Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 21:38:58 +0530
From: Dhiru Kholia <>
Subject: Re: Formats ssh and ssh-ng

On Thu, Jan 24, 2013 at 8:50 PM, Frank Dittrich
<> wrote:
> I think ssh and/or ssh-ng formats need at least some documentation, but
> preferably even some code changes.

Good point. I can quickly write a "README.ssh" file explaining the
usage of and the difference between these two formats.

> $ ./ id_rsa > sshng-test
> (BTW: I had to install python-crypto on Fedora 18 to make the script work.)

Can you please test the following patch to see if it makes things better?

diff --git a/run/ b/run/
index 12a6f60..b08a85e 100755
--- a/run/
+++ b/run/
@@ -31,10 +31,16 @@ from hashlib import md5 as MD5

 limited = False

+class Object(object):
+    pass
-    from Crypto.Cipher import DES3, AES
+    from Crypto.Cipher import DES3, AES1
 except ImportError:
     print >> sys.stderr, "PyCrypto is missing in your Python
installation, %s is operating is limited features mode!" % sys.argv[0]
+    AES = Object()
+    AES.MODE_CBC = ""
     limited = True

@@ -639,7 +645,8 @@ class PKey (object):

         if 'proc-type' not in headers:
             # unencryped: done
-            return data
+            print >> sys.stderr, "%s has no password!" %
+            return None
         # encrypted keyfile: will need a password
         if headers['proc-type'] != '4,ENCRYPTED':
             raise SSHException('Unknown private key structure "%s"' %
@@ -674,7 +681,7 @@ class PKey (object):
                 return ddata
             except ValueError:  # incorrect password
                 return data
-        return None
+        return self.hash  # dummy value

 def chunks(l, n):
@@ -717,6 +724,8 @@ class RSADSSKey (PKey):
     def _from_private_key_file(self, filename, password):
         data = self._read_private_key_file('RSA', filename, password)

+        if not data:
+            return
         if limited:
             print self.hash

> Apparently, both formats are able to crack the same input file after
> converting it using the right tool. But ssh-ng is much faster.

Yes, ssh-ng is fast :-)

> Why does ssh-ng have the "False positives possible" flag set?

ssh-ng does partial decryption and partial ASN decoding, hence it can
have false positives.

> If ssh can avoid false positives, ssh-ng should be able to avoid false
> positives as well, no?

You are right. We can have a 100% solid verification check in ssh-ng
format as well (and then remove FMT_NOT_EXACT from ssh-ng format).

> This:
> $ ls -l ssh*test
> -rw-rw-r--. 1 fd fd 2425 Jan 24 15:51 sshng-test
> -rw-rw-r--. 1 fd fd 3505 Jan 24 15:51 ssh-test
> doesn't look like ssh2john is extracting less information from the
> keyfile than sshng2john is.
> So, shouldn't ssh-ng be able to "understand" and convert $ssh2$ hashes?
> What about ssh understanding the $sshng$ hashes?

IMO, we only care about ssh-ng being able to "understand" old-style
$ssh2$ hashes. Yes, this is possible and at some point I might have
promised Solar to implement such a feature ;)

> Why do we even need two different tags?
> Why different format names?

ssh format is well tested and been proven to work whereas ssh-ng is
highly experimental (but faster). So both formats currently co-exist.

> Can't ssh-ng report "SSH RSA / DSA" instead of "ssh-ng SSH RSA / DSA"?
> This would allow to pick the fastest of several benchmarks for
> performance comparison in relbench.
> (Of course, the format name should only be changed if both formats
> understand the same canonical hash representation and if ssh-ng doesn't
> produce false positives.)

ssh-ng *might* produce false positives (but it hasn't so far!) and
making ssh-ng understand old-style hashes requires more work (i.e.
patches welcome).

Hence, for now, it is better to treat them as separate formats.

> What am I missing here?

I hope that I have answered your questions. Thanks for the feedback.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.