yahoo-eng-team team mailing list archive
Message #55067
[Bug 1613199] [NEW] nova does not accept ssh certificate authorities (regression)
Public bug reported:
Prior to commit 3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
nova/crypto.py generate_fingerprint used ssh-keygen -q -l -f <pubkey_file> to generate fingerprints.
ssh-keygen -qlf is quite happy to process public key matter of the form
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines@tun
The issue is the string cert-authority at the beginning of the public
key matter. This form can appear in authorized_keys to enable multiple
users on a project to have individual keys certified by a central
certifying authority providing access to a single administrative
account. The use of ssh certificates is documented here:
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
Steps to reproduce:
1) Place the string """
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines@tun
"""
in a file
2) run nova keypair-add --pub-key <filename> <keypair name>
Expected result:
The nova keypair-list should now list the key
Actual result:
ERROR (BadRequest): Keypair data is invalid: failed to generate fingerprint (HTTP 400)
Environment:
OpenStack liberty release (bug is not present on kilo)
Logs:
Sorry, not available (I'm only a user not an admin)
Suggest fix: either:
1) revert generate_fingerprint to using exec ssh-keygen
2) generate_fingerprint should strip the string cert-authority from the beginning of the public key matter (if present) before attempting to generate the fingerprint.
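Suggested fix 2, worked through as an added example (my code, not nova's crypto.py): parse the authorized_keys line, skip any leading options field such as cert-authority (the general authorized_keys options syntax, not only that one word), and fingerprint the decoded key blob the way ssh-keygen -l did at the time. The key blob below is constructed and is not the key from this report; only the comment hines@tun is taken from it.

```python
import base64
import hashlib
import struct

# authorized_keys key types; any other first field is the optional options list
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _split_options(line):
    """Consume the options field up to the first unquoted whitespace; quoted
    values such as from="host a,host b" may contain spaces, so split() won't do."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
    raise ValueError("options field followed by no key material")

def split_authorized_key(line):
    """Return (options, key_type, base64_blob, comment); options may be ''."""
    line, options = line.strip(), ""
    first = line.split(None, 1)[0] if line else ""
    if first and first not in KEY_TYPES:
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("no recognised key type followed by key material")
    return options, parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def fingerprint(line):
    """MD5 aa:bb:... fingerprint of the decoded blob (the pre-OpenSSH-6.8
    ssh-keygen -l format); leading options such as cert-authority are ignored."""
    _options, key_type, blob, _comment = split_authorized_key(line)
    raw = base64.b64decode(blob, validate=True)
    n = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else 0
    # the blob's own length-prefixed type string must agree with the text field
    if n == 0 or raw[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("blob does not carry a %s key" % key_type)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def _ssh_string(data):  # RFC 4251 length-prefixed string
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real key: a well-formed ssh-rsa blob (type, e, n)
TOY_BLOB = base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                            + _ssh_string(b"\x00\xc3" + b"\x5a" * 30)).decode("ascii")
CA_LINE = "cert-authority ssh-rsa %s hines@tun" % TOY_BLOB
PLAIN_LINE = "ssh-rsa %s hines@tun" % TOY_BLOB
```

With and without the cert-authority prefix the same blob yields the same fingerprint, which is the behaviour the old ssh-keygen path gave and the new in-process parser lost.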
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1613199
Title:
nova does not accept ssh certificate authorities (regression)
Status in OpenStack Compute (nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1613199/+subscriptions