 65537). They follow NIST recommendations.

    You can check with this command:

    openssl rsa -text -in id_rsa | grep publicExponent
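The same check can be run on the public half of the key without OpenSSL. The script below is an added example, not code from the thread or from 1Password: it parses an OpenSSH `ssh-rsa` public-key line (the base64 blob is the string `ssh-rsa` followed by the mpint `e` and the mpint `n`) and applies the FIPS 186-4 exponent rule (odd, 65537 <= e < 2^256) plus a 2048-bit modulus minimum, which is the NIST-style policy XIII describes. The two sample key lines are constructed inside the script, and the modulus is a placeholder integer rather than a real product of two primes, so it exercises the parser and the policy check only.

```python
import base64
import struct

# Policy thresholds (assumed here from FIPS 186-4 B.3.1 and common practice):
# e odd, 65537 <= e < 2^256; modulus at least 2048 bits.
MIN_EXPONENT = 65537
MAX_EXPONENT_BITS = 256
MIN_MODULUS_BITS = 2048


def _read_string(buf, pos):
    """Read one SSH wire 'string' (uint32 length + bytes) starting at pos."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + length], pos + length


def parse_ssh_rsa_public_key(line):
    """Parse an OpenSSH 'ssh-rsa AAAA... comment' line and return (e, n)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    keytype, pos = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"unexpected key type in blob: {keytype!r}")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    # mpints are big-endian two's complement, so decode them as signed.
    return (int.from_bytes(e_bytes, "big", signed=True),
            int.from_bytes(n_bytes, "big", signed=True))


def check_rsa_params(e, n):
    """Return the list of policy violations; an empty list means the key passes."""
    problems = []
    if e < MIN_EXPONENT:
        problems.append(f"publicExponent {e} is below {MIN_EXPONENT}")
    if e % 2 == 0:
        problems.append("publicExponent is even")
    if e.bit_length() > MAX_EXPONENT_BITS:
        problems.append(f"publicExponent exceeds {MAX_EXPONENT_BITS} bits")
    if n.bit_length() < MIN_MODULUS_BITS:
        problems.append(f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}")
    return problems


def audit_line(line):
    """Parse one public-key line and return its policy violations."""
    e, n = parse_ssh_rsa_public_key(line)
    return check_rsa_params(e, n)


# --- constructed sample input (not real keys) ---------------------------------

def _mpint(value):
    # Minimal big-endian bytes with a leading 0x00 when the top bit would be set.
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def _string(data):
    return struct.pack(">I", len(data)) + data


def build_ssh_rsa_public_key(e, n, comment="constructed"):
    """Encode (e, n) as an OpenSSH ssh-rsa public-key line."""
    blob = _string(b"ssh-rsa") + _string(_mpint(e)) + _string(_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Placeholder 2048-bit odd integer; NOT a real RSA modulus, only for the parser.
CONSTRUCTED_MODULUS = (1 << 2047) + 12345
WEAK_KEY_LINE = build_ssh_rsa_public_key(37, CONSTRUCTED_MODULUS, "old-puttygen-style")
OK_KEY_LINE = build_ssh_rsa_public_key(65537, CONSTRUCTED_MODULUS, "modern")

if __name__ == "__main__":
    for line in (WEAK_KEY_LINE, OK_KEY_LINE):
        e, n = parse_ssh_rsa_public_key(line)
        verdict = "; ".join(check_rsa_params(e, n)) or "OK"
        print(f"e={e} modulus_bits={n.bit_length()} -> {verdict}")
```

To audit a real key, pass each line of `~/.ssh/id_rsa.pub` or `authorized_keys` to `audit_line`; a key that reports an exponent below 65537 is the same condition XIII's `openssl` command reveals on the private key.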
    
  • Tertius3
    Community Member

    The key shows 37. Then I guess I have to generate a secure key. Thanks!

    Suggestion for improvement: explain why an import failed. Just "invalid" or "unsupported" is not enough; otherwise it's a cause for confusion.

  • Lachy
    Community Member
    edited February 2022

    I have a similar issue. But when I enter the passphrase, I get:

    We were unable to decrypt your SSH key. Try a different passphrase or select a new SSH key.

    The key is encrypted using AES-128-CBC

    I verified the password and obtained the decrypted key by running

    $ openssl rsa -text -in id_rsa
    

    When I copy the decrypted private key to clipboard and import from there, I get the same error as OP about unsupported key type.

    The publicExponent for my key is also 37. It's a very old key of mine that was generated by PuTTY probably around 15+ years ago, and I mostly avoid using it where possible, so I should probably look at replacing it for the few remaining places where Ed25519 or ECDSA still aren't supported.

  • Tertius3
    Community Member

    Yes, my key was also generated by puttygen from the PuTTY package some years ago and exported to OpenSSH format.

    I created a new 4096-bit RSA key with puttygen; this was accepted by 1Password, so I assume puttygen has been updated since then.

    However, it seems the state of the art is Ed25519 keys, so I will create one of those instead of RSA as a replacement for my old key. According to what I read, these keys have been supported since OpenSSH 6.5.
    RHEL 7 / CentOS 7 (that's what I run on my oldest machines) comes with OpenSSH 7.4, so Ed25519 is supported. Only if someone still has legacy machines with RHEL 6 or older is RSA the only option.

  • Vytautas
    Community Member

    It seems all of my current keys have the same issue. A better message would certainly help, even to actually say that the key is no longer considered secure and a new one should be generated.

    Or, even better, allow the import but mark the key as weak (similar to what Watchtower does with simple passwords).

  • Thanks for all of the feedback! Better error messages for import failures are a top priority for us.

    Allowing import and using Watchtower to inform users seems like a really great suggestion!

This discussion has been closed.