Revision

  $Id: openssl-convert-ssl-key-to-ssh-keypair.base,v 1.3 2005/07/30 06:31:56 klm Exp $

Purpose

  This recipe demonstrates how to convert an OpenSSL key to a public/private OpenSSH key-pair.

Motivation

  The motivation for this recipe is simple -- dual use. That is to say, any user or application that has been issued a certificate can now use their SSL-based credentials for both SSL- and SSH-based authentication.

Requirements

  You'll need a valid certificate and private key -- actually only the key is required. This recipe assumes that your certificate and key will have the names user-crt.pem and user-key.pem, respectively. If your key is encrypted (which it should be), you'll also need to have its passphrase handy.

  You'll need a shell account on a system that supports OpenSSH logins using public/private key authentication.

Time to Implement

  Assuming that you have satisfied all the requirements/prerequisites, this recipe should take less than 15 minutes to implement.

Solution

  The solution is to extract the public key from the private key using ssh-keygen, copy the new key-pair into place, and test them out.

  1. Copy the private SSL key to ~/.ssh/id_ssl.

      $ cp user-key.pem ~/.ssh/id_ssl
      $ chmod 600 ~/.ssh/id_ssl

  2. Extract the public SSH key using ssh-keygen.

      $ ssh-keygen -y -f ~/.ssh/id_ssl > ~/.ssh/id_ssl.pub
      $ chmod 600 ~/.ssh/id_ssl.pub

  3. Add the public key to your authorized_keys file on the system you intend to use for testing. This recipe assumes that you're using localhost.

      $ cat ~/.ssh/id_ssl.pub >> ~/.ssh/authorized_keys

  4. Test the new key by attempting to SSH to localhost.

      $ ssh -i ~/.ssh/id_ssl localhost

     At this point, you'll need to enter your passphrase (assuming you had one), and if all goes well, you'll be sitting at a new shell prompt.

  5. Remove the test key from your authorized_keys file.
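
  Steps 1 and 2 as a shell function, with an added check that the derived SSH public key is the same key the certificate carries. This is an added example, not part of the original recipe; the function name ssl_key_to_ssh and the optional destination-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original recipe.
# ssl_key_to_ssh is a hypothetical helper name; the third argument is an assumption.
# Usage: ssl_key_to_ssh user-key.pem user-crt.pem [destination-dir]
ssl_key_to_ssh() {
    key=$1 crt=$2 dest=${3:-$HOME/.ssh}
    (
        umask 077    # everything created below is readable by the owner only
        mkdir -p "$dest" || exit 1

        # Step 1: copy the private key into place with mode 600.
        cp "$key" "$dest/id_ssl" && chmod 600 "$dest/id_ssl" || exit 1

        # Step 2: derive the public key. ssh-keygen prompts for the passphrase
        # if the key is encrypted. Write to a temporary file first so a failed
        # run never leaves an empty id_ssl.pub behind.
        if ! ssh-keygen -y -f "$dest/id_ssl" > "$dest/id_ssl.pub.tmp"; then
            rm -f "$dest/id_ssl.pub.tmp"; exit 1
        fi
        mv "$dest/id_ssl.pub.tmp" "$dest/id_ssl.pub" || exit 1

        # Check: convert the certificate's public key to OpenSSH format and
        # compare key type and key data (fields 1 and 2) with id_ssl.pub.
        if ! openssl x509 -in "$crt" -noout -pubkey > "$dest/crt-pub.tmp"; then
            rm -f "$dest/crt-pub.tmp"; exit 1
        fi
        from_crt=$(ssh-keygen -i -m PKCS8 -f "$dest/crt-pub.tmp" | awk '{print $1, $2}')
        rm -f "$dest/crt-pub.tmp"
        from_key=$(awk '{print $1, $2}' "$dest/id_ssl.pub")
        if [ -z "$from_key" ] || [ "$from_key" != "$from_crt" ]; then
            echo "public key from $key does not match $crt" >&2
            exit 1
        fi
    )
}

# Run the conversion only when arguments are given.
[ "$#" -eq 0 ] || ssl_key_to_ssh "$@"
```
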

Closing Remarks

  In theory, a single certificate and key issued to an employee would be sufficient to access all participating SSL- and SSH-based resources in a given environment (or perhaps the entire company).

Credits

  This recipe was brought to you by Klayton Monroe.

References

  openssl(1), ssh-keygen(1)