@marco-voelz nevermind, i'm an idiot: i forgot about the upper-constraints.txt referenced in tox.ini, which currently contains "paramiko===1.16.0" (see https://git.openstack.org/cgit/openstack/requirements/tree/upper- constraints.txt?id=5c1dcc21174c8fdc5e4e0fbde37ae9fb96dcdeb6#n236) and therefor needs a bump to 2.0.0 (as you requested) to resolve this bug. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1483132 Title: ssh-keygen-to-Paramiko change breaks third-party tools Status in OpenStack Compute (nova): Won't Fix Bug description: Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko library [1][2] changed (unintentionally?) the ASN.1 encoding format of SSH private keys from DER to BER. (DER is a strict subset of BER, so anything that can read BER can read DER, but not necessarily the other way around.) Some third-party tools only support DER and this has created at least one issue [3] (specifically because Go's standard library only supports DER). I have provided Paramiko with a small change that makes its SSH private key output equal to OpenSSH's ssh-keygen output (and presumably DER formatted) [4]. Providing a change to Paramiko is just one method of addressing this backwards-incompatibility and interoperability issue. Should the Paramiko change be accepted the unit test output vectors will need to be changed, but should it not, is a reversion of or modification to Nova acceptable to maintain backwards-compatibility and interoperability? [1] https://review.openstack.org/157931 [2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a [3] https://github.com/mitchellh/packer/issues/2526 [4] https://github.com/paramiko/paramiko/pull/572 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions