EncryptionFailure: Failed to encrypt text: ssh-keygen: illegal option -- m

Bug #1102501 reported by Johannes Erdfelt
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Davanum Srinivas (DIMS)

Bug Description

A recent change (daa5db3f4e990185522f38d1011cfe37141298fe) requires a recently added feature of ssh-keygen to operate. If running a slightly older version, tests fail with this traceback:

======================================================================
ERROR: nova.tests.test_crypto.EncryptionTests.test_ssh_encrypt_decrypt_text
tags: worker-1
----------------------------------------------------------------------
Empty attachments:
  pythonlogging:'nova'
  stderr
  stdout

Traceback (most recent call last):
  File "/var/lib/jenkins/workspace/nova-virtualenv-debian6/nova/nova/tests/test_crypto.py", line 207, in test_ssh_encrypt_decrypt_text
    enc = crypto.ssh_encrypt_text(self.pubkey, self.text)
  File "/var/lib/jenkins/workspace/nova-virtualenv-debian6/nova/nova/crypto.py", line 211, in ssh_encrypt_text
    raise exception.EncryptionFailure(reason=exc.stderr)
EncryptionFailure: Failed to encrypt text: ssh-keygen: illegal option -- m
usage: ssh-keygen [options]
Options:
  -a trials Number of trials for screening DH-GEX moduli.
  -B Show bubblebabble digest of key file.
  -b bits Number of bits in the key to create.
  -C comment Provide new comment.
  -c Change comment in private and public key files.
  -D pkcs11 Download public key from pkcs11 token.
  -e Convert OpenSSH to RFC 4716 key file.
  -F hostname Find hostname in known hosts file.
  -f filename Filename of the key file.
  -G file Generate candidates for DH-GEX moduli.
  -g Use generic DNS resource record format.
  -H Hash names in known_hosts file.
  -h Generate host certificate instead of a user certificate.
  -I key_id Key identifier to include in certificate.
  -i Convert RFC 4716 to OpenSSH key file.
  -L Print the contents of a certificate.
  -l Show fingerprint of key file.
  -M memory Amount of memory (MB) to use for generating DH-GEX moduli.
  -n name,... User/host principal names to include in certificate
  -N phrase Provide new passphrase.
  -O cnstr Specify a certificate constraint.
  -P phrase Provide old passphrase.
  -p Change passphrase of private key file.
  -q Quiet.
  -R hostname Remove host from known_hosts file.
  -r hostname Print DNS resource record.
  -s ca_key Certify keys with CA key.
  -S start Start point (hex) for generating DH-GEX moduli.
  -T file Screen candidates for DH-GEX moduli.
  -t type Specify type of key to create.
  -V from:to Specify certificate validity interval.
  -v Verbose.
  -W gen Generator to use for generating DH-GEX moduli.
  -y Read private key file and print public key.

This is using OpenSSH 5.5p1 (found in Debian Squeeze). RHEL/CentOS 6 still uses OpenSSH 5.3p1 which also does not have the -m option.

Davanum Srinivas (DIMS) (dims-v) wrote :

Are we looking for a way for the feature to work or skip the tests when ssh-keygen does not support the option?

Changed in nova:
status: New → Confirmed
Johannes Erdfelt (johannes.erdfelt) wrote :

I think it's necessary for the feature to work. This change causes problems on the latest released versions of Debian and RHEL/CentOS (at a minimum).

Davanum Srinivas (DIMS) (dims-v) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21186

Changed in nova:
assignee: nobody → Davanum Srinivas (DIMS) (dims-v)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/21186
Committed: http://github.com/openstack/nova/commit/8d3933d3a12f94b71cf81d86a5c0aa8f63796277
Submitter: Jenkins
Branch: master

commit 8d3933d3a12f94b71cf81d86a5c0aa8f63796277
Author: Davanum Srinivas <email address hidden>
Date: Mon Feb 4 22:35:09 2013 -0500

    replace ssh-keygen -m with a python equivalent

    When running on latest released versions of Debian and RHEL/CentOS
    we get Encryption failure with "ssh-keygen: illegal option -- m"

    Fixes LP# 1102501

    Change-Id: Ia54bf8f3e8d51c8baa09ba67d2e18ad214316989
    NOTE: new dependency on pyasn1 python module

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1
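
The kind of conversion the fix commit describes, as an added example that is not nova's code: the merged change depends on pyasn1, while this sketch hand-encodes DER with the standard library only so it runs without dependencies. It assumes the `ssh-keygen -m` call was the PKCS8 public-key export (`ssh-keygen -e -m PKCS8` in newer OpenSSH) and turns an OpenSSH ssh-rsa line into the equivalent PEM SubjectPublicKeyInfo; all function names and the toy key are constructed for illustration.

```python
import base64

# DER bytes of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed toy key (e=17, n=3233) in SSH wire format; far too small for real use.
SAMPLE = "ssh-rsa " + base64.b64encode(b"".join(
    len(f).to_bytes(4, "big") + f for f in (b"ssh-rsa", b"\x11", b"\x0c\xa1"))).decode()

def read_fields(blob):
    """Split a key blob into uint32-length-prefixed fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        if len(blob) - off < 4 or off + 4 + size > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    return fields

def der(tag, body):
    """Tag-length-value using DER definite lengths (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(value):
    """Non-negative INTEGER, sized so the top (sign) bit of the encoding is 0."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ssh_rsa_to_spki_der(line):
    """OpenSSH 'ssh-rsa AAAA...' line -> DER SubjectPublicKeyInfo."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    fields = read_fields(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("unexpected key blob layout")
    if any(not f or f[0] & 0x80 for f in fields[1:]):
        raise ValueError("mpint must be non-empty and non-negative")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])  # wire order is e, then n
    rsa_key = der(0x30, der_int(n) + der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    algorithm = der(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits

def der_to_pem(spki):
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```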