UI copy/export behavior of SSH keys generated by 1P8

signe
signe
Community Member
edited February 2023 in SSH

I've been testing out the SSH Agent functionality built into 1P8, and this was something I ran across today when attempting to use SSH keys generated by 1P8.

(This is a bogus key, created just for this post)

If you click on the Private Key to copy it (e.g., to paste it into a file on a remote host), you end up with a key in this format that does not follow RFC4716 and is not usable by OpenSSH. At first glance, it appears to be PEM format, but attempting to convert from PEM fails (see below).

-----BEGIN PRIVATE KEY-----
MFMCAQEwBQYDK2VwBCIEIMZ0cI9G+jyUB1i/2L17theJdVj3F+w+Xg9JunCyb0SN
oSMDIQB9MEvJCx15KcncldXIqHdNbWcr8l6zmfFuDQJxRO0+JA==
-----END PRIVATE KEY-----

However if you click the down arrow and choose Download you end up with a key that is usable by OpenSSH:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDdFnR7fMC7OdO4L/wLfY8k/nooV8et6RA5/84ikZtingAAAIg/6vA3P+rw
NwAAAAtzc2gtZWQyNTUxOQAAACDdFnR7fMC7OdO4L/wLfY8k/nooV8et6RA5/84ikZting
AAAEDAxt6+dY8QtiQGI5+DJfQ0MTliA6N5iRomikSoulEcrt0WdHt8wLs507gv/At9jyT+
eihXx63pEDn/ziKRm2KeAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----

This difference in behavior is not documented nor expected by a user, as it's not an intuitive difference. Since I wasn't examining the contents of the key closely, my first attempts to use it after pasting it to the remote all failed because the key was in an invalid format (for openssh).

Attempting to use ssh-keygen to convert the private key into a usable format all fail:

$ cat id_ed25519
  -----BEGIN PRIVATE KEY-----
  MFMCAQEwBQYDK2VwBCIEIMZ0cI9G+jyUB1i/2L17theJdVj3F+w+Xg9JunCyb0SN
  oSMDIQB9MEvJCx15KcncldXIqHdNbWcr8l6zmfFuDQJxRO0+JA==
  -----END PRIVATE KEY-----
$ ssh-keygen -f id_ed25519 -i -m pem
do_convert_from_pem: unrecognised raw private key format
$ ssh-keygen -f id_ed25519 -i -m pkcs8
do_convert_from_pkcs8: id_ed25519 is not a recognised public key format
$ ssh-keygen -f id_ed25519 -i -m rfc4716
do_convert_from_ssh2: parse key: invalid format
$ ssh-keygen -f id_ed25519 -i
do_convert_from_ssh2: parse key: invalid format
$

1Password Version: 80900001
Extension Version: n/a
OS Version: macOS 13
Browser:_ n/a

Comments

  • pauljohnsonddl
    pauljohnsonddl
    Community Member

    Found an answer at https://security.stackexchange.com/a/267767/288895, basically:

    Install sshpk: npm install -g sshpk
    Convert key: op item get --fields='label=private key' --format json 'My Key' | jq -r '.value' | sshpk-conv -t ssh -p

  • signe
    signe
    Community Member

    Thanks, but this wasn't a request for assistance... just a bug report. You can already export a properly formatted key using the Download button, so there's no need for someone to install node and then an unknown node app in order to convert file formats. That's not a reasonable thing to expect a user to do.

  • floris_1P
    floris_1P

    The Copy/Download actions have been replaced with a single Export action and accompanying modal, which lets you also encrypt it with a passphrase.

  • pitimaou
    pitimaou
    Community Member

    Hey fam, any plan to have this supported on the CLI client as well?

  • Jack.P_1P
    Jack.P_1P

    Hi @pitimaou:

    Nothing to share just yet, but thanks for your feedback!

    Jack

    ref: dev/b5/op#2282

This discussion has been closed.