Check public/private RSA keypairs

Guus Sliepen guus at tinc-vpn.org
Wed Mar 17 20:40:19 CET 2010


On Wed, Mar 17, 2010 at 02:38:37PM +0100, Claus Strasburger wrote:

> I have a tinc vpn running on several local networks as well as on
> clients and am writing a little "zeroconfig" tool to add new (newbie)
> clients to the net without having to vnc to them for ages.
> To do this easier, I wanted to have a possibility to check somehow if
> the public key stored on the server matches the private key on the
> client, or if it needs to be regenerated.

Why not check the public key stored on the server against the public key on the
client?

> Now I figured I can output the public key from a private one by using
> openssl rsa -in rsa_key.priv -pubout
> this one will print out a public key in the same format as the public
> key stored in the hosts file. I tested it with some clients, and every
> private key will generate a pubkey different to the one in the hostfile,
> but each of these clients does work in my vpn, so the public/private
> keypairs must match.
> A second command I found by googling
> ssh-keygen -y -f rsa_key.priv
> will output something that is totally different to the original.

The problem is that the OpenSSL library has two ways to store a public key. You
can see the difference in the header already, tinc's host config files will
contain "BEGIN RSA PUBLIC KEY", while the openssl tool will output something
that contains "BEGIN PUBLIC KEY" (note the missing "RSA"). Also, these blobs
not only contain the public key, they contain additional information, some of
which is not used. SSH uses yet another format. So, they all contain the same
public key, but the representations are different.

Actually, tinc will also happily use RSA keys generated in the format used by
the openssl tool. So instead of using tincd -K you can use openssl genrsa to
create an rsa_key.priv file, and openssl rsa to convert it to a public key for
the host config file.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
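The check suggested in the reply above, worked through as an added shell example (this is not code from the tinc project or from either poster): generate a keypair with openssl, write the public key in both PEM framings the mail describes ("BEGIN PUBLIC KEY" from -pubout and "BEGIN RSA PUBLIC KEY" as found in a tinc host file), and compare keys by their RSA modulus, which is the same number whatever the framing. File names such as rsa_key.priv and host.pub are illustrative choices; the openssl command-line tool is assumed to be installed, and the ssh-keygen part only runs if ssh-keygen is present. Newer OpenSSL releases write the private key with a "BEGIN PRIVATE KEY" header rather than "BEGIN RSA PRIVATE KEY"; the modulus check below accepts either.

```shell
#!/bin/sh
# Added example, not tinc's own code. Compare RSA keys by modulus so that the
# PEM framing (tinc's "RSA PUBLIC KEY", openssl's "PUBLIC KEY", or SSH's own
# format) no longer matters. Assumes the openssl CLI; ssh-keygen is optional.
set -u

# Fresh 2048-bit RSA private key, as the mail suggests in place of "tincd -K".
gen_private_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Public key in SubjectPublicKeyInfo framing ("BEGIN PUBLIC KEY"):
# this is what "openssl rsa -pubout" prints.
pub_spki() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Public key in PKCS#1 framing ("BEGIN RSA PUBLIC KEY"): the form a tinc host
# config file carries. Same key, different header and ASN.1 wrapper.
pub_pkcs1() {
    openssl rsa -in "$1" -RSAPublicKey_out -out "$2" 2>/dev/null
}

# First PEM header line of a file, e.g. "-----BEGIN RSA PUBLIC KEY-----".
pem_header() {
    grep '^-----BEGIN' "$1" | head -n 1
}

# Hex modulus of a private key or of a public key in either framing.
# The header decides which openssl input mode applies.
modulus_of() {
    case "$(pem_header "$1")" in
        *"BEGIN RSA PUBLIC KEY"*) mode="-RSAPublicKey_in" ;;
        *"BEGIN PUBLIC KEY"*)     mode="-pubin" ;;
        *)                        mode="" ;;   # private key, PKCS#1 or PKCS#8
    esac
    openssl rsa $mode -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# Succeeds when both files describe the same RSA key, fails otherwise.
keys_match() {
    a=$(modulus_of "$1")
    b=$(modulus_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# SSH's wire format ("ssh-keygen -y") looks nothing like either PEM form.
# Convert it back to SPKI PEM with ssh-keygen so modulus_of can read it.
# Argument 1: private key; argument 2: output PEM path. Needs ssh-keygen.
ssh_pub_as_spki() {
    ssh-keygen -y -f "$1" > "$2.ssh" &&
    ssh-keygen -e -m PKCS8 -f "$2.ssh" > "$2"
}

demo() {
    tmp=$(mktemp -d)
    gen_private_key "$tmp/rsa_key.priv"
    pub_spki  "$tmp/rsa_key.priv" "$tmp/openssl.pub"   # BEGIN PUBLIC KEY
    pub_pkcs1 "$tmp/rsa_key.priv" "$tmp/host.pub"      # BEGIN RSA PUBLIC KEY
    echo "openssl -pubout header: $(pem_header "$tmp/openssl.pub")"
    echo "tinc host file header:  $(pem_header "$tmp/host.pub")"
    if keys_match "$tmp/rsa_key.priv" "$tmp/host.pub"; then
        echo "private key and host.pub carry the same modulus"
    fi
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh_pub_as_spki "$tmp/rsa_key.priv" "$tmp/ssh.pem" &&
        keys_match "$tmp/ssh.pem" "$tmp/host.pub" &&
        echo "ssh-keygen -y output encodes that same modulus too"
    fi
    rm -rf "$tmp"
}
demo
```

For the "zeroconfig" tool in the thread, the useful primitive is keys_match: feed it the client's rsa_key.priv and the server's copy of the host file public key, and regenerate only when it fails. Comparing the PEM text byte for byte, as the original poster tried, compares the framing rather than the key.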