realestate-com-au / credulous

AWS Credential management
MIT License

`credulous save` complains if my SSH key is too short #60

Closed mrowe closed 10 years ago

mrowe commented 10 years ago

```
$ wc ~/.ssh/id_rsa
      15      21     887 /Users/mrowe/.ssh/id_rsa
$ credulous save
ERROR: crypto/rsa: message too long for RSA public key size
Failed to source credentials
```

But it appears to save the credentials anyway:

```
$ credulous display
AWS_ACCESS_KEY_ID: xxxx
AWS_SECRET_ACCESS_KEY: xxxx
```

mrowe commented 10 years ago

Sorry, that last statement was incorrect:

```
$ credulous list
ERROR: No saved credentials found; please run 'credulous save' first
Failed to source credentials
```

nonspecialist commented 10 years ago

Can you paste in the fingerprint of your ~/.ssh/id_rsa please?

```
host$ ssh-keygen -f ~/.ssh/id_rsa -l
```

It'll show the key length. I suspect it might only be a 1024-bit key.

mrowe commented 10 years ago

I was hoping the char count for the file would give that away. ;-)

```
$ ssh-keygen -l -f ~/.ssh/id_rsa
1024 6e:a5:ff:76:48:05:f6:fa:85:fc:b7:b6:4c:2b:70:1d  mrowe@mojain.com (RSA)
```

So yes, 1024 bits. FWIW it works fine when I use a 2048-bit RSA key.

nonspecialist commented 10 years ago

Yeah, that's what I thought ;)

PKCS#1 pads the message to the size of the modulus, which means we can actually only encrypt 117 bytes with a 1024-bit key.

To fix this, we will have to:

This is going to become more of a problem as people want to save more environment variables ...

The temporary workaround is to generate a longer key (a 4096-bit key can encrypt up to 501 bytes).

nonspecialist commented 10 years ago

key size is 32 bytes for AES256
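
The size limit discussed in this thread, as an added Go example that is not credulous's code or its actual fix: PKCS#1 v1.5 rejects a 118-byte payload under a 1024-bit key, while wrapping only a fresh 32-byte AES-256 key with RSA and encrypting the payload with AES-GCM removes the limit. `maxPKCS1v15` and `sealHybrid` are hypothetical names, and the key and payload are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// maxPKCS1v15 is the largest plaintext PKCS#1 v1.5 encryption accepts:
// modulus size in bytes minus 11 bytes of padding (117 for a 1024-bit key).
func maxPKCS1v15(pub *rsa.PublicKey) int { return pub.Size() - 11 }

// sealHybrid (hypothetical helper) encrypts msg of any length with a fresh
// AES-256-GCM key; RSA only wraps that 32-byte key. sealed = nonce||ciphertext.
func sealHybrid(pub *rsa.PublicKey, msg []byte) ([]byte, []byte, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, nil, err
	}
	return wrapped, gcm.Seal(nonce, nonce, msg, nil), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // constructed key, same size as in the issue
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	secret := make([]byte, 118) // constructed payload, one byte over the limit
	_, direct := rsa.EncryptPKCS1v15(rand.Reader, pub, secret)
	wrapped, sealed, hybrid := sealHybrid(pub, secret)
	fmt.Println("limit:", maxPKCS1v15(pub), "direct:", direct)
	fmt.Println("wrapped:", len(wrapped), "sealed:", len(sealed), "hybrid:", hybrid)
}
```

To decrypt, recover the AES key with `rsa.DecryptPKCS1v15` and pass the first 12 bytes of `sealed` as the nonce to the GCM `Open` call.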