  #1  
Old 08-07-2013, 04:12 AM
AlexT (Registered User; joined Mar 2007; 16 posts)
Allow SSH keys to be of type ECDSA (rather than only RSA and DSA)

RFC 5656 defines elliptic-curve (ECDSA) key formats (host and user) for use with SSH-2, and associated ECDH key exchange methods. OpenSSH has supported these since 5.7. Most government agencies (USA, Russia, France, et al) have already switched from RSA/DSA to ECDSA.

SecureCRT does not currently support these ("Unknown file format"). That's unfortunate since it prevents users from exclusively switching to the more secure key format.

See here for more:

http://www.technologyreview.com/news...curity-crisis/
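As an added illustration of the RFC 5656 public key format that the post above refers to (example code written for this page, not SecureCRT's or VanDyke's code): a small Python parser that checks whether an OpenSSH-style public key line is a well-formed ecdsa-sha2-nistpNNN key, rejecting other key types, unknown curves and mis-sized or compressed points. The helper and the filler coordinates it builds are constructed for the example and are not a real curve point.

```python
import base64
import hashlib
import struct

# RFC 5656 section 6.1 required curves, with the byte length of one field element.
NIST_CURVES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}

def _read_string(buf, offset):
    """Read one SSH 'string' (uint32 big-endian length, then bytes) per RFC 4251."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:end], end

def parse_ecdsa_public_key(line):
    """Parse an authorized_keys-style 'ecdsa-sha2-nistpNNN <base64> [comment]' line.
    Returns (curve, Q, fingerprint); raises ValueError on anything that is not a
    well-formed RFC 5656 ECDSA public key."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("ecdsa-sha2-"):
        raise ValueError("not an RFC 5656 ECDSA key line")
    blob = base64.b64decode(parts[1], validate=True)
    # Blob layout (RFC 5656 3.1): string "ecdsa-sha2-[id]", string [id], string Q.
    key_type, off = _read_string(blob, 0)
    identifier, off = _read_string(blob, off)
    q, off = _read_string(blob, off)
    if off != len(blob) or key_type != parts[0].encode():
        raise ValueError("trailing bytes or key type mismatch")
    curve = identifier.decode("ascii")
    if key_type != b"ecdsa-sha2-" + identifier or curve not in NIST_CURVES:
        raise ValueError("unsupported curve identifier: " + curve)
    # Q is an uncompressed SEC1 point 0x04 || X || Y, one field element per coordinate.
    n = NIST_CURVES[curve]
    if len(q) != 1 + 2 * n or q[0] != 0x04:
        raise ValueError("Q is not an uncompressed point of the expected size")
    # A real client must also verify Q lies on the curve (SEC1 validation); omitted here.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return curve, q, "SHA256:" + digest

def build_sample_line(curve, prefix=0x04):
    """Constructed sample for testing; X/Y are filler bytes, NOT a real curve point."""
    n = NIST_CURVES[curve]
    q = bytes([prefix]) + b"\x11" * n + b"\x22" * n
    fields = (b"ecdsa-sha2-" + curve.encode(), curve.encode(), q)
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ecdsa-sha2-%s %s constructed@example" % (curve, base64.b64encode(blob).decode())
```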
  #2  
Old 08-07-2013, 07:50 AM
rtb (VanDyke Technical Support; joined Aug 2008; 4,306 posts)
Thanks for the information AlexT.

I have created a feature request in our SecureCRT enhancement database to add support for RFC 5656. Should we add support for this in the future, we will post to this forum thread.

If you would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #3  
Old 11-24-2013, 08:24 AM
mdella (Registered User; joined Mar 2004; Scotts Valley, CA; 44 posts)
ECDSA Implementation....

We are moving to new 521-bit keys under this method (funny, you'd think 512 would have been the number :-)) but have now required that we build "jump boxes" into semi-secure areas to get to our secure machines since SecureCRT does not yet support the ECDSA protocol.

Just curious, I noticed you said you were putting it under feature requests, but I was wondering if there was an estimated timeline for doing this? I'm asking as we are putting in timelines for switching our secure desktops to something other than SecureCRT, and quite honestly it's easier to go with the status quo if it will (within our timelines) support where we are going with encryption.

Thanks!
__________________
Marcos Della
Data Center Cloud Architect
Nutanix

PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E
Key ID: 0x30942B9E

Last edited by mdella; 11-24-2013 at 08:30 AM.
  #4  
Old 11-25-2013, 10:00 AM
Maureen (VanDyke Product Director; joined Feb 2004; Albuquerque, NM; 1,612 posts)
Thanks for following up on this. Due to export restrictions, we are required to submit a request to the Federal Government before this support can be added to our products. At this time, we don't know how long this process will take. We hope that the process will go quickly enough so that support for RFC 5656 can be added to the next version of SecureCRT. What is your timeline for switching your desktops?

Maureen
  #5  
Old 11-26-2013, 08:12 AM
mdella (Registered User; joined Mar 2004; Scotts Valley, CA; 44 posts)
Switching our public connection policy...

Well, first a couple of things... I'm only speaking for the HP Web Services group. As you know, HP is rather large and everyone is going their own different ways, so it's not like it's a huge group you're speaking to (although we and HPCS seem to be on the forefront of much of HP's public internet directions).

As far as when, we are in the process of hand-recompiling OpenSSL and OpenSSH to allow for ECDSA keys. It's a multi-stage process as we have to get the correct software on all Linux boxes to begin with (meaning at this point, we have to build our own RPMs for RedHat/CentOS 6.4), then work on the key distribution system. So it's a multi-month project, but just like development on your side, everything takes time :-)

I'm just trying to see, by the time we get to the end of our project, what "desktop" clients out there will be supporting our changes. Additionally, something you mentioned had me a little worried, as I have gone through the same process you're mentioning elsewhere. If you have to apply to the Feds for the usage of EC, then are you going to allow the use of another application to generate the keys? One of our issues is what influence is allowed in the key generation process.

So to summarize:

1. We have quite a bit of time before moving to EC (months, not weeks)
2. We have concerns of "where" EC 521-bit keys are generated and are more interested in applications that will import our keys
3. Isolation testing takes a couple weeks where we look at (from outside the program) what is being done with the keys imported

Marcos

P.S. Normally we'd prefer something where we can look at the code to see what's going on, but for 95% of our users, your application is much more user-friendly and not as concerning for the security aspects. It's the 5% of our operations population that's going to have to go to a code-vetted method of connection because of what they can connect to on the other side.
  #6  
Old 05-19-2015, 04:36 PM
rtb (VanDyke Technical Support; joined Aug 2008; 4,306 posts)
Hi All,

This post is to announce that SecureCRT/FX 7.3.3 and VShell 4.1 all support RFC 5656 (ECDSA and ECDH).
  #7  
Old 06-04-2015, 07:53 AM
garibaldi0 (Registered User; joined May 2010; 5 posts)
Thanks for adding the ECDSA support!!!

On the Mac version I'm getting the following error trying to add the ECDSA key to the agent:

Adding a key to the agent failed: Agent operation failed.

This works fine on the PC version.
  #8  
Old 06-04-2015, 08:53 AM
rtb (VanDyke Technical Support; joined Aug 2008; 4,306 posts)
Hi garibaldi0,

Thanks for the report. We are investigating this behavior. We will post to this thread when we have more information about the behavior that you are seeing. I have been able to reproduce the behavior as well.

If you would like to be notified directly, please complete and submit the form at the following location:
Submit Bug Report
  #9  
Old 07-17-2015, 04:41 PM
rtb (VanDyke Technical Support; joined Aug 2008; 4,306 posts)
Hi garibaldi0, All,

SecureCRT on Mac OS X uses the OpenSSH agent included with the OS by Apple. You should contact Apple about adding OpenSSH agent support for ECDSA keys.