You can actually use openssl with RSA keys generated by ssh-keygen to sign also, and this has worked for a long time.
https://www.linuxjournal.com/content/flat-file-encryption-op...
You will have to generate an openssl-compatible public key:

    openssl rsa -in ~/.ssh/id_rsa -pubout -out ~/.ssh/id_rsa.pub.openssl

To sign:

    openssl dgst -sha256 -sign ~/.ssh/id_rsa -out known_hosts.sha256 known_hosts

To verify:

    openssl dgst -sha256 -verify ~/.ssh/id_rsa.pub.openssl -signature known_hosts.sha256 known_hosts
Here is a little script to automate this:

    $ cat rsign
    #!/bin/sh
    set -eu # http://redsymbol.net/articles/unofficial-bash-strict-mode/
    # Dispatch on the name the script was invoked as (rsign or rchek).
    case "$(basename "$0")" in
    rsign)
        for n
        do openssl dgst -sha256 -sign ~/.ssh/id_rsa -out "$n".sha256 "$n"
        done ;;
    rchek)
        for n
        do # '%s' keeps a % in a file name from being read as a format directive.
           printf '%s ' "$n"
           openssl dgst -sha256 -verify ~/.ssh/id_rsa.pub.openssl \
               -signature "${n}.sha256" "$n"
        done ;;
    esac
    $ cp /etc/passwd /etc/group /etc/hosts .
    $ ./rsign passwd group hosts
    $ ls -l *.sha256
    -rw-r--r-- 1 luser lgroup 256 Nov 12 13:21 group.sha256
    -rw-r--r-- 1 luser lgroup 256 Nov 12 13:21 hosts.sha256
    -rw-r--r-- 1 luser lgroup 256 Nov 12 13:21 passwd.sha256
    $ ln rsign rchek
    $ ./rchek passwd group hosts
    passwd Verified OK
    group Verified OK
    hosts Verified OK
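A round trip of the commands in this comment against a throwaway key, showing that verification fails once the signed file changes. This is an added example, not part of the original comment. The helper names and the sample file are constructed for illustration, and `-m PEM` is included on the assumption that the local ssh-keygen would otherwise write the newer OpenSSH private-key format, which `openssl rsa` does not read.

```shell
#!/bin/sh
# Added example (constructed): sign/verify round trip with a throwaway key.
set -eu

# make_key DIR: write DIR/id_rsa (PEM) and DIR/id_rsa.pub.openssl.
make_key() {
    # -m PEM asks ssh-keygen for the format openssl can parse; the default
    # "BEGIN OPENSSH PRIVATE KEY" container is not readable by openssl.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$1/id_rsa" 2>/dev/null ||
        openssl genrsa -out "$1/id_rsa" 2048 2>/dev/null  # stand-in if ssh-keygen is unavailable
    openssl rsa -in "$1/id_rsa" -pubout -out "$1/id_rsa.pub.openssl" 2>/dev/null
}

# key_format FILE: classify a private key by its first line.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') echo pem ;;
        *) echo unknown ;;
    esac
}

# sign_file DIR FILE: write FILE.sha256, as the rsign branch does.
sign_file() { openssl dgst -sha256 -sign "$1/id_rsa" -out "$2.sha256" "$2"; }

# verify_file DIR FILE: exit status 0 only if FILE still matches FILE.sha256.
verify_file() {
    openssl dgst -sha256 -verify "$1/id_rsa.pub.openssl" \
        -signature "$2.sha256" "$2" >/dev/null 2>&1
}

# demo: print "<key format> <verify before change> <verify after change>".
demo() {
    dir=$(mktemp -d)
    make_key "$dir"
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' > "$dir/passwd"  # constructed sample
    sign_file "$dir" "$dir/passwd"
    if verify_file "$dir" "$dir/passwd"; then before=ok; else before=fail; fi
    printf '# edited after signing\n' >> "$dir/passwd"  # any change invalidates the signature
    if verify_file "$dir" "$dir/passwd"; then after=ok; else after=fail; fi
    echo "$(key_format "$dir/id_rsa") $before $after"
    rm -rf "$dir"
}
demo  # prints: pem ok fail
```

For an existing key that `key_format` reports as `openssh`, `ssh-keygen -p -m PEM -f <keyfile>` rewrites it in place as PEM.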