[Openstack-security] [Bug 1613199] Re: nova does not accept ssh certificate authorities (regression)

Augustina Ragwitz 1613199 at bugs.launchpad.net
Wed Aug 17 18:07:07 UTC 2016


Here is a link to the change mentioned in the bug report -
http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a

This change implemented key generation using paramiko. The cert-
authority issue has been reported to paramiko -
https://github.com/paramiko/paramiko/issues/771

I think this shows a gap in our current test coverage. We should add a
test for the "cert-authority" case as described above. I am confirming
this bug to add this test coverage.



** Bug watch added: github.com/paramiko/paramiko/issues #771
   https://github.com/paramiko/paramiko/issues/771

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
     Assignee: (unassigned) => Augustina Ragwitz (auggy)

** Tags added: security

https://bugs.launchpad.net/bugs/1613199

Title:
  nova does not accept ssh certificate authorities (regression)

Status in OpenStack Compute (nova):
  Confirmed

Bug description:
  Prior to commit 3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  nova/crypto.py generate_fingerprint used ssh-keygen -q -l -f <pubkey_file> to generate fingerprints.
  ssh-keygen -qlf is quite happy to process public key matter of the form

  cert-authority ssh-rsa
  AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/
  hines at tun

  The issue is the string cert-authority at the beginning of the public
  key matter. This form can appear in authorized_keys to enable multiple
  users on a project to have individual keys certified by a central
  certifying authority providing access to a single administrative
  account. The use of ssh certificates is documented here:

  https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-
  ca-to-validate-hosts-and-clients-with-ubuntu

  Steps to reproduce:

  1) Place the string """
  cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines at tun
  """
  in a file
  2) run nova keypair-add --pub-key <filename> <keypair name>

  Expected result:
  The nova keypair-list should now list the key

  Actual result:
  ERROR (BadRequest): Keypair data is invalid: failed to generate fingerprint (HTTP 400)

  Environment:
  Openstack liberty release (bug is not present on kilo)

  Logs:
  Sorry, not available (I'm only a user not an admin)

  Suggest fix: either:
  1) revert generate_fingerprint to using exec ssh-keygen
  2) generate_fingerprint should strip the string cert-authority from the beginning of the public key matter (if present) before attempting to generate the fingerprint.
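Suggested fix 2 above, worked through as an added example (not nova's or paramiko's code): strip the authorized_keys option field before decoding, check that the base64 blob really declares the same key type as the text, and emit the MD5 colon fingerprint that older ssh-keygen -l printed. The option scanner is the assumption here (it handles quoted options such as from="..." as well as the bare cert-authority from the report); the sample key is constructed and is not a real key.

```python
import base64
import hashlib
import struct

# Public key types whose wire-format blob starts with the type name (RFC 4253 s6.6).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def strip_options(line):
    """Split an authorized_keys-style line into (options, key_type, b64, comment).

    The options field (e.g. 'cert-authority' or 'from="10.0.0.1 10.0.0.2",no-pty')
    may contain quoted strings with spaces, so it is scanned by hand (assumption:
    this mirrors how sshd tokenises the field) rather than split on whitespace.
    """
    line = line.strip()
    if not line:
        raise ValueError("empty public key line")
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line            # no option field at all
    else:
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            i += 1
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("no recognised public key type in line")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def generate_fingerprint(public_key):
    """MD5 fingerprint in the aa:bb:... form, computed over the decoded blob."""
    _, key_type, b64, _ = strip_options(public_key)
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on junk
    if len(blob) < 4:
        raise ValueError("public key blob is truncated")
    (length,) = struct.unpack(">I", blob[:4])
    # The first wire-format string must name the same key type as the text form.
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key blob does not match declared type %s" % key_type)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample: a tiny, deliberately unusable ssh-rsa blob (e=65537, toy n).
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x9e\x45\x1b")
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " hines@tun"
CA_KEY = "cert-authority " + SAMPLE_KEY
```

The fingerprint of CA_KEY equals that of SAMPLE_KEY, which is the behaviour the ssh-keygen-based implementation had before the regression.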
