[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools
Sean Dague
sean at dague.net
Fri Feb 19 20:50:33 UTC 2016
I do feel like private key format is not part of the nova contract. I'm
sorry Go tools are so limitted with what they support. The right path is
working with upstream paramiko on this.
** Changed in: nova
Status: New => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1483132
Title:
ssh-keygen-to-Paramiko change breaks third-party tools
Status in OpenStack Compute (nova):
Won't Fix
Bug description:
Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
library [1][2] changed (unintentionally?) the ASN.1 encoding format of
SSH private keys from DER to BER. (DER is a strict subset of BER, so
anything that can read BER can read DER, but not necessarily the other
way around.)
Some third-party tools only support DER and this has created at least
one issue [3] (specifically because Go's standard library only
supports DER).
I have provided Paramiko with a small change that makes its SSH
private key output equal to OpenSSH's ssh-keygen output (and
presumably DER formatted) [4].
Providing a change to Paramiko is just one method of addressing this
backwards-incompatibility and interoperability issue. Should the
Paramiko change be accepted the unit test output vectors will need to
be changed, but should it not, is a reversion of or modification to
Nova acceptable to maintain backwards-compatibility and
interoperability?
[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions
More information about the Openstack-security
mailing list