What are the key file formats of JSch and sharpSSH?

Question

I'm looking at setting up public key client and server authentication for SFTP using the JSch library (or actually the sharpSSH C# port of it). Unfortunately I cannot find any documentation for the file formats used by the key loading functions:

jsch.addIdentity(filename, passphrase);
jsch.setKnownHosts(filename);

What file format is used by the private key and known hosts files?

Answer 1

JSch uses the OpenSSH key file format (both for public and private keys). I didn't find a specification of this format, but you can use OpenSSH's ssh-keygen tool to convert the keys from/to other formats (and Google will show other tools of converting from/to even more formats).

Update: After asking on the OpenSSH mailing list and reading some RFC's, it looks like OpenSSH's public key file contains (for version 2 keys) the public key as specified in RFC 4253 (section 6.6), just with a base64-wrapping around it (and the key type as prefix, and a comment field as postfix). I still didn't yet find a specification for the private key file.

Unfortunately, the official documentation for JSch is almost nonexistent, but I did write some Javadocs for it. (Though it seems not to mention the key file format ... I'll have to fix this.) There is also the Manual in the JSch Wiki, containing a page about public key authentication (which also doesn't mention the key format yet :-/).

The known hosts file is also in the same format as the corresponding file of the OpenSSH client. It's format is explained in OpenSSH's sshd manual page, section SSH KNOWN HOSTS FILE FORMAT:

Each line in these files contains the following fields: markers (optional), hostnames, bits, exponent, modulus, comment. The fields are separated by spaces.

This is actually only correct for SSH 1 RSA keys. For SSH 2 keys, you have a type identifier (ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss or ssh-rsa) and then the key in base-64 encoded form. (See a bit up in the same manual page, for the authorized keys file). (I think JSch only supports the DSA and RSA key formats, no ECDSA.)

Note that the lines in these files are typically hundreds of characters long, and you definitely don't want to type in the host keys by hand. Rather, generate them by a script, ssh-keyscan(1) or by taking /etc/ssh/ssh_host_key.pub and adding the host names at the front. ssh-keygen(1) also offers some basic automated editing for ~/.ssh/known_hosts including removing hosts matching a host name and converting all host names to their hashed representations.