Bug - op fails getting SSH key
Using 1password-cli v2.20.0 on Amazon Linux 2023:
op item get 'Demo SSH Key'
[ERROR] 2023/09/06 07:20:26 unsupported key type "RSA PRIVATE KEY" passed with the PEM
Doing the same with version 2.12.0 on Amazon Linux 2 works.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Amazon Linux 2023
Browser: Not Provided
Comments
-
Also running into this. Uploaded a key using the OP UI. Was able to retrieve it just fine using an older version of OP CLI (not sure what it was). Then I accidentally updated the OP CLI to 2.22.0 and now cannot retrieve it (or the public key field on it), with the same error as @alonz.
0 -
Hi @jamesdh and @alonz. I tried reproducing this by importing RSA private keys both in PKCS8 and OpenSSH formats but with no success. I think it's important to find out what standard your problematic RSA key is following. How many bits does it have? On what date was it created approximately? In what format was it displayed (e.g. in its id_rsa file)?
0 -
Hi @andi.t_1P thank you for looking into it.
I don't recall when or how this key was created; possibly it was created by an older OpenSSH, or I think it might have been created by Amazon as part of an AWS EC2 deployment.
Looking at such problematic keys, I can see that it's 2048 bit and it is in the format of -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
I can confirm that newer keys that I create in the format of "-----BEGIN OPENSSH PRIVATE KEY-----" seem to work without an issue.
With the above hint I was able to reproduce the issue using
ssh-keygen -t rsa -b 2048 -m PEM -f <filename>
which in turn leads to the following ERROR message when downloading it from OP using the CLI:
[ERROR] 2023/11/27 13:54:27 unsupported key type "RSA PRIVATE KEY" passed with the PEM
1 -
Hi @andi.t_1P
Thanks for looking into this and sorry for pestering. Do you have a status update for this bugfix?
I believe @alonz has provided sufficient repro steps but, just in case, here is an RSA key in PEM format that fails:
$ ssh-keygen -t rsa -N "" -b 2048 -m PEM -f test_private_key
$ cat test_private_key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ op --version
2.24.0
$ op item get TEST_PRIVATE_KEY --vault **************** --format json --debug
2:57PM | DEBUG | Session delegation enabled
2:57PM | DEBUG | NM request: NmRequestAccounts
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | NM request: NmRequestAccounts
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | account not signed in, filter= latest_signin_user=
2:57PM | DEBUG | NM request: NmRequestAccounts
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | NM request: NmRequestAuthorization
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | NM request: NmRequestAccounts
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | NM request: NmRequestDelegatedSession
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | NM request: NmRequestAccounts
2:57PM | DEBUG | NM response: Success
2:57PM | DEBUG | InitDefaultCache: successfully initialized cache
2:57PM | DEBUG | EncryptedKeysets: Cache hit on keyset
2:57PM | DEBUG | AllVaults: cache hit on vault fszmyywuieol2pwod6ctaoqzeu
2:57PM | DEBUG | AllVaults: cache hit on vault 3wyxflecqldyyk6wdb7qplzpsq
2:57PM | DEBUG | AllVaults: cache hit on vault esx6pbashvset3zv7w63cph3qa
2:57PM | DEBUG | AllVaults: cache hit on vault 477oohfoxt6eaxxxmsh5sgundy
2:57PM | DEBUG | AllVaults: cache hit on vault tqunglsx7se7zfbsoxeugwrlqq
2:57PM | DEBUG | VaultItems: cache hit on vault items of vault 3wyxflecqldyyk6wdb7qplzpsq
2:57PM | DEBUG | VaultItems: cache hit on vault items of vault 3wyxflecqldyyk6wdb7qplzpsq
2:57PM | DEBUG | Item: VaultItems cache hit for vault 3wyxflecqldyyk6wdb7qplzpsq - validating staleness using item version
2:57PM | DEBUG | Item: cache hit on item njj22vq5cn3y2ktb4upmzwxrmi of vault 3wyxflecqldyyk6wdb7qplzpsq
[ERROR] 2024/02/22 14:57:09 unsupported key type "RSA PRIVATE KEY" passed with the PEM
0 -
I confirm I was able to reproduce this.
0 -
The problem is that the output of
ssh-keygen -t rsa -N "" -b 2048 -m PEM -f test_private_key
is an older PEM block format called PKCS#1 (apparent from the header "BEGIN RSA PRIVATE KEY" as opposed to simply "BEGIN PRIVATE KEY"). 1Password internally supports PKCS#8 and OpenSSH. I created an internal issue for supporting your use case as well, but I make no promises as to when this will hit stable, although I don't expect a lot of CLI releases to pass without this being solved.
In the meantime, as a workaround, you can consider generating an RSA key and storing it in PKCS8 PEM format:
ssh-keygen -m PKCS8 -t rsa
before importing it into 1Password.
0 -
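The header distinction described in the reply above can be checked before import. This is an added example, not part of the thread and not 1Password's code: the function names `pem_key_format` and `to_pkcs8` are hypothetical. It goes beyond the suggested workaround by converting an existing PKCS#1 key with the standard `openssl pkcs8 -topk8 -nocrypt` command instead of generating a new one.

```shell
#!/bin/sh
# Added example: classify a private key file by its PEM header and, for the
# PKCS#1 block that op reports as unsupported, write a PKCS#8 copy.

# Print the container format named by the first BEGIN line of a key file.
pem_key_format() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh ;;
        '')                                      echo none ;;
        *)                                       echo other ;;
    esac
}

# Write an unencrypted PKCS#8 copy of the PKCS#1 key $1 to $2.
# Returns 1 if $1 is not PKCS#1, 2 if it is passphrase-protected.
to_pkcs8() {
    src=$1
    dst=$2
    fmt=$(pem_key_format "$src")
    if [ "$fmt" != pkcs1 ]; then
        echo "$src: format is $fmt, nothing to convert" >&2
        return 1
    fi
    # Legacy PEM encryption keeps the same BEGIN line and adds this header.
    # Refuse rather than silently writing a decrypted copy to disk.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$src"; then
        echo "$src: passphrase-protected, not converting" >&2
        return 2
    fi
    # umask 077 so the new private key file is created owner-only.
    ( umask 077 && openssl pkcs8 -topk8 -nocrypt -in "$src" -out "$dst" )
}

# Command-line use: script.sh <pkcs1-key> <pkcs8-output>
if [ "$#" -eq 2 ]; then
    to_pkcs8 "$1" "$2"
fi
```

The converted file holds the same key pair, so the public key and any `authorized_keys` entries stay valid; delete the on-disk copy once it has been imported.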
Thanks for looking into this promptly @andi.t_1P !
0