Fix FileZilla SSH key import problem

I'm always surprised at how long users can suffer from an IT problem before asking for help. One employee of my company told me that he had a problem with an SSH key. He uses his key to copy files with scp and it works, but he cannot use FileZilla: FileZilla refuses the key without any warning. I tried FileZilla with a newly generated key and successfully connected to a test server, so the problem comes from the key. Let's have a look at the keys. Both keys look correct and contain the correct header and footer:

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

But openssl fails to check the suspicious key:

% openssl rsa -check -in suspiciouskey_id
RSA key ok
140634506504080:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1199:
140634506504080:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:767:
140634506504080:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:699:Field=n, Type=RSA
140634506504080:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:121:

A deeper inspection shows that the key contains extra data:

% openssl asn1parse < suspiciouskey_id
    0:d=0  hl=4 l=1214 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE          
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL              
   22:d=1  hl=4 l=1192 prim: OCTET STRING      [HEX DUMP]:..

A normal key looks like:

% openssl asn1parse < good_id
    0:d=0  hl=4 l=1189 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :XXXYYYYY
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :XXXXXYYY

In fact, this is not the plain key that ssh-keygen generates by default. This key contains extra information because it is in PKCS#8 format: the outer SEQUENCE carries a version, an AlgorithmIdentifier (rsaEncryption) and an OCTET STRING that holds the actual RSA key. By default, ssh-keygen generates a PKCS#1 key. So I tried to convert the key:

% openssl rsa -in suspiciouskey -out newkey

It works!!! Why was the original key in PKCS#8 format? Did the sysadmin use the ssh-keygen switch -m PKCS8? scp is probably smart enough to extract the key from PKCS#8, but FileZilla can't (at least with 3.42.1).
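As an added example (not part of the original post), the script below reproduces the situation described above with the Python standard library only: it builds a constructed toy RSAPrivateKey (not a usable key, only its DER structure matters), wraps it in a PKCS#8 PrivateKeyInfo and writes it under the PKCS#1 "RSA PRIVATE KEY" PEM label. An unencrypted PKCS#8 key normally carries the "PRIVATE KEY" label, so a label/structure mismatch like this is the thing to check; `check_key` reports it and `fix_key` does what `openssl rsa -in suspiciouskey -out newkey` did, unwrapping the inner PKCS#1 key.

```python
import base64, re
TOY_RSA_FIELDS = [0, 3233, 17, 2753, 61, 53, 1, 17, 38]   # constructed toy values (not a usable key)
RSA_OID = bytes.fromhex("2a864886f70d010101")               # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, value):                       # DER-encode one tag/length/value (short-form length only)
    assert len(value) < 128
    return bytes([tag, len(value)]) + value
def integer(v):                            # DER INTEGER, with a leading 0x00 when the top bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_tlv(buf):                          # iterate (tag, value) over concatenated DER elements
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        n = first & 0x7F if first & 0x80 else 0            # long-form length: n length bytes follow
        length = int.from_bytes(buf[i + 2:i + 2 + n], "big") if n else first
        start = i + 2 + n
        yield tag, buf[start:start + length]
        i = start + length

def classify(der):                         # PKCS#1: SEQUENCE of INTEGERs. PKCS#8: SEQUENCE of
    _, body = next(der_tlv(der))           # INTEGER, AlgorithmIdentifier SEQUENCE, OCTET STRING
    tags = [t for t, _ in der_tlv(body)]
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "PKCS#8"
    return "PKCS#1" if tags and all(t == 0x02 for t in tags) else "unknown"

def unwrap_pkcs8(der):                     # the OCTET STRING value is the inner RSAPrivateKey
    _, body = next(der_tlv(der))
    return list(der_tlv(body))[2][1]

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def check_key(pem):                        # (PEM label, real structure, does the label match it?)
    label, der = pem_decode(pem)
    fmt = classify(der)
    return label, fmt, {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}.get(label) == fmt
def fix_key(pem):                          # same effect as `openssl rsa -in suspiciouskey -out newkey`
    label, der = pem_decode(pem)
    return to_pem("RSA PRIVATE KEY", unwrap_pkcs8(der) if classify(der) == "PKCS#8" else der)

TOY_PKCS1 = tlv(0x30, b"".join(integer(v) for v in TOY_RSA_FIELDS))
TOY_PKCS8 = tlv(0x30, integer(0) + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, TOY_PKCS1))
SUSPICIOUS_PEM = to_pem("RSA PRIVATE KEY", TOY_PKCS8)   # PKCS#8 body under a PKCS#1 label, as in the post
```

On a real key file, `check_key(open("id_rsa").read())` returning `False` in the third field is the same inconsistency the asn1parse output above revealed.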

By @Romain JACQUET