Bad characters when exporting SSH private key via CLI
I'm trying to export an SSH private key from 1Password to my file system using
op read op://{vault id}/{item id}/private_key > id_25519
I'm using a Windows 11 machine, but working inside a WSL2 environment. op is /mnt/c/Program Files/1Password CLI/op.exe (so Windows CLI running from Linux).
The issue is that the output of 1Password has invalid characters that cause an "error in libcrypto" when using the key.
This can be seen with
op read op://{vault id}/{item id}/private_key | vim -
-----BEGIN OPENSSH PRIVATE KEY-----^M
.....^M
.....^M
.....^M
.....^M
...==^M
-----END OPENSSH PRIVATE KEY-----^M
^@^@^@^@^@
~
~
~
I can understand the ^M part (that is "\r") since op is the Windows version (even if I would rather have only "\n" as line endings in this case), but the ^@ at the end are null bytes that I can't explain.
Currently I'm using as a workaround
op read op://{vault id}/{item id}/private_key | tr -dc '[:alnum:]+/=\n -'
Is there a cleaner way to fix this?
For information, op is version 2.21.0 (up to date).
Thanks
1Password Version: 8.10.18 (beta)
Extension Version: n/a
OS Version: Windows
Browser: n/a
Comments
-
I'm experiencing the same problem. I'm on macOS and
op read "op://{vault id}/{item id}/private_key?ssh-format=openssh" | cat -v
returns
-----BEGIN OPENSSH PRIVATE KEY-----^M b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACD1k9TWjiuIc6pmN3DBq71RGwEUIoOkDjsYJOm+7uKY6QAAAKgU9furFPX7 qwAAAAtzc2gtZWQyNTUxOQAAACD1k9TWjiuIc6pmN3DBq71RGwEUIoOkDjsYJOm+7uKY6Q AAAEAOwWmP1G07Xg4XVF7hYJkR8IyeEYo83lJdZwctVRrGFPWT1NaOK4hzqmY3cMGrvVEb ARQig6QOOxgk6b7u4pjpAAAAIUJhcnRlayBQYWNpYSA8YmFycGFjMDJAZ21haWwuY29tPg ECAwQ=^M -----END OPENSSH PRIVATE KEY-----^M
(this is a temporary key I only generated for the purpose of this comment).
Trying to ssh-add this key results in either "Error loading key "id_ed25519_git_hosting": invalid format" (on Raspberry Pi with OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1, OpenSSL 1.1.1n) or "error in libcrypto" (on OpenSSH_9.3p1 Ubuntu-1ubuntu3, OpenSSL 3.0.10 1 Aug 2023).
A workaround I found to remove those ^Ms is to use dos2unix:
op read "op://{vault id}/{item id}/private_key?ssh-format=openssh" | dos2unix | cat -v
returns:
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACD1k9TWjiuIc6pmN3DBq71RGwEUIoOkDjsYJOm+7uKY6QAAAKgU9furFPX7 qwAAAAtzc2gtZWQyNTUxOQAAACD1k9TWjiuIc6pmN3DBq71RGwEUIoOkDjsYJOm+7uKY6Q AAAEAOwWmP1G07Xg4XVF7hYJkR8IyeEYo83lJdZwctVRrGFPWT1NaOK4hzqmY3cMGrvVEb ARQig6QOOxgk6b7u4pjpAAAAIUJhcnRlayBQYWNpYSA8YmFycGFjMDJAZ21haWwuY29tPg ECAwQ=^M -----END OPENSSH PRIVATE KEY-----
0 -
This issue also occurs in the following scenario.
Generate the SSH Key using the browser extension (Chrome, Windows 10). For example, this can be done when adding a key to Bitbucket in the browser. The extension will automatically suggest creating an SSH Key, even though you can't create one directly through the browser extension (requires 1Password 8). Note that the name of the item can't be edited, which is inconvenient. It can be edited later in the desktop app.
Next, from a Linux (Ubuntu) box with op installed with apt, execute any of op run, op read, op inject. Surprisingly, a carriage return (\r, ^M) is included on some lines, making it unusable without further processing.
Is this due to creating the key from a Windows browser?
Can op detect the OS it is running on and reconstruct the key with the appropriate line endings?
Stripping carriage returns downstream of op is inconvenient.
Thanks!!!
0
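Added example, not written by any poster in this thread and not 1Password's own code: a shell filter that removes only the carriage returns (^M) and NUL bytes (^@) reported above, then installs the key with owner-only permissions if it still carries PEM armor. The helper names normalize_key, has_key_armor and save_key, and the destination path in the usage comment, are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.

# Filter stdin to stdout, deleting only \r and \0.
# Unlike an allow-list such as tr -dc '[:alnum:]+/=\n -', every other byte
# is kept, so a genuinely corrupt key still fails when it is loaded.
# awk re-emits each line with "\n", which also guarantees a final newline.
normalize_key() {
    tr -d '\r\000' | awk '{ print }'
}

# Succeed only if the first and last lines of file $1 are PEM armor lines
# for a private key (OPENSSH, RSA, EC, or bare PKCS#8).
has_key_armor() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    case $first in '-----BEGIN '*'PRIVATE KEY-----') ;; *) return 1 ;; esac
    case $last in '-----END '*'PRIVATE KEY-----') ;; *) return 1 ;; esac
}

# Clean stdin and install it at $1 with mode 0600.
# The key is staged in a temp file created under umask 077, so it is never
# group- or world-readable, and an existing key at $1 is replaced only
# after the armor check passes.
save_key() {
    dest=$1
    stage="$dest.tmp.$$"
    ( umask 077; normalize_key > "$stage" ) || { rm -f "$stage"; return 1; }
    if ! has_key_armor "$stage"; then
        echo "save_key: input lacks BEGIN/END PRIVATE KEY armor" >&2
        rm -f "$stage"
        return 1
    fi
    mv -f "$stage" "$dest"
}

# Usage (destination path is an assumption):
#   op read "op://{vault id}/{item id}/private_key?ssh-format=openssh" \
#       | save_key ~/.ssh/id_ed25519
# For a fuller check, "ssh-keygen -y -f <file>" prints the public key
# if the private key parses.
```

The armor check only confirms the framing lines; it does not prove the base64 body decodes to a valid key.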