There may not be a way to do this with the OpenSSH tools alone.
But it can be done quite easily with the OpenSSL tools. In fact, there are at least two ways to do it. In the examples below, ~/.ssh/id_rsa is your private key.
One way is using dgst:
openssl dgst -sign ~/.ssh/id_rsa some-file
The other is using pkeyutl:
openssl pkeyutl -sign -inkey ~/.ssh/id_rsa -in some-file
Both of these write a binary signature to standard output. dgst takes a -hex option which will print a textual representation, with some details about the form of the signature. pkeyutl takes a -hexdump option, which is a bit less useful. Both will accept both RSA and DSA keys. I have no idea what the format of the output is. The two commands produce different formats. I get the impression that pkeyutl is considered more modern than dgst.
To verify those signatures:
openssl dgst -verify $PUBLIC_KEY_FILE -signature signature-file some-file
and:
openssl pkeyutl -verify -inkey $PUBLIC_KEY_FILE -sigfile signature-file -in some-file
The problem here is $PUBLIC_KEY_FILE. OpenSSL can't read OpenSSH's public key format, so you can't just use id_rsa.pub. You have a few options, none ideal.
If you have a version of OpenSSH of 5.6 or later, you can apparently do this:
ssh-keygen -e -f ~/.ssh/id_rsa.pub -m pem
This will write the public key to standard output in PEM format, which OpenSSL can read.
If you have the private key, and it's an RSA key, then you can extract the public key from it (I assume the PEM-encoded private key file includes a copy of the public key, since it is not possible to derive the public key from the private key itself), and use that:
openssl rsa -in ~/.ssh/id_rsa -pubout
I don't know if there's a DSA equivalent. Note that this approach requires some cooperation from the owner of the private key, who will have to extract the public key and send it to the would-be verifier.
Lastly, you can use a Python program written by a chap called Lars to convert the public key from OpenSSH to OpenSSL format.
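The sign/export/verify flow described in the answer above, carried through end to end as an added example (this is not code from the original answer). It is a POSIX shell script that generates an RSA key pair (with ssh-keygen when it is on PATH, so the key really is an OpenSSH one; otherwise with openssl), signs a constructed file with both dgst and pkeyutl, exports the public key, and verifies with both tools, including against a tampered copy that must fail. It assumes openssl is installed; every path is a temporary file created by the script. A few details are deliberately stricter than the bare commands in the answer: the digest is pinned to SHA-256 on both sides, because the dgst default has changed between OpenSSL releases; the private key is generated with ssh-keygen -m PEM, because OpenSSH 7.8 and later otherwise write a private key format openssl cannot read; the public key is exported with -m PKCS8 rather than -m pem so it is a "BEGIN PUBLIC KEY" block that every openssl version loads; pkeyutl is fed the SHA-256 digest together with -pkeyopt digest:sha256, since pkeyutl does not hash its input and rejects anything larger than the modulus allows, which also makes its signature byte-identical to the dgst one; and pkeyutl -verify is given -pubin, which it needs to read a public key file.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Assumes: openssl on PATH; ssh-keygen is optional (used when present so the
# key pair is a genuine OpenSSH one). All files live in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed sample message to sign.
printf 'release-1.2.3.tar.gz manifest placeholder\n' > "$WORK/some-file"

make_keypair() {
  if command -v ssh-keygen >/dev/null 2>&1; then
    # -m PEM keeps the private key in the PEM form OpenSSL can read;
    # OpenSSH >= 7.8 otherwise writes its own "OPENSSH PRIVATE KEY" format.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$WORK/id_rsa"
    # Export the public key as SubjectPublicKeyInfo ("BEGIN PUBLIC KEY"),
    # which every openssl version loads; "-m pem" would give PKCS#1 instead.
    ssh-keygen -e -f "$WORK/id_rsa.pub" -m PKCS8 > "$WORK/pub.pem"
  else
    # Fallback without OpenSSH: generate with openssl and extract the public
    # key the way the answer describes (openssl rsa -pubout).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/id_rsa" 2>/dev/null
    openssl rsa -in "$WORK/id_rsa" -pubout -out "$WORK/pub.pem" 2>/dev/null
  fi
}

# dgst hashes the whole file itself, then signs the digest (RSA PKCS#1 v1.5).
sign_with_dgst() {
  openssl dgst -sha256 -sign "$WORK/id_rsa" -out "$WORK/sig.dgst" "$WORK/some-file"
}

# pkeyutl does NOT hash: hand it the SHA-256 digest and say which digest it
# is, so it wraps the DigestInfo exactly as dgst does. Without this the raw
# input is padded directly and must fit inside the modulus.
sign_with_pkeyutl() {
  openssl dgst -sha256 -binary -out "$WORK/digest.bin" "$WORK/some-file"
  openssl pkeyutl -sign -inkey "$WORK/id_rsa" -in "$WORK/digest.bin" \
    -pkeyopt digest:sha256 -out "$WORK/sig.pkeyutl"
}

# Prints "same" when both tools produced byte-identical signatures.
compare_signatures() {
  if cmp -s "$WORK/sig.dgst" "$WORK/sig.pkeyutl"; then echo same; else echo different; fi
}

# Verify signature file $1 over message file $2 with both tools.
# Prints "ok" only when both accept it, "bad" otherwise.
verify_both() {
  sig=$1; msg=$2
  if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$sig" "$msg" >/dev/null 2>&1 \
     && openssl dgst -sha256 -binary -out "$WORK/vdigest.bin" "$msg" \
     && openssl pkeyutl -verify -pubin -inkey "$WORK/pub.pem" -sigfile "$sig" \
          -in "$WORK/vdigest.bin" -pkeyopt digest:sha256 >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# A copy with one changed byte must fail verification with the genuine signature.
verify_tampered() {
  sed 's/1\.2\.3/1.2.4/' "$WORK/some-file" > "$WORK/tampered"
  verify_both "$WORK/sig.dgst" "$WORK/tampered"
}

run_demo() {
  make_keypair
  sign_with_dgst
  sign_with_pkeyutl
  echo "signatures: $(compare_signatures)"
  echo "genuine:    $(verify_both "$WORK/sig.dgst" "$WORK/some-file")"
  echo "tampered:   $(verify_tampered)"
}

run_demo
```

Run it as a script; it prints three lines: the two signatures are the same, the genuine file verifies ok, and the tampered copy is bad. The public key file it produces is what $PUBLIC_KEY_FILE in the answer stands for, and it is the only thing the verifier side needs besides the signature and the message.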
Doesn't OpenSSH use Ed25519 as the dat protocol? Seems just a matter of tools.
– Pablo A – 2018-03-15T03:22:57.717