[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools
Stanislaw Pitucha
1483132 at bugs.launchpad.net
Thu Dec 10 01:28:19 UTC 2015
I just noticed the update, so not sure if this is still an open problem,
but since paramiko still hasn't merged that pull, there's an easy
workaround on nova's side. By using pyasn1 (already in global
requirements), nova should be able to just do:
from pyasn1.codec.ber import decoder as ber_decoder  # lenient BER reader
from pyasn1.codec.der import encoder as der_encoder  # strict DER writer
asn1 = ber_decoder.decode(berdata)[0]
derdata = der_encoder.encode(asn1)
(with proper wrapping/unwrapping for base64 and others, of course)
This will be compatible, even after paramiko is fixed.
https://bugs.launchpad.net/bugs/1483132
Title:
ssh-keygen-to-Paramiko change breaks third-party tools
Status in OpenStack Compute (nova):
New
Bug description:
Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
library [1][2] changed (unintentionally?) the ASN.1 encoding format of
SSH private keys from DER to BER. (DER is a strict subset of BER, so
anything that can read BER can read DER, but not necessarily the other
way around.)
Some third-party tools only support DER and this has created at least
one issue [3] (specifically because Go's standard library only
supports DER).
I have provided Paramiko with a small change that makes its SSH
private key output equal to OpenSSH's ssh-keygen output (and
presumably DER formatted) [4].
Providing a change to Paramiko is just one method of addressing this
backwards-incompatibility and interoperability issue. Should the
Paramiko change be accepted the unit test output vectors will need to
be changed, but should it not, is a reversion of or modification to
Nova acceptable to maintain backwards-compatibility and
interoperability?
[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572
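The workaround in the reply above and the DER/BER distinction in the bug description both turn on one operation: read the key's ASN.1 with a lenient BER parser and write it back in canonical DER, with the PEM base64 stripped and re-applied around it. The following is an added example, not nova's, paramiko's or pyasn1's code: a standard-library-only BER-to-DER normaliser for the SEQUENCE-of-INTEGER shape of a PKCS#1 private key, plus the PEM handling, and a strictness check that approximates what a DER-only reader such as Go's encoding/asn1 rejects (indefinite lengths, non-minimal length octets). The sample input is a constructed toy structure, not a real key; `SAMPLE_BER`, `SAMPLE_PEM` and all function names are this example's own.

```python
"""Added example: normalise BER-encoded ASN.1 (as Paramiko emitted it) to
canonical DER, with PEM unwrap/wrap. Standard library only; pyasn1 does
the same in two calls. Handles single-byte tags, which is all PKCS#1 needs."""
import base64
import textwrap

CONSTRUCTED = 0x20          # tag bit set on SEQUENCE and other constructed types
EOC = b"\x00\x00"           # end-of-contents octets closing an indefinite-length value


def read_length(buf, i):
    """Parse a BER length at buf[i]; return (length, next_index).
    length is None for the indefinite form, which only BER permits."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    if first == 0x80:
        return None, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def ber_decode(buf, i=0):
    """Parse one TLV at buf[i] into (tag, children_or_bytes); return (node, next_index)."""
    tag = buf[i]
    length, j = read_length(buf, i + 1)
    if not tag & CONSTRUCTED:
        if length is None:
            raise ValueError("primitive value with indefinite length")
        return (tag, bytes(buf[j:j + length])), j + length
    children = []
    if length is None:                      # BER indefinite form: read until 00 00
        while buf[j:j + 2] != EOC:
            if j + 2 > len(buf):
                raise ValueError("unterminated indefinite-length value")
            child, j = ber_decode(buf, j)
            children.append(child)
        j += 2
    else:
        end = j + length
        while j < end:
            child, j = ber_decode(buf, j)
            children.append(child)
    return (tag, children), j


def der_length(n):
    """Shortest possible length encoding, as DER requires."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(node):
    """Serialise a parsed node with definite, minimal lengths throughout."""
    tag, content = node
    payload = b"".join(der_encode(c) for c in content) if tag & CONSTRUCTED else content
    return bytes([tag]) + der_length(len(payload)) + payload


def is_strict_der(buf):
    """True iff buf is already canonical DER: it re-encodes to itself with nothing left over."""
    tree, end = ber_decode(buf)
    return end == len(buf) and der_encode(tree) == bytes(buf)


def pem_unwrap(text):
    """Return (label, raw_bytes) from a PEM block."""
    lines = [line.strip() for line in text.strip().splitlines()]
    label = lines[0][len("-----BEGIN "):-len("-----")]
    return label, base64.b64decode("".join(lines[1:-1]))


def pem_wrap(label, raw):
    """Wrap raw bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(textwrap.wrap(b64, 64)), label)


def ber_pem_to_der_pem(text):
    """The full workaround: PEM -> BER bytes -> parse -> DER bytes -> PEM."""
    label, ber = pem_unwrap(text)
    tree, end = ber_decode(ber)
    if end != len(ber):
        raise ValueError("trailing bytes after ASN.1 value")
    return pem_wrap(label, der_encode(tree))


# Constructed sample (not a real key): a SEQUENCE of three INTEGERs using two
# BER-only encodings a DER parser rejects: an indefinite length on the SEQUENCE
# (30 80 ... 00 00) and a long-form length on a one-byte INTEGER (02 81 01 05).
SAMPLE_BER = bytes.fromhex("30 80 02 01 00 02 81 01 05 02 02 01 00 00 00")
SAMPLE_PEM = pem_wrap("RSA PRIVATE KEY", SAMPLE_BER)

if __name__ == "__main__":
    print("input is strict DER:", is_strict_der(SAMPLE_BER))
    print(ber_pem_to_der_pem(SAMPLE_PEM))
```

Running the module prints `False` for the BER sample and a PEM block whose payload now begins `30 0a` with short-form lengths; feeding `is_strict_der` that output returns `True`, which is the property a DER-only consumer needs. The round-trip test in `is_strict_der` is also a cheap regression check for the nova unit-test vectors mentioned in the bug: canonical DER is a fixed point of decode-then-encode, BER generally is not.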