[solved] SFTP: Export public key?

chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

[solved] SFTP: Export public key?

Post by *chconnor »

Hi -- I use the SFTP plugin to connect via scp to my linux machine (openssh-server). Works great, but I have to enter my password every time.

I don't want TC to save my password, so I would like to add the public key the phone is using to ~/.ssh/authorized_keys.

Is there some way to export the phone's public key from Total Commander?

It looks like TC is using SFTP version 2.7 -- I don't know if there is any way to force it to upgrade to the latest, or if I am at the mercy of the app store?

Thanks!
Last edited by chconnor on 2023-09-24, 22:44 UTC, edited 1 time in total.
ghisler(Author)
Site Admin
Posts: 48088
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: SFTP: Export public key?

Post by *ghisler(Author) »

Normally it works this way:
- you create a pair of private and public keys
- put the public key on the server
- put the private key on the client
Author of Total Commander
https://www.ghisler.com
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

Thanks! -- I can generate the key pair on my server, but I need to get both keys into .pem format for TC to use, correct?

An scp/ssh/sftp client needs to have the public and private key to function, right? [edit: nope, see below]

I can't seem to find instructions to convert the id_rsa (and id_rsa.pub?) files into .pem for TC. Any tips on that? Some people say the id_rsa can just be renamed to .pem, others say that openssl uses a different format.

Thanks again.
Last edited by chconnor on 2023-09-24, 22:45 UTC, edited 1 time in total.
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

I have tried:

ssh-****** -f id_rsa -e -m pem > id_rsa.pem

...I provided that .pem to TC but when the connection is attempted it says

"SSHException: No provider available for Unknown key file"

Edit: I don't know why the board is switching "k e y g e n" with asterisks: ******
ghisler(Author)
Site Admin
Posts: 48088
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: SFTP: Export public key?

Post by *ghisler(Author) »

Try generating a key pair using a newer, more secure method; the basic RSA may no longer be supported by the server. Use switch -t to specify the method, e.g.
-t ed25519
Author of Total Commander
https://www.ghisler.com
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

Ah thanks, I forgot that rsa is no longer accepted. ssh-keygen apparently can't convert ed25519 to pem ("do_convert_to_pem: unsupported key type ED25519"), so I tried this:

Code:

ssh-keygen -t ecdsa -b 521

(This makes an ecdsa-sha2-nistp521 keypair, which is also listed on my server via "ssh -Q PubkeyAcceptedAlgorithms". I also tried a -b 256 version with the same result.)

Then I make the .pem and authorize the public key:

Code:

ssh-keygen -f id_ecdsa -e -m pem > id_ecdsa.pem
cat id_ecdsa.pub >> ~/.ssh/authorized_keys

...then I move id_ecdsa.pem to the phone, make a new connection entry that points to the .pem file, and try again. Same result... does not work.

But here is the strange part: on the server side, I enable DEBUG3 for sshd. It shows:

sshd[262552]: debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]

...which seems to imply that it's still trying to connect with an rsa key for some reason? It says "ssh-rsa key not permitted" no matter what .pem I'm trying to use: ecdsa, etc. Maybe the .pem files aren't correct so TC is falling back to a default key or something?
Dalai
Power Member
Posts: 9393
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: SFTP: Export public key?

Post by *Dalai »

Did you delete the old RSA keys, i.e. their files and their entries in authorized_keys? If not, SSH might still use that key instead of the ECDSA key.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

Thanks! - you mean on the phone? I just tried deleting all the .pem files that weren't being used -- that didn't change anything.

(On the server side, authorized_keys only has the ecdsa key in it (besides the other authorized keys that have nothing to do with this).)
Dalai
Power Member
Posts: 9393
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: SFTP: Export public key?

Post by *Dalai »

Please check the headers of the PEM files you created. It looks like the command you used exports only the public key to the PEM file, but you need the private key in there. I think your id_ecdsa file already is Base64 encoded (which PEM basically means) and has a header saying something like BEGIN ECDSA PRIVATE KEY.

Regards
Dalai
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

Thank you Dalai -- the ssh-keygen command I used creates id_ecdsa and id_ecdsa.pub, the latter of which is the public key. So the command I use encodes the private key (or is intended to, anyway) into .pem, and then I append the public key (id_ecdsa.pub) to the server's authorized_keys file (to allow scp/etc without password).

The private key (id_ecdsa) starts with:

-----BEGIN OPENSSH PRIVATE KEY-----

When I use the "ssh-keygen -f id_ecdsa -e -m pem > id_ecdsa.pem" command, which I thought was supposed to make a pem from id_ecdsa (the private key), it creates the .pem but it starts with "-----BEGIN PUBLIC KEY-----", which seems to show that something is going wrong... ?
Dalai
Power Member
Posts: 9393
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: SFTP: Export public key?

Post by *Dalai »

Yes, I meant the second command you used to export the key. And as I suspected, it only contains the public key. I'd just try it with the id_ecdsa file renamed to .pem. No idea if this specific SFTP plugin can use such a key (the Windows version cannot).

Regards
Dalai
chconnor
Junior Member
Posts: 7
Joined: 2023-09-19, 22:39 UTC

Re: SFTP: Export public key?

Post by *chconnor »

What I'm confused about is that I'm feeding the command only the private key (id_ecdsa). Even if I delete the public key (id_ecdsa.pub) it still generates a .pem that starts with "PUBLIC KEY".

At any rate -- it worked! I just copied id_ecdsa to id_ecdsa.pem and used that -- all good. Thanks for the help!
Dalai
Power Member
Posts: 9393
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: [solved] SFTP: Export public key?

Post by *Dalai »

AFAIK a public key can be extracted (or maybe generated?) from a private key at any time, but not the other way around (obviously).

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
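
Added example (not part of any post in this thread): a shell check for the point the thread arrives at, that "ssh-keygen -e -m pem" writes a public key while the client needs the file whose first line says PRIVATE KEY. The function names key_kind, usable_as_identity and demo are hypothetical; demo replays the thread's commands in a temporary directory when ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# key_kind FILE: classify a key file by its first line (CR stripped, in case
# the file picked up Windows line endings while being moved to the phone).
key_kind() {
    kk_first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$kk_first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo private-openssh ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo private-pem ;;
        "-----BEGIN "*"PUBLIC KEY-----")       echo public-pem ;;
        ssh-*\ *|ecdsa-sha2-*\ *)              echo public-openssh ;;
        *)                                     echo unknown ;;
    esac
}

# usable_as_identity FILE: succeed only if FILE holds a private key, i.e. it
# is something a client can authenticate with.
usable_as_identity() {
    case "$(key_kind "$1")" in
        private-*) return 0 ;;
        *)         return 1 ;;
    esac
}

# demo: replay the thread's commands in a temporary directory and print what
# each resulting file contains. Skipped when ssh-keygen is not installed.
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; return 0; }
    demo_dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ecdsa -b 521 -N "" -f "$demo_dir/id_ecdsa"
    ssh-keygen -f "$demo_dir/id_ecdsa" -e -m pem > "$demo_dir/export.pem"
    cp "$demo_dir/id_ecdsa" "$demo_dir/id_ecdsa.pem"   # the copy that worked
    for f in id_ecdsa id_ecdsa.pub export.pem id_ecdsa.pem; do
        printf '%-14s %s\n' "$f" "$(key_kind "$demo_dir/$f")"
    done
    # -y prints the public key derived from the private key alone
    ssh-keygen -y -f "$demo_dir/id_ecdsa" | cut -d' ' -f1
    rm -rf "$demo_dir"
}

demo || true
```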