[Breaking] Drop support for RSA PKCS#1 PEM keys in favor of the OpenS…

…SH format. As described in the README, this library embraces OpenSSH format when possible. This drops support for the RSA PKCS#1 PEM ('RSA PRIVATE KEY') format which was supported because the library author was using this format for a key. If you are using a key in this format, it can be converted by running: ssh-keygen -p -f <key_file> The OpenSSH format has been supported in OpenSSH since 2014 and became the default format used by 'ssh-keygen' in 2018.
tmds · Dec 12, 2024 · 31b5c8f · 31b5c8f
1 parent 8ed427c
commit 31b5c8f
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 56 deletions.
diff --git a/README.md b/README.md
@@ -521,9 +521,12 @@ class SshConnectionClosedException : SshConnectionException
 
 This section lists the currently supported algorithms. If you would like support for other algorithms, you can request it with an issue in the repository. If the requested algorithm is considered insecure by current practice, it is unlikely to be added.
 
-Supported private key formats:
-- RSA in `RSA PRIVATE KEY`
-- RSA, ECDSA, ED25519 in `OPENSSH PRIVATE KEY` (`openssh-key-v1`)
+Supported private key formats*:
+- RSA, ECDSA, ED25519 in `OPENSSH PRIVATE KEY` (`openssh-key-v1`) with encryption:
+  - none
+  - aes[128|192|256]-[cbc|ctr]
+  - aes[128|256]-gcm@openssh.com
+  - chacha20-poly1305@openssh.com
 
 Supported private key encryption cyphers:
 - OpenSSH Keys `OPENSSH PRIVATE KEY` (`openssh-key-v1`)
@@ -569,6 +572,8 @@ Authentications:
 - gssapi-with-mic (`KerberosCredential`)
 - none (`NoCredential`)
 
+*: Please convert your keys (using `ssh-keygen`, `PuttyGen`, ...) to a supported format rather than suggesting the library should support an additional format. If you can motivate why the library should support a additional format, open an issue to request support.
+
 ## Design
 
 * Since SSH is a network protocol, the APIs are asynchronous and implemented using C# `async` and .NET's `Task`/`ValueTask`.

diff --git a/src/Tmds.Ssh/PrivateKeyParser.RsaPkcs1.cs b/src/Tmds.Ssh/PrivateKeyParser.RsaPkcs1.cs
diff --git a/src/Tmds.Ssh/PrivateKeyParser.cs b/src/Tmds.Ssh/PrivateKeyParser.cs
@@ -73,8 +73,6 @@ internal static PrivateKey ParsePrivateKey(ReadOnlyMemory<char> rawKey, Func<str
 
         switch (keyFormat)
         {
-            case "-----BEGIN RSA PRIVATE KEY-----":
-                return ParseRsaPkcs1PemKey(keyData, metadata);
             case "-----BEGIN OPENSSH PRIVATE KEY-----":
                 return ParseOpenSshKey(keyData, passwordPrompt);
             default:

diff --git a/test/Tmds.Ssh.Tests/PrivateKeyCredentialTests.cs b/test/Tmds.Ssh.Tests/PrivateKeyCredentialTests.cs
@@ -73,16 +73,6 @@ public async Task CtorWithRawKey()
         Assert.NotNull(privateKey);
     }
 
-    [Fact]
-    public async Task Pkcs1RsaKey()
-    {
-        await RunWithKeyConversion(_sshServer.TestUserIdentityFile, async (string localKey) =>
-        {
-            await EncryptSshKey(localKey, "PEM", null, null);
-            return new PrivateKeyCredential(localKey);
-        }, async (c) => await c.ConnectAsync());
-    }
-
     [Fact]
     public async Task FailPkcs1EncryptedRsaKey()
     {