[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools

Corey Wright corey.wright at rackspace.com
Mon May 2 03:21:12 UTC 2016


@marco-voelz

As the current nova requirements on the "master" branch are
"paramiko>=1.16.0" (see
http://git.openstack.org/cgit/openstack/nova/tree/requirements.txt?id=5bafd5fba508174f557acfeddbf85de0438c51d7#n24)
I believe paramiko 2.0.0 will be pulled in for all future releases
(though this also means that unit tests will break / are breaking as
they were changed to BER with the original commit (that prompted this
"bug" report) and need to change back to the original DER).

@all

for the record my PR (see https://github.com/paramiko/paramiko/pull/572)
was not merged, but the larger pycrypto-to-cryptography PR (see
https://github.com/paramiko/paramiko/pull/394), which obviated my PR,
was merged and present in paramiko 2.0.0.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1483132

Title:
  ssh-keygen-to-Paramiko change breaks third-party tools

Status in OpenStack Compute (nova):
  Won't Fix

Bug description:
  Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
  library [1][2] changed (unintentionally?) the ASN.1 encoding format of
  SSH private keys from DER to BER.  (DER is a strict subset of BER, so
  anything that can read BER can read DER, but not necessarily the other
  way around.)

  Some third-party tools only support DER and this has created at least
  one issue [3] (specifically because Go's standard library only
  supports DER).

  I have provided Paramiko with a small change that makes its SSH
  private key output equal to OpenSSH's ssh-keygen output (and
  presumably DER formatted) [4].

  Providing a change to Paramiko is just one method of addressing this
  backwards-incompatibility and interoperability issue.  Should the
  Paramiko change be accepted the unit test output vectors will need to
  be changed, but should it not, is a reversion of or modification to
  Nova acceptable to maintain backwards-compatibility and
  interoperability?

  [1] https://review.openstack.org/157931
  [2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  [3] https://github.com/mitchellh/packer/issues/2526
  [4] https://github.com/paramiko/paramiko/pull/572

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions
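The DER-versus-BER distinction the bug description turns on, as an added example that is not code from nova, paramiko or the bug reporter: a small strict-DER checker that walks an ASN.1 blob (for instance the base64 body of an "RSA PRIVATE KEY" PEM block) and reports the BER-only constructs, namely indefinite lengths, non-minimal length octets and non-minimal INTEGER contents, that a DER-only parser such as the one in Go's standard library rejects. The byte strings and the PEM wrapper below are constructed for the example and are not real key material; `der_violations`, `pem_to_der` and `is_strict_der` are names chosen here, not an API of either project.

```python
import base64

# Added example (not nova's or paramiko's code): a strict-DER checker for
# ASN.1 byte strings. It walks the TLV structure and reports constructs
# that BER permits but DER forbids. An empty result means the blob is
# canonical DER as far as lengths and INTEGER contents are concerned.


def _read_length(buf, pos):
    """Parse an ASN.1 length at buf[pos].

    Returns (length, next_pos, violations); length is None for the BER
    indefinite form (0x80), which DER does not allow at all.
    """
    first = buf[pos]
    pos += 1
    if first < 0x80:                     # short form: one octet, DER-clean
        return first, pos, []
    if first == 0x80:                    # indefinite form: BER only
        return None, pos, ["indefinite length (BER only)"]
    n = first & 0x7F                     # long form: n length octets follow
    raw = buf[pos:pos + n]
    if len(raw) != n:
        raise ValueError("truncated length field")
    pos += n
    length = int.from_bytes(raw, "big")
    violations = []
    if raw[0] == 0:
        violations.append("leading zero octet in long-form length")
    if length < 0x80:
        violations.append("long-form length for a value below 128")
    return length, pos, violations


def der_violations(buf, pos=0, end=None, path=""):
    """Return a list of strings, one per BER-only construct found."""
    if end is None:
        end = len(buf)
    found = []
    while pos < end:
        tag_pos = pos
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-octet tags are not handled by this example")
        pos += 1
        length, pos, viol = _read_length(buf, pos)
        where = f"{path}/0x{tag:02x}@{tag_pos}"
        found.extend(f"{where}: {v}" for v in viol)
        if length is None:
            return found                 # cannot walk past an indefinite length
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("element runs past end of buffer")
        if tag & 0x20:                   # constructed type: recurse into children
            found.extend(der_violations(buf, pos, pos + length, where))
        elif tag == 0x02:                # INTEGER: must be minimal two's complement
            if length == 0:
                found.append(f"{where}: empty INTEGER")
            elif length > 1 and (
                (value[0] == 0x00 and value[1] < 0x80)
                or (value[0] == 0xFF and value[1] >= 0x80)
            ):
                found.append(f"{where}: non-minimal INTEGER encoding")
        pos += length
    return found


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def is_strict_der(data):
    """True when the checker finds no BER-only construct in data."""
    return not der_violations(data)


# Constructed sample values: SEQUENCE { INTEGER 0, INTEGER 65537 } encoded
# three ways. Only the first is DER; the other two are legal BER.
DER_SAMPLE = bytes.fromhex("3008 020100 0203010001")
# Long-form length (0x81 0x09) for a 9-byte SEQUENCE plus INTEGER 0 padded
# to two octets: two separate DER violations.
BER_LONG_LENGTH = bytes.fromhex("308109 02020000 0203010001")
# Indefinite length (0x80) terminated by end-of-contents octets: one
# violation, after which the walker stops.
BER_INDEFINITE = bytes.fromhex("3080 020100 0000")

# Constructed PEM wrapper around the DER sample (not a real key).
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(DER_SAMPLE).decode()
              + "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in [("DER", DER_SAMPLE),
                       ("BER long length", BER_LONG_LENGTH),
                       ("BER indefinite", BER_INDEFINITE)]:
        print(name, der_violations(blob) or "strict DER")
    print("PEM body strict DER:", is_strict_der(pem_to_der(SAMPLE_PEM)))
```

Running the checker over a key produced by each generator is a quick way to confirm which side of the DER/BER line a given paramiko version lands on before a DER-only consumer is pointed at its output; the walker looks only at lengths and INTEGER contents, which is where this particular encoding difference shows up.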
