[Openstack-security] [Bug 1613199] Re: nova does not accept ssh certificate authorities (regression)

Augustina Ragwitz 1613199 at bugs.launchpad.net
Thu Aug 18 19:43:42 UTC 2016 

First off, apologies, when I first glanced at your bug I initially
thought you were reporting an issue with Nova not accepting valid public
key files. Upon further investigation, I attempted to follow your
reproduction steps by adding a public key generated by a certificate
authority and did not experience the error. When I looked at that public
key file, it did not have the prefix "cert-authority". Upon further
investigation, it looks like these libraries are working as expected for
the key files formatted per RFC 4253:
https://tools.ietf.org/html/rfc4253#section-6.6.

So the big question I have for you is what exactly is your workflow for
generating the public key that you are trying to add to nova?

** Tags removed: liberty-backport-potential security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1613199

Title:
  nova does not accept ssh certificate authorities (regression)

Status in OpenStack Compute (nova):
  Incomplete

Bug description:
  Prior to commit 3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  nova/crypto.py generate_fingerprint used ssh-keygen -q -l -f <pubkey_file> to generate finger prints.
  ssh-keygen -qlf is quite happy to process public key matter of the form

  cert-authority ssh-rsa
  AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/
  hines at tun

  The issue is the string cert-authority at the beginning of the public
  key matter. This form can appear in authorized_keys to enable multiple
  users on a project to have individual keys certified by a central
  certifying authority providing access to a single administrative
  account. The use of ssh certificates is documented here:

  https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-
  ca-to-validate-hosts-and-clients-with-ubuntu

  Steps to reproduce:

  1) Place the string """
  cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines at tun
  """
  in a file
  2) run nova keypair-add --pub-key <filename> <keypair name>

  Expected result:
  They nova keypair-list should now list the key

  Actual result: 
  ERROR (BadRequest): Keypair data is invalid: failed to generate fingerprint (HTTP 400)

  Environment:
  Openstack liberty release (bug is not present on kilo)

  Logs:
  Sorry, not available (I'm only a user not an admin)

  Suggest fix: either:
  1) revert generate_fingerprint to using exec ssh-keygen
  2) generate_fingerprint should strip the string cert-authority from the begining of the public key matter (if present) before attempting to generate the fingerprint.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1613199/+subscriptions

More information about the Openstack-security mailing list