Issue
There is a nice essay that says the stock "ssh-keygen" creates an older, easier to crack private key, and that PKCS#8 is the way to go.
So, instead of the stock ssh-keygen approach, I want to use a new "ssh-pkcs8-gen" approach.... (not for me, for the git users who hang off my git server).
Everything I have seen discusses taking the ASN.1 output from ssh-keygen and converting it to PKCS#8. This is a lot of steps, and I don't want to make life impossible for my users.
How can I directly, in one step, create a PKCS#8 private key with openssl.exe (or a similar tool commonly distributed with Git.... I believe openssl can do it)?
Solution
The article "Improving the security of your SSH private key files" from Martin Kleppmann describes:
- how to generate a classic RSA passphrase-protected key
- how to convert it to PKCS#8 (Public-Key Cryptography Standards (PKCS) #8)
So maybe chaining the two operations together in a script would result in the right key generated in one step:
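# -m PEM: OpenSSH 7.8 and later write their own key format by default, which openssl pkcs8 cannot read
ssh-keygen -t rsa -m PEM -N 'super secret passphrase' -f test_rsa_key
mv test_rsa_key test_rsa_key.old
# Re-encrypt the key as PKCS#8 (PKCS#5 v2.0 via -v2) under the same passphrase
openssl pkcs8 -topk8 -v2 des3 \
    -in test_rsa_key.old -passin 'pass:super secret passphrase' \
    -out test_rsa_key -passout 'pass:super secret passphrase'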
Answered By - VonC Answer Checked By - Dawn Plyler (WPSolving Volunteer)
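
A check that could follow the conversion above, as an added example that is not part of the original answer: it classifies a private key file by its PEM header, so a script can confirm the result really is an encrypted PKCS#8 key before the old file is deleted. The function names and output labels are assumptions made for this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify a private key file by its PEM armor line.
# The labels printed here are this example's own, not output of ssh-keygen or openssl.
key_format() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    # Strip a trailing CR so files written on Windows are recognised too
    first=$(sed -n '1p' "$file" | tr -d '\r')
    case "$first" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-unencrypted" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo "openssh" ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # Traditional PEM (RSA, DSA, EC): encryption is signalled by a Proc-Type header
            if sed -n '2,3p' "$file" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "traditional-encrypted"
            else
                echo "traditional-unencrypted"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Succeeds only for a passphrase-protected PKCS#8 key
is_pkcs8_encrypted() {
    [ "$(key_format "$1")" = "pkcs8-encrypted" ]
}

# Constructed samples: only the armor lines matter, the bodies are placeholders.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,CONSTRUCTED' > "$tmp/test_rsa_key.old"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' > "$tmp/test_rsa_key"
for f in "$tmp/test_rsa_key.old" "$tmp/test_rsa_key"; do
    printf '%s: %s\n' "${f##*/}" "$(key_format "$f")"
done
if is_pkcs8_encrypted "$tmp/test_rsa_key"; then
    echo "converted key is encrypted PKCS#8; test_rsa_key.old can be removed"
fi
rm -rf "$tmp"
```
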