[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools
Corey Wright
corey.wright at rackspace.com
Fri May 6 13:43:45 UTC 2016
@marco-voelz
I'm not familiar with how OpenStack manages the upper-constraint.txt
file (as that file is doubtfully specific to Nova, but merely used by
it).
The best course of action is probably to ping sdague on IRC and ask him
the best course of action (as he was the last Nova core reviewer to
touch this bug), but any Nova core reviewer should suffice:
1. Open a new bug?
2. Merge the attached patch so that Nova supports both 1.x and 2.x
independent of when Paramiko's constraint is upgraded?
3. Prepare a patch that is specific to only Paramiko 2.x (ignoring
Paramiko 1.x) and will be merged immediately following the Paramiko
constraint being "upgraded" from 1.x to 2.x?
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1483132
Title:
ssh-keygen-to-Paramiko change breaks third-party tools
Status in OpenStack Compute (nova):
Won't Fix
Bug description:
Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
library [1][2] changed (unintentionally?) the ASN.1 encoding format of
SSH private keys from DER to BER. (DER is a strict subset of BER, so
anything that can read BER can read DER, but not necessarily the other
way around.)
Some third-party tools only support DER and this has created at least
one issue [3] (specifically because Go's standard library only
supports DER).
I have provided Paramiko with a small change that makes its SSH
private key output equal to OpenSSH's ssh-keygen output (and
presumably DER formatted) [4].
Providing a change to Paramiko is just one method of addressing this
backwards-incompatibility and interoperability issue. Should the
Paramiko change be accepted the unit test output vectors will need to
be changed, but should it not, is a reversion of or modification to
Nova acceptable to maintain backwards-compatibility and
interoperability?
[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572
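The description above turns on one point: DER is the canonical subset of BER, so a key that is only BER-valid will be rejected by strict consumers such as Go's encoding/asn1. The following checker, added here as an illustration and not code from Nova, Paramiko or the bug report, walks a PEM-wrapped ASN.1 blob and flags the BER-only constructs a strict DER parser refuses (indefinite lengths, non-minimal length encodings, INTEGERs padded with redundant leading bytes). The sample "keys" it builds are constructed toy SEQUENCEs of INTEGERs, not real key material, and the helper names (check_der, is_strict_der, sample_keys) are this example's own. It makes no claim about which specific construct Paramiko emitted; it shows how a deployment could verify generated keys before handing them to DER-only tooling.

```python
import base64


class NotDER(ValueError):
    """Raised when a BER-only construct that strict DER forbids is found."""


def _read_length(buf, pos, end):
    """Decode one ASN.1 length at buf[pos]; return (length, next_pos).

    DER requires the definite form and the shortest encoding: short form
    for values below 128 and no leading zero bytes in the long form.
    """
    if pos >= end:
        raise NotDER("truncated length at offset %d" % pos)
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise NotDER("indefinite length at offset %d" % (pos - 1))
    n = first & 0x7F
    if pos + n > end:
        raise NotDER("truncated length at offset %d" % pos)
    raw = buf[pos:pos + n]
    if raw[0] == 0x00:
        raise NotDER("length with leading zero byte at offset %d" % pos)
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise NotDER("long-form length used for a value below 128 at offset %d"
                     % (pos - 1))
    return length, pos + n


def check_der(buf, pos=0, end=None):
    """Walk the TLV elements in buf[pos:end]; return how many were seen.

    Raises NotDER for indefinite or non-minimal lengths and for INTEGERs
    with redundant leading 0x00/0xFF bytes. High-tag-number form is not
    needed for private-key structures and is rejected as unsupported.
    """
    if end is None:
        end = len(buf)
    count = 0
    while pos < end:
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError("high-tag-number form not supported by this checker")
        length, pos = _read_length(buf, pos + 1, end)
        if pos + length > end:
            raise NotDER("element overruns its container at offset %d" % pos)
        if tag & 0x20:  # constructed type (SEQUENCE, SET): recurse into children
            count += 1 + check_der(buf, pos, pos + length)
        else:
            if tag == 0x02:  # INTEGER must be the shortest two's-complement form
                if length == 0:
                    raise NotDER("empty INTEGER at offset %d" % pos)
                v = buf[pos:pos + length]
                if length > 1 and ((v[0] == 0x00 and v[1] < 0x80) or
                                   (v[0] == 0xFF and v[1] >= 0x80)):
                    raise NotDER("non-minimal INTEGER encoding at offset %d" % pos)
            count += 1
        pos += length
    return count


def pem_body(pem_text):
    """Strip the -----BEGIN/END----- armour and base64-decode the payload."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def is_strict_der(pem_text):
    """Return (True, 'ok') if the PEM payload is DER, else (False, reason)."""
    try:
        check_der(pem_body(pem_text))
    except NotDER as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed sample data below; toy SEQUENCEs, not real keys ------------

def der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_integer(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # minimal, non-negative
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elems):
    body = b"".join(elems)
    return b"\x30" + der_length(len(body)) + body


def to_pem(blob, label="RSA PRIVATE KEY"):
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def sample_keys():
    """Same logical content three ways: strict DER and two BER-only encodings."""
    elems = [der_integer(i) for i in (0, 65537, 0xC0FFEE, 255)]
    body = b"".join(elems)
    der = der_sequence(*elems)
    # BER variant 1: outer length written in long form (0x81 LL) although < 128
    ber_long_length = b"\x30\x81" + bytes([len(body)]) + body
    # BER variant 2: last INTEGER carries a redundant leading 0x00 byte
    ber_padded_int = der_sequence(*(elems[:-1] + [b"\x02\x03\x00\x00\xff"]))
    return {"der": to_pem(der),
            "ber_long_length": to_pem(ber_long_length),
            "ber_padded_integer": to_pem(ber_padded_int)}


if __name__ == "__main__":
    for name, pem in sample_keys().items():
        print("%-20s %s" % (name, is_strict_der(pem)))
```

Run stand-alone it reports "der" as ok and the two BER variants with the offending construct and offset; in a deployment the same check could gate the private key before it is returned to a user or written where Go-based tooling will read it.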
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions