Hi,
When I try to create SSH key pairs with the module ansible.builtin.openssh_keypair, a new key pair is generated as expected.
$ cat test_key1.yml
However, the public key is showing the caption as ssh-rsa .. and the private key is displaying the label as "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----".
I am looking to create RSA key pairs with 2048b, something we used to create with the command ssh-keygen -t rsa -b 2048.
The private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----".
Could you please elaborate why it **must** start with "-----BEGIN RSA
PRIVATE KEY-----"? Does your SSH version not accept "-----BEGIN OPENSSH
PRIVATE KEY-----"?
In any case, I would suggest looking at the private_key_format option of the module.
All the best,
Felix
Yes, we need an RSA format PEM key which is compatible with the application.
Whenever an OPENSSH PRIVATE KEY generated with the playbook is used for authentication, login to the application is working but it's not functioning 100% as expected.
When an RSA format PEM or id_rsa key (ssh-keygen -t rsa -b 2048) is used, then login and functioning of the application are working fine. (Vendor recommended RSA format SSH key.)
In what way is it “not functioning 100% as expected”?
Add the following parameters to your task:
backend: cryptography
private_key_format: pkcs1
Looking at the docs, this means that your application depends on OpenSSH < 7.8, because only those versions created PKCS1 private key files (the ones with “BEGIN RSA…”).
See https://superuser.com/questions/1720991/ for an interesting read on some historical background and rationale.
After reading that you may want to ask questions to your vendor, for example why their application insists on a legacy, less secure format (although the latter only applies to encrypted keys, which you don’t seem to be generating).
If it is a key for ssh, then they might also be using specific fields from the ASN.1 structure. This is possible, but then it’s not just an ssh key anymore.
Dick
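A complete playbook putting Dick's two parameters into the task from the original question, plus a check that the file really came out in PKCS#1 form. This is an added example, not code from the thread or from the collection's docs; the key path is hypothetical, and it assumes the community.crypto collection is installed (ansible.builtin.openssh_keypair redirects to it) and that the "cryptography" Python library is available where the task runs, which the cryptography backend needs.

```yaml
# Added example: generate an RSA-2048 key pair as a legacy PKCS#1 PEM file
# ("-----BEGIN RSA PRIVATE KEY-----") and verify the header before use.
- name: Generate an RSA-2048 key pair in PKCS#1 PEM format
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create the key pair (PKCS#1 private key format)
      community.crypto.openssh_keypair:
        path: /tmp/app_id_rsa        # hypothetical path, choose your own
        type: rsa
        size: 2048
        backend: cryptography        # private_key_format only applies to this backend
        private_key_format: pkcs1    # writes "BEGIN RSA PRIVATE KEY" instead of OPENSSH
        mode: "0600"                 # private key must not be group/world readable
        # Regenerate an existing key at this path if its type, size or format differ;
        # note that this replaces the old key, so only use it when that is intended.
        regenerate: full_idempotence
      register: app_key

    - name: Read the first line of the private key file
      ansible.builtin.command: head -n 1 /tmp/app_id_rsa
      changed_when: false
      register: key_header

    - name: Fail the play if the key is not in PKCS#1 format
      ansible.builtin.assert:
        that:
          - key_header.stdout == "-----BEGIN RSA PRIVATE KEY-----"
        fail_msg: "Unexpected private key header: {{ key_header.stdout }}"

    - name: Show the fingerprint and public key the module returned
      ansible.builtin.debug:
        msg: "{{ app_key.fingerprint }} {{ app_key.public_key }}"
```

The public key file written next to the private key still starts with "ssh-rsa", which is the normal OpenSSH public key line; only the private key format changes.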