VanDyke Software Forums


AlexT 08-07-2013 05:12 AM

Allow SSH keys to be of type ECDSA (rather than only RSA and DSA)
RFC 5656 defines elliptic-curve (ECDSA) key formats (host and user) for use with SSH-2, and associated ECDH key exchange methods. OpenSSH has supported these since 5.7. Most government agencies (USA, Russia, France, et al) have already switched from RSA/DSA to ECDSA.

SecureCRT does not currently support these ("Unknown file format"). That's unfortunate since it prevents users from exclusively switching to the more secure key format.

See here for more:

rtb 08-07-2013 08:50 AM

Thanks for the information AlexT.

I have created a feature request in our SecureCRT enhancement database to add support for RFC 5656. Should we add support for this in the future, we will post to this forum thread.

If you would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request

mdella 11-24-2013 09:24 AM

ECDSA Implementation....
We are moving to new 521-bit keys under this method (funny, you'd think 512 would have been the number :-)) but have now required that we build "jump boxes" into semi-secure areas to get to our secure machines since SecureCRT does not yet support the ECDSA protocol.

Just curious, I noticed you said you were putting it under feature requests, but I was wondering if there was an estimated timeline for doing this? I'm asking as we are putting in timelines to switching our secure desktops to something other than SecureCRT and quite honestly it's easier to go with the status quo if it will (within our timelines) support where we are going with encryption.


Maureen 11-25-2013 11:00 AM

Thanks for following up on this. Due to export restrictions, we are required to submit a request to the Federal Government before this support can be added to our products. At this time, we don't know how long this process will take. We hope that the process will go quickly enough so that support for RFC 5656 can be added to the next version of SecureCRT. What is your timeline for switching your desktops?


mdella 11-26-2013 09:12 AM

Switching our public connection policy...
Well, first a couple things... I'm only speaking for the HP Web Services group. As you know, HP is rather large and everyone is going their own different ways so it's not like it's a huge group you're speaking to (although us and HPCS seem to be on the forefront of much of HP's public internet directions).

As far as when, we are in the process of hand recompiling openssl and openssh to allow for ECDSA keys. It's a multistage process as we have to get the correct software on all Linux boxes to begin with (meaning at this point, we have to build our own RPMs for RedHat/CentOS 6.4) then work on the key distribution system. So it's a multi-month project, but just like development on your side, everything takes time :-)

I'm just trying to see if by the time we get to the end of our project, what "desktop" clients out there will be supporting our changes. Additionally something you mentioned had me a little worried as I have gone through the same process you're mentioning elsewhere. If you have to apply to the Feds for the usage of EC, then are you going to allow the use of another application to generate the keys? One of our issues is what influence is allowed in the key generation process.

So to summarize:

1. We have quite a bit of time before moving to EC (months, not weeks)
2. We have concerns of "where" EC 521-bit keys are generated and are more interested in applications that will import our keys
3. Isolation testing takes a couple weeks where we look at (from outside the program) what is being done with the keys imported


P.S. Normally we'd prefer something where we can look at the code to see what's going on, but for 95% of our users, your application is much more user friendly and not as concerning for the security aspects. It's the 5% of our operations population that's going to have to go to a code-vetted method of connection because of what they can connect to on the other side.
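AlexT's opening post names the RFC 5656 key format that SecureCRT rejected as "Unknown file format", and mdella's post above asks what an importing client does with the keys it is handed. The following is an added example, not VanDyke code and not from anyone in this thread: a structural parser for the RFC 5656 section 3.1 public key blob (string "ecdsa-sha2-[identifier]", string [identifier], string Q) as it appears on an authorized_keys line, with the consistency checks a key-importing client should make. The curve identifiers and coordinate sizes come from RFC 5656; the sample point bytes are constructed and are not a real P-521 point.

```python
import base64

CURVE_COORD_LEN = {"nistp256": 32, "nistp384": 48, "nistp521": 66}  # RFC 5656 REQUIRED curves

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def read_ssh_string(blob: bytes, pos: int):
    """Decode one SSH 'string' at blob[pos:]; return (value, position after it)."""
    n = int.from_bytes(blob[pos:pos + 4], "big") if pos + 4 <= len(blob) else None
    if n is None or pos + 4 + n > len(blob):
        raise ValueError("truncated or oversized string in key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def ecdsa_key_line(curve: str, q: bytes, comment: str = "") -> str:
    """Render the RFC 5656 section 3.1 blob (string type, string curve, string Q) as a key line."""
    blob = ssh_string(b"ecdsa-sha2-" + curve.encode()) + ssh_string(curve.encode()) + ssh_string(q)
    return "ecdsa-sha2-%s %s %s" % (curve, base64.b64encode(blob).decode(), comment)

def parse_ecdsa_key_line(line: str) -> dict:
    """Parse and structurally validate an ECDSA key line; raise ValueError on any defect."""
    parts = line.split(None, 2)                  # key type, base64 blob, optional comment
    keytype, b64 = parts[:2]                     # ValueError if either field is missing
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = read_ssh_string(blob, 0)
    curve, pos = read_ssh_string(blob, pos)
    q, pos = read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after Q")
    if wire_type != keytype.encode() or wire_type != b"ecdsa-sha2-" + curve:
        raise ValueError("key type, wire type and curve identifier disagree")
    n = CURVE_COORD_LEN.get(curve.decode())
    if n is None:
        raise ValueError("unsupported curve identifier %r" % curve)
    # Q must be a SEC1 uncompressed point, 0x04 || X || Y, each coordinate n bytes.
    if len(q) != 1 + 2 * n or q[0] != 0x04:
        raise ValueError("Q is not an uncompressed %s point" % curve.decode())
    return {"curve": curve.decode(), "x": q[1:1 + n], "y": q[1 + n:], "comment": parts[2].strip() if len(parts) > 2 else ""}

def rejects(line: str) -> bool:
    try:
        parse_ecdsa_key_line(line)
    except ValueError:
        return True
    return False

# Constructed sample (synthetic bytes, not a real P-521 point): lengths are checked here, curve membership is not.
SAMPLE_Q = b"\x04" + bytes(range(66)) + bytes(range(66, 132))
SAMPLE_LINE = ecdsa_key_line("nistp521", SAMPLE_Q, "jumpbox-admin")
```

A client that imports keys for real use would additionally confirm that Q lies on the named curve and is not the point at infinity, which this structural check does not do.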

rtb 05-19-2015 05:36 PM

Hi All,

This post is to announce that SecureCRT/FX 7.3.3 and VShell 4.1 all support RFC 5656 (ECDSA and ECDH).

garibaldi0 06-04-2015 08:53 AM

Thanks for adding the ECDSA support!!!

On the Mac version I'm getting the following error trying to add the ECDSA key to the agent:

Adding a key to the agent failed: Agent operation failed.

This works fine on the PC version.

rtb 06-04-2015 09:53 AM

Hi garibaldi0,

Thanks for the report. We are investigating this behavior. We will post to this thread when we have more information about the behavior that you are seeing. I have been able to reproduce the behavior as well.

If you would like to be notified directly, please complete and submit the form at the following location:
Submit Bug Report

rtb 07-17-2015 05:41 PM

Hi garibaldi0, All,

SecureCRT on Mac OS X uses the OpenSSH agent included with the OS by Apple. You should contact Apple about adding OpenSSH agent support for ECDSA keys.
