[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools

Corey Wright corey.wright at rackspace.com
Fri May 6 13:35:28 UTC 2016 

The attached patch allows nova ("master" branch as of May 3 / HEAD
commit 8185dcb57e55f7579b60040649fcd0588177d714) to pass unit tests with
either Paramiko 1.x or 2.x.

Nova will probably not support both Paramiko 1.x and 2.x simultaneously
(due to upper-constraints.txt pinning Paramiko to a specific release;
currently it is "1.16.0", but that will probably be changed to "2.0.0"
or such), so my patch also includes comments on how to remove the
Paramiko 1.x work-around and simply and directly use the appropriate and
original Paramiko interface (ie revert change
If88beeb3983705621fe736995939ac20b2daf1f3 / commit
1fd0f4f69b21cbd20c0eb0e2f8f4506061f4a211).

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1483132

Title:
  ssh-keygen-to-Paramiko change breaks third-party tools

Status in OpenStack Compute (nova):
  Won't Fix

Bug description:
  Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
  library [1][2] changed (unintentionally?) the ASN.1 encoding format of
  SSH private keys from DER to BER.  (DER is a strict subset of BER, so
  anything that can read BER can read DER, but not necessarily the other
  way around.)

  Some third-party tools only support DER and this has created at least
  one issue [3] (specifically because Go's standard library only
  supports DER).

  I have provided Paramiko with a small change that makes its SSH
  private key output equal to OpenSSH's ssh-keygen output (and
  presumably DER formatted) [4].

  Providing a change to Paramiko is just one method of addressing this
  backwards-incompatibility and interoperability issue.  Should the
  Paramiko change be accepted the unit test output vectors will need to
  be changed, but should it not, is a reversion of or modification to
  Nova acceptable to maintain backwards-compatibility and
  interoperability?

  [1] https://review.openstack.org/157931
  [2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  [3] https://github.com/mitchellh/packer/issues/2526
  [4] https://github.com/paramiko/paramiko/pull/572

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions

More information about the Openstack-security mailing list