** Changed in: nova
       Status: Invalid => New

** Tags added: ops
-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1613199

Title:
  nova should accept pre-pended comments in public keys

Status in OpenStack Compute (nova):
  New

Bug description:
  Prior to commit 3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a,
  nova/crypto.py generate_fingerprint used

    ssh-keygen -q -l -f <pubkey_file>

  to generate fingerprints.

  ssh-keygen -qlf is quite happy to process public key matter of the
  form

  cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines@tun

  The issue is the string cert-authority at the beginning of the public
  key matter. This form can appear in authorized_keys to enable multiple
  users on a project to have individual keys certified by a central
  certifying authority providing access to a single administrative
  account.
  The use of ssh certificates is documented here:
  https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

  Steps to reproduce:

  1) Place the string
  """
  cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHlWGrnpirvqvUTySnoQK6ze5oIXz7cYIT+XCBeBCahlK05O38g0erBGrNWFozZwbIXnysVCibaUJqtH0JrYqmcr2NnYA0PoiTeranvaJI7pQsga1gBxfK/D4UItw5yI6V7w9efMT0zpIP8WEubQz6GFtkyiNVgFCHj3+VhLs3RslvYzb35SFcLXEDsGVQM5NdWBUgRaNRqpTPvuMcxTyPvy32wW72kwaYRQioDJFcE2WJ240M2oSsx+dhTWvI8sW1sEUI1qIDfyBPsOgsLofuSpt4ZNgJqBUTp/hW85wVpNzud6A4YJWHpZXSDMtUMYE9QL+x2fw/b26yck9ZPE/ hines@tun
  """
  in a file

  2) Run
     nova keypair-add --pub-key <filename> <keypair name>

  Expected result:
  Then nova keypair-list should now list the key

  Actual result:
  ERROR (BadRequest): Keypair data is invalid: failed to generate fingerprint (HTTP 400)

  Environment:
  OpenStack Liberty release (bug is not present on Kilo)

  Logs:
  Sorry, not available (I'm only a user, not an admin)

  Suggested fix, either:
  1) revert generate_fingerprint to using exec ssh-keygen
  2) generate_fingerprint should strip the string cert-authority from the beginning of the public key matter (if present) before attempting to generate the fingerprint.
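
Suggested fix 2 from the report above, sketched as an added example (not nova's code and not the reporter's): rather than stripping only the literal `cert-authority`, it skips any leading options by locating the token pair where the base64 blob's embedded key-type string matches the token before it, then computes the colon-separated MD5 fingerprint. The function names and the constructed sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct


def _blob_if_type_matches(key_type, b64_text):
    """Decode b64_text; return the blob only if it names key_type internally."""
    try:
        blob = base64.b64decode(b64_text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (name_len,) = struct.unpack(">I", blob[:4])
    # An SSH public key blob starts with a length-prefixed key-type string.
    return blob if blob[4:4 + name_len] == key_type.encode() else None


def parse_public_key(line):
    """Split an authorized_keys-style line into (options, key_type, blob).

    Leading options such as cert-authority are skipped rather than rejected.
    """
    tokens = line.split()
    for i in range(len(tokens) - 1):
        blob = _blob_if_type_matches(tokens[i], tokens[i + 1])
        if blob is not None:
            return " ".join(tokens[:i]), tokens[i], blob
    raise ValueError("no key-type/blob pair found in public key data")


def md5_fingerprint(line):
    """Colon-separated MD5 of the key blob (an identifier, not a security check)."""
    _, _, blob = parse_public_key(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample blob (filler bytes, not a real RSA key).
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(bytes(range(1, 129))))
PLAIN = "ssh-rsa %s user@example" % base64.b64encode(SAMPLE_BLOB).decode()
PREFIXED = "cert-authority " + PLAIN

if __name__ == "__main__":
    print(md5_fingerprint(PLAIN))
    print(md5_fingerprint(PREFIXED))  # same fingerprint, prefix ignored
```

Returning the skipped options alongside the blob lets a caller decide whether to store, log or reject a key submitted with `cert-authority`, since that prefix changes what the key authorizes when it lands in authorized_keys.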