The title basically says it all. But mind: host key, not the login key.

And if they're not compatible out of the box, is there a way to convert between them - and what would be the steps in that case?

Rationale: it would be nice to be able to bring up a dropbear instance in the scope of the initrd, if boot fails, but do so by incorporating the host keys (via initramfs-tools hooks) from OpenSSH that is normally installed on the host.


After the misunderstanding that I am referring to host keys instead of login keys, I decided to dig into this a little myself. The main point was to establish whether the formats are compatible, not whether they're different (I knew they are).

Trying to install dropbear over a system that already had OpenSSH of course failed miserably, but this wasn't the point of the exercise. During the installation (and before the failure) the output said:

Converting existing OpenSSH RSA host key to Dropbear format.

So a quick apt-get source dropbear and grep-ing inside the debian subfolder yielded:

dropbear.postinst:    echo "Converting existing OpenSSH RSA host key to Dropbear format."

Promising. The relevant lines in the dropbear.postinst script read:

echo "Converting existing OpenSSH RSA host key to Dropbear format."
/usr/lib/dropbear/dropbearconvert openssh dropbear \
  /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key

Apparently dropbear comes with a tool named dropbearconvert, which has a .c source file in the source and comes with a man page: dropbearconvert(1). Because I was unable to come up with an online version of the man page, here's the gist:

SYNOPSIS
       dropbearconvert input_type output_type input_file output_file

[...]

OPTIONS
       input type
              Either dropbear or openssh

       output type
              Either dropbear or openssh

       input file
              An existing Dropbear or OpenSSH private key file

       output file
              The path to write the converted private key file
  • Turns out it's silly and old-style to prepare by reading the documentation. Simply do it - fail - but see the indication that the conversion is possible in the output of the failed installation. Oh well ... I guess my old-fart-RTFM-first attitude doesn't work anymore :) – 0xC0000022L Jun 02 '14 at 13:35
  • 1
    Strange, my system has a man page for `dropbearconvert`, but doesn't seem to have the program in the path. I did `dpkg -L dropbear` and found it is installed under `/usr/lib/dropbear/dropbearconvert`. – Craig McQueen Jun 09 '15 at 05:46
  • 1
    I found [this man page](http://manpages.ubuntu.com/manpages/trusty/man1/dropbearconvert.1.html) from ubuntu – Zac Jul 26 '17 at 12:21
  • Did you actually have this work though? I get Error: Unrecognised key type for the rsa or any other private keys running as sudo – Jack Jul 21 '21 at 16:12
  • converting the private keys with ssh-keygen -m PEM -f /tmp/openssh.key first results in Error: File does not begin with OpenSSH key header – Jack Jul 21 '21 at 16:29
  • Dropbear can be compiled with all related commands in one binary. The other commands are accessed by creating a symlinks in the same way as busybox. To obtain the public key, use `dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep -v 'Fingerprint: sha1!!\|Public key'` – 5p0ng3b0b Jun 22 '22 at 18:15
  • Note that `dropbearconvert` only implemented the new OpenSSH format (not the old legacy PEM Format) private key handling since "Dropbear 2022.82" (1 Apr 2022). Keys can now be read in OpenSSH format or the old PEM format. ED25519 support was broken before and has now been fixed also. DSS keys are still PEM format. See: https://github.com/mkj/dropbear/releases – moo Oct 13 '22 at 13:31
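An added example, not code from the answer or from the Dropbear project: a small POSIX sh helper in the spirit of the initramfs-tools hook the question has in mind. It wraps the `dropbearconvert openssh dropbear IN OUT` call from dropbear.postinst, walks the OpenSSH host keys in a directory, and first classifies each key by its header so that the PEM-vs-OpenSSH-container distinction from the last comment (Dropbear releases before 2022.82) is visible before conversion. The DROPBEARCONVERT override and the ecdsa/ed25519 output names (Dropbear's usual dropbear_<type>_host_key pattern) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the answer or of Dropbear itself.
# Assumes: dropbearconvert at /usr/lib/dropbear/dropbearconvert (as in the
# postinst quoted in the answer) unless DROPBEARCONVERT overrides it, and
# Dropbear's dropbear_<type>_host_key naming for ecdsa/ed25519 outputs too.
DROPBEARCONVERT="${DROPBEARCONVERT:-/usr/lib/dropbear/dropbearconvert}"

# key_format FILE -> prints "openssh", "pem" or "unknown" from the first line.
# Only dropbearconvert from Dropbear 2022.82 or later reads the
# "BEGIN OPENSSH PRIVATE KEY" container; older releases want legacy PEM.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*" PRIVATE KEY-----")     echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# convert_host_keys SRC_DIR DST_DIR
# Converts each SRC_DIR/ssh_host_<type>_key to DST_DIR/dropbear_<type>_host_key.
# Returns 0 only if at least one key was converted and nothing failed.
convert_host_keys() {
    src="$1"; dst="$2"; converted=0; failed=0
    mkdir -p "$dst"
    for kt in rsa ecdsa ed25519; do
        src_key="$src/ssh_host_${kt}_key"
        dst_key="$dst/dropbear_${kt}_host_key"
        [ -f "$src_key" ] || continue
        if [ "$(key_format "$src_key")" = unknown ]; then
            echo "skipping $src_key: no PEM or OpenSSH private key header" >&2
            failed=$((failed + 1)); continue
        fi
        if "$DROPBEARCONVERT" openssh dropbear "$src_key" "$dst_key"; then
            chmod 0600 "$dst_key"   # the converted host key stays private
            converted=$((converted + 1))
        else
            # An older dropbearconvert rejects the OpenSSH container; the usual
            # workaround is re-encoding the source as PEM first:
            #   ssh-keygen -p -m PEM -f "$src_key"
            echo "conversion of $src_key failed" >&2
            failed=$((failed + 1))
        fi
    done
    if [ "$converted" -gt 0 ] && [ "$failed" -eq 0 ]; then return 0; fi
    return 1
}

# Typical hook usage: convert_host_keys /etc/ssh "${DESTDIR}/etc/dropbear"
```

In a real hook, also `copy_exec` the dropbear binary and check that the converted files end up with mode 0600 inside the initramfs, since the archive itself is usually world-readable unless permissions are tightened.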