[Openstack-security] [Bug 1483132] Related fix merged to nova (master)
OpenStack Infra
1483132 at bugs.launchpad.net
Tue May 10 18:34:08 UTC 2016
Reviewed: https://review.openstack.org/314592
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c05b338f163e0bafbe564c6c7c593b819f2f2eac
Submitter: Jenkins
Branch: master
commit c05b338f163e0bafbe564c6c7c593b819f2f2eac
Author: Corey Wright <corey.wright at rackspace.com>
Date: Tue May 3 23:13:24 2016 -0500
crypto: Add support for Paramiko 2.x
Only use PyCrypto/PyCryptodome work-around with Paramiko 1.x and use
straightforward Paramiko interface with 2.x.
TODO: Revert this and PyCrypto/PyCryptodome work-around when Paramiko
is upgraded to 2.x (i.e. replace `generate_keys(bits)` call with
`paramiko.RSAKey.generate(bits)`).
Change If88beeb3983705621fe736995939ac20b2daf1f3 added a work-around
for the partially-PyCrypto-compatible PyCryptodome causing Paramiko,
which has a dependency on PyCrypto, to break. This work-around
entails implementing Paramiko internals (i.e. how to generate a key) in
Nova in a way compatible with both PyCrypto and PyCryptodome.
This work-around is itself a source of failure with Paramiko 2 which
has replaced the PyCrypto requirement with the cryptography Python
package. As Paramiko no longer depends on PyCrypto, Nova doesn't have
an explicit PyCrypto requirement, and there's no implicit dependency
on PyCrypto, when Nova tries to import PyCrypto it fails. Even if
PyCrypto were installed, the work-around would still fail because the
Paramiko interface that Nova is using as part of the work-around
changed with the major version change (i.e. 1.x => 2.x).
Change-Id: I5d6543e690a3b4495476027fd8a4894ff8c42bf6
Related-Bug: #1483132
--
https://bugs.launchpad.net/bugs/1483132
Title:
ssh-keygen-to-Paramiko change breaks third-party tools
Status in OpenStack Compute (nova):
In Progress
Bug description:
Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
library [1][2] changed (unintentionally?) the ASN.1 encoding format of
SSH private keys from DER to BER. (DER is a strict subset of BER, so
anything that can read BER can read DER, but not necessarily the other
way around.)
Some third-party tools only support DER and this has created at least
one issue [3] (specifically because Go's standard library only
supports DER).
I have provided Paramiko with a small change that makes its SSH
private key output equal to OpenSSH's ssh-keygen output (and
presumably DER formatted) [4].
Providing a change to Paramiko is just one method of addressing this
backwards-incompatibility and interoperability issue. Should the
Paramiko change be accepted the unit test output vectors will need to
be changed, but should it not, is a reversion of or modification to
Nova acceptable to maintain backwards-compatibility and
interoperability?
[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572
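The bug report above rests on one point: DER is a strict subset of BER, so a BER-encoded private key (indefinite lengths, non-minimal length octets, constructed strings) is rejected by consumers that only implement DER, such as Go's standard library. The commit message, in turn, says Nova should generate keys through paramiko.RSAKey.generate(bits) once Paramiko 2.x is in use. The following checker is an added example written for this page; it is not code from Nova, Paramiko or the bug thread. It walks an ASN.1 blob and lists every place where the encoding is BER-only, so an operator can verify what a key generator actually emits before handing keys to third-party tools. The sample blobs (DER_SAMPLE, BER_INDEFINITE, BER_LONG_FORM, PEM_SAMPLE) are constructed here and are not real keys; the optional paramiko_key_is_der helper assumes Paramiko is installed and uses only its public RSAKey.generate and write_private_key calls.

```python
"""Decide whether an ASN.1 blob (e.g. a PEM private key body) is strict DER."""
from __future__ import annotations

import base64
import io


def _read_length(data: bytes, pos: int):
    """Parse a BER/DER length at `pos`.

    Returns (length, new_pos, violation_or_None). `length` is None when the
    encoding is indefinite (0x80) or reserved (0xFF), which DER never uses.
    """
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet, length < 128
        return first, pos, None
    if first == 0x80:
        return None, pos, "indefinite-length encoding (BER only)"
    if first == 0xFF:
        return None, pos, "reserved length octet 0xFF"
    n = first & 0x7F                      # long form: n following octets
    if pos + n > len(data):
        return None, pos, "truncated length"
    raw = data[pos:pos + n]
    length = int.from_bytes(raw, "big")
    pos += n
    # DER requires the shortest possible length encoding.
    if raw[0] == 0 or length < 0x80:
        return length, pos, "non-minimal long-form length (BER only)"
    return length, pos, None


def der_violations(data: bytes, pos: int = 0, end: int | None = None) -> list[str]:
    """Return a list of 'offset N: reason' strings; empty means strict DER."""
    end = len(data) if end is None else end
    problems: list[str] = []
    while pos < end:
        start = pos
        tag = data[pos]
        pos += 1
        constructed = bool(tag & 0x20)
        tag_number = tag & 0x1F
        if tag_number == 0x1F:            # high-tag-number form
            tag_number = 0
            while True:
                if pos >= end:
                    problems.append(f"offset {start}: truncated tag")
                    return problems
                b = data[pos]
                pos += 1
                tag_number = (tag_number << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
        if pos >= end:
            problems.append(f"offset {start}: truncated length")
            return problems
        length, pos, problem = _read_length(data, pos)
        if problem:
            problems.append(f"offset {start}: {problem}")
        if length is None:                # cannot bound the element; stop here
            return problems
        if pos + length > end:
            problems.append(f"offset {start}: length {length} overruns container")
            return problems
        if constructed:
            # DER forbids constructed BIT STRING (3) / OCTET STRING (4) in the universal class.
            if (tag & 0xC0) == 0 and tag_number in (3, 4):
                problems.append(f"offset {start}: constructed string type (DER requires primitive)")
            problems.extend(der_violations(data, pos, pos + length))
        pos += length
    return problems


def is_der(data: bytes) -> bool:
    return not der_violations(data)


def pem_body(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armor of an unencrypted PEM file and decode it."""
    lines = [ln.strip() for ln in pem.strip().splitlines()
             if ln.strip() and not ln.startswith("-----") and ":" not in ln]
    return base64.b64decode("".join(lines))


def paramiko_key_is_der(bits: int = 1024):
    """Generate a key with Paramiko's public API and check the PEM it writes.

    Returns None when Paramiko is not installed (assumption: optional dependency).
    """
    try:
        import paramiko
    except ImportError:
        return None
    key = paramiko.RSAKey.generate(bits)
    buf = io.StringIO()
    key.write_private_key(buf)
    return is_der(pem_body(buf.getvalue()))


# Constructed sample blobs (not real keys): SEQUENCE { INTEGER 0, INTEGER 65537 }
DER_SAMPLE = bytes.fromhex("3008 020100 0203010001")
BER_INDEFINITE = bytes.fromhex("3080 020100 0203010001 0000")   # 0x80 = indefinite
BER_LONG_FORM = bytes.fromhex("308108 020100 0203010001")       # long form for length 8
PEM_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(DER_SAMPLE).decode() + "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("DER", DER_SAMPLE), ("BER indefinite", BER_INDEFINITE),
                       ("BER long-form", BER_LONG_FORM)):
        print(name, der_violations(blob) or "strict DER")
    print("paramiko-generated key is DER:", paramiko_key_is_der())
```

Run it against a real key with `is_der(pem_body(open("id_rsa").read()))`; an empty violation list is the property a DER-only consumer needs. The checker is deliberately a lint, not a full decoder: it does not validate INTEGER minimality or the RSAPrivateKey structure itself, only the length and constructed-type rules that separate DER from BER.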