yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1613199] Re: nova does not accept ssh certificate authorities (regression)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Augustina Ragwitz <1613199@xxxxxxxxxxxxxxxxxx>
Date: Thu, 18 Aug 2016 23:02:14 -0000
Reply-to: Bug 1613199 <1613199@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This seems to me to be more of a feature request than an actual bug. If
you'd like Nova to support prepended comments in public keys, feel free
to propose it per our blueprint process.

https://wiki.openstack.org/wiki/Blueprints


** Changed in: nova
       Status: Incomplete => Invalid

** Changed in: nova
     Assignee: Augustina Ragwitz (auggy) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1613199

Title:
  nova does not accept ssh certificate authorities (regression)

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  Prior to commit 3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  nova/crypto.py generate_fingerprint used ssh-keygen -q -l -f <pubkey_file> to generate finger prints.
  ssh-keygen -qlf is quite happy to process public key matter of the form

  cert-authority ssh-rsa
  AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/
  hines@tun

  The issue is the string cert-authority at the beginning of the public
  key matter. This form can appear in authorized_keys to enable multiple
  users on a project to have individual keys certified by a central
  certifying authority providing access to a single administrative
  account. The use of ssh certificates is documented here:

  https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-
  ca-to-validate-hosts-and-clients-with-ubuntu

  Steps to reproduce:

  1) Place the string """
  cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines@tun
  """
  in a file
  2) run nova keypair-add --pub-key <filename> <keypair name>

  Expected result:
  They nova keypair-list should now list the key

  Actual result: 
  ERROR (BadRequest): Keypair data is invalid: failed to generate fingerprint (HTTP 400)

  Environment:
  Openstack liberty release (bug is not present on kilo)

  Logs:
  Sorry, not available (I'm only a user not an admin)

  Suggest fix: either:
  1) revert generate_fingerprint to using exec ssh-keygen
  2) generate_fingerprint should strip the string cert-authority from the begining of the public key matter (if present) before attempting to generate the fingerprint.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1613199/+subscriptions

References

[Bug 1613199] [NEW] nova does not accept ssh certificate authorities (regression)
From: Chris Hines, 2016-08-15