yahoo-eng-team team mailing list archive
Message #79150
[Bug 1555521] Re: "failed to generate fingerprint" when importing ed25519 key
Reviewed: https://review.opendev.org/667765
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6caedfd97675940eb3cf07e2f019926dae45d02c
Submitter: Zuul
Branch: master
commit 6caedfd97675940eb3cf07e2f019926dae45d02c
Author: melanie witt <melwittt@xxxxxxxxx>
Date: Wed Jun 26 23:25:48 2019 +0000
Require at least cryptography>=2.7
Version 2.6 of the cryptography library [1] added support for ed25519
ssh keys. This works with OpenSSL >= 1.1.1b.
In nova, we can enable people to use ed25519 ssh keys by using the
necessary cryptography library version. Users must make sure they have
a new enough OpenSSL version, else they won't be able to generate
ed25519 ssh keys using ssh-keygen in the first place. I did a local
test using Ubuntu 18.04 and things "just worked" when I generated an
ed25519 ssh key and imported it into nova. I left a comment on the
launchpad bug accordingly.
This updates our minimum version to the latest available version 2.7.
Closes-Bug: #1555521
[1] https://cryptography.io/en/latest/changelog/#v2-6
Change-Id: Id4a4e1ae4c0acd40c1fc32c3b82a8d8a62d4624d
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1555521
Title:
"failed to generate fingerprint" when importing ed25519 key
Status in OpenStack Compute (nova):
Fix Released
Bug description:
While RSA keys are most established, and still prevalent, ed25519 are
gaining significance. However, trying to import an ed25519 pubkey
fails:
==> /var/log/nova/nova-api.log <==
2016-03-10 09:52:09.538 2823 INFO nova.api.openstack.wsgi [req-e9474955-458c-4cf0-b8ca-fcbd4129824d 133e8f3fc1ad43efa9e7bd2401282ebd 801bf0d65c9646118905853d5615f6ee - - -] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2016-03-10 09:52:09.539 2823 INFO nova.osapi_compute.wsgi.server [req-e9474955-458c-4cf0-b8ca-fcbd4129824d 133e8f3fc1ad43efa9e7bd2401282ebd 801bf0d65c9646118905853d5615f6ee - - -] 172.25.16.58 "POST /v2/801bf0d65c9646118905853d5615f6ee/os-keypairs HTTP/1.1" status: 400 len: 319 time: 0.0246069
In this example, an attempt was made to upload the key through Horizon,
but the error occurred in Nova as shown above.
This was using the latest ci-passed Mitaka packages from RDO on CentOS
7:
[root@red-test ~]# rpm -qa | grep openstack-nova
openstack-nova-conductor-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-scheduler-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-common-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-console-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-cert-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-api-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-novncproxy-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
openstack-nova-compute-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch
To generate an ed25519 key to try this yourself, simply run:
ssh-keygen -t ed25519
Note that support for ed25519 in openssl (and openssh) is only
available in somewhat modern distributions (CentOS 7, Fedora and
Ubuntu should be fine).
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1555521/+subscriptions
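Added example, not part of the original message and not nova's code: a standard-library check that an uploaded public key line really is a well-formed ssh-ed25519 key, followed by the two fingerprint forms OpenSSH prints (legacy MD5 colon-hex and SHA256 base64), both of which are hashes over the decoded key blob. The sample key is constructed from placeholder bytes, and the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:end], end


def ed25519_fingerprints(pubkey_line):
    """Validate an 'ssh-ed25519 <base64> [comment]' line, return (md5, sha256)."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key data is not valid base64") from exc
    # The blob repeats the key type; a mismatch means a malformed or spliced key.
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-ed25519":
        raise ValueError("declared type does not match the encoded type")
    point, offset = _read_string(blob, offset)
    if len(point) != 32 or offset != len(blob):
        raise ValueError("ed25519 key must be exactly one 32-byte value")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256_fp = "SHA256:" + base64.b64encode(
        hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, sha256_fp


def make_sample_line(raw_key=bytes(range(32))):
    """Constructed sample, not a real user's key: 32 placeholder bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(raw_key)) + raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    print(ed25519_fingerprints(make_sample_line()))
```

The SHA256 value can be compared against the output of `ssh-keygen -l -f <pubkey file>` for the same key.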