yahoo-eng-team team mailing list archive

[Bug 1483132] [NEW] ssh-keygen-to-Paramiko change breaks third-party tools


Public bug reported:

Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
library [1][2] changed (unintentionally?) the ASN.1 encoding format of
SSH private keys from DER to BER.  (DER is a strict subset of BER, so
anything that can read BER can read DER, but not necessarily the other
way around.)

Some third-party tools only support DER and this has created at least
one issue [3] (specifically because Go's standard library only supports
DER).

I have provided Paramiko with a small change that makes its SSH private
key output equal to OpenSSH's ssh-keygen output (and presumably DER
formatted) [4].

Providing a change to Paramiko is just one method of addressing this
backwards-incompatibility and interoperability issue.  Should the
Paramiko change be accepted the unit test output vectors will need to be
changed, but should it not, is a reversion of or modification to Nova
acceptable to maintain backwards-compatibility and interoperability?

[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572

** Affects: nova
     Importance: Undecided
         Status: New

** Summary changed:

- ssh-keygen-to-paramiko change breaks third-party tools
+ ssh-keygen-to-Paramiko change breaks third-party tools

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1483132

Title:
  ssh-keygen-to-Paramiko change breaks third-party tools

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions
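The report's point is that a key can be valid BER yet be rejected by a DER-only parser. The checker below is an added example, not code from the bug report, Nova or Paramiko: it walks the ASN.1 TLV structure of a decoded private key blob and lists the BER-only encodings DER forbids (indefinite lengths, non-minimal length octets, padded INTEGERs). The PEM and byte samples are constructed toy SEQUENCEs, not real keys.

```python
import base64

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armor and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def der_violations(buf):
    """Return a list of encoding choices in buf that are legal BER but not DER.
    An empty list means the blob is DER-strict (what a Go-style parser expects)."""
    problems = []

    def walk(pos, end):
        while pos < end:
            if pos + 1 >= end:
                problems.append(f"offset {pos}: truncated element header")
                return
            tag, first = buf[pos], buf[pos + 1]
            pos += 2
            if first == 0x80:  # indefinite length: allowed in BER, never in DER
                problems.append(f"offset {pos - 1}: indefinite-length element")
                return
            if first < 0x80:
                length = first
            else:  # long form: fewest bytes possible, and only for length >= 128
                n = first & 0x7F
                lenbytes = buf[pos:pos + n]
                pos += n
                length = int.from_bytes(lenbytes, "big")
                if n == 0 or lenbytes[0] == 0 or length < 0x80:
                    problems.append(f"offset {pos - n - 1}: non-minimal length encoding")
            if pos + length > end:
                problems.append(f"offset {pos}: element runs past its parent")
                return
            if tag == 0x02 and length >= 2:  # INTEGER: no redundant sign/pad octet
                b0, b1 = buf[pos], buf[pos + 1]
                if (b0 == 0x00 and b1 < 0x80) or (b0 == 0xFF and b1 >= 0x80):
                    problems.append(f"offset {pos}: INTEGER not minimally encoded")
            if tag & 0x20:  # constructed (e.g. SEQUENCE): descend into children
                walk(pos, pos + length)
            pos += length

    walk(0, len(buf))
    return problems

# Constructed samples (toy SEQUENCE { INTEGER 0, INTEGER 65537 }, not real keys):
DER_STRICT = bytes.fromhex("3008 020100 0203010001")
BER_LONG_LENGTH = bytes.fromhex("308108 020100 0203010001")    # 81 08 where 08 suffices
BER_PADDED_INT = bytes.fromhex("3009 02020000 0203010001")     # INTEGER 0 written as 00 00
BER_INDEFINITE = bytes.fromhex("3080 020100 0203010001 0000")  # length 80 + end-of-contents
SAMPLE_PEM = "-----BEGIN TOY KEY-----\nMAgCAQACAwEAAQ==\n-----END TOY KEY-----\n"
```

Run `der_violations(pem_to_der(open(path).read()))` on a generated key to see whether it would survive a DER-only consumer.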
