[Openstack-security] [Bug 1483132] Re: ssh-keygen-to-Paramiko change breaks third-party tools

OpenStack Infra 1483132 at bugs.launchpad.net
Wed May 11 21:20:51 UTC 2016 

Reviewed:  https://review.openstack.org/314639
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6b1293fd6f5bcb35f317f36c540f543b1192928c
Submitter: Jenkins
Branch:    master

commit 6b1293fd6f5bcb35f317f36c540f543b1192928c
Author: Sean Dague <sean at dague.net>
Date:   Tue May 10 11:39:11 2016 -0400

    Drop paramiko < 2 compat code
    
    This drops the paramiko < 2 compatibility code so we only need to
    support one major version.
    
    Depends-On: I2369638282b4fefccd8484a5039fcfa9795069a7
    (global requirements change)
    
    Change-Id: Ife4df9e64299e1182d77d568d1deed5ec3b608b3
    Closes-Bug: #1483132


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1483132

Title:
  ssh-keygen-to-Paramiko change breaks third-party tools

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko
  library [1][2] changed (unintentionally?) the ASN.1 encoding format of
  SSH private keys from DER to BER.  (DER is a strict subset of BER, so
  anything that can read BER can read DER, but not necessarily the other
  way around.)

  Some third-party tools only support DER and this has created at least
  one issue [3] (specifically because Go's standard library only
  supports DER).

  I have provided Paramiko with a small change that makes its SSH
  private key output equal to OpenSSH's ssh-keygen output (and
  presumably DER formatted) [4].

  Providing a change to Paramiko is just one method of addressing this
  backwards-incompatibility and interoperability issue.  Should the
  Paramiko change be accepted the unit test output vectors will need to
  be changed, but should it not, is a reversion of or modification to
  Nova acceptable to maintain backwards-compatibility and
  interoperability?

  [1] https://review.openstack.org/157931
  [2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
  [3] https://github.com/mitchellh/packer/issues/2526
  [4] https://github.com/paramiko/paramiko/pull/572

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1483132/+subscriptions

More information about the Openstack-security mailing list