Launchpad shouldn't accept malformed ssh keys

Bug #230144 reported by Tom Haddon
This bug affects 3 people
Affects: Launchpad itself
Status: Fix Released
Importance: Low
Assigned to: Colin Watson

Bug Description

As discovered when determining which keys were compromised in the LP DB, we currently seem to accept malformed ssh keys. It would be good to only accept valid ssh keys, and then to remove all invalid ones.
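
A structural check of the kind this report asks for, as an added example that is not part of the report and is not Launchpad's own code: it validates a one-line OpenSSH public key (`keytype base64 [comment]`) by decoding the blob and walking its length-prefixed fields. The names `check_public_key`, `MalformedKey`, `FIELD_COUNTS`, `pack_fields` and `read_fields` are hypothetical, the sample key is constructed from dummy bytes, and only three key types are covered.

```python
# Added illustration with hypothetical names; not Launchpad's code.
import base64
import struct
# Length-prefixed fields expected after the type string (RFC 4253, RFC 8709).
FIELD_COUNTS = {"ssh-rsa": 2, "ssh-dss": 4, "ssh-ed25519": 1}

class MalformedKey(ValueError):
    """Raised when a submitted key line is not structurally valid."""

def pack_fields(*fields):
    """Encode byte strings as SSH wire 'string's (uint32 length + data)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def read_fields(blob):
    """Split a decoded key blob back into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 4:
            raise MalformedKey("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if length > len(blob) - offset:
            raise MalformedKey("field runs past end of key data")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields

def check_public_key(line):
    """Return (keytype, comment) for a well-formed key line, else raise."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in FIELD_COUNTS:
        raise MalformedKey("expected '<known keytype> <base64> [comment]'")
    keytype, comment = parts[0], parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        raise MalformedKey("key data is not valid base64")
    fields = read_fields(blob)
    if not fields or fields[0] != keytype.encode("ascii"):
        raise MalformedKey("embedded type does not match declared type")
    if len(fields) - 1 != FIELD_COUNTS[keytype]:
        raise MalformedKey("wrong number of fields for " + keytype)
    if keytype == "ssh-ed25519" and len(fields[1]) != 32:
        raise MalformedKey("ed25519 public key must be 32 bytes")
    return keytype, comment

# Constructed sample (dummy bytes, not a real key): only structure is checked.
SAMPLE = "ssh-ed25519 %s user@example" % base64.b64encode(
    pack_fields(b"ssh-ed25519", bytes(32))).decode("ascii")
```

The check is structural only: it rejects pasted fragments, wrapped or truncated key data, and multi-line export headers such as `---- BEGIN SSH2 PUBLIC KEY ----`, but it says nothing about whether a key is weak.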

Diogo Matsubara (matsubara) wrote :

What do you mean by invalid? Invalid as a malformed ssh key? Or vulnerable keys?

If you mean vulnerable, this is being fixed by bug 229986. I've checked with salgado and his patch doesn't check if the key is malformed or somewhat invalid.

Changed in launchpad:
status: New → Confirmed
status: Confirmed → Incomplete
Tom Haddon (mthaddon) wrote :

I mean malformed. Sorry for not clarifying that.

description: updated
Changed in launchpad:
status: Incomplete → Confirmed
Curtis Hovey (sinzui)
Changed in launchpad-registry:
importance: Undecided → Low
status: Confirmed → Triaged
Andrew Bennetts (spiv) wrote :

Copying a comment from duplicate bug 324120, because it's too easy to miss comments from dupes:

“So the root cause in this [bug 324120's] case seems to be that because Launchpad doesn't understand Putty's publickey file format, users have to do complicated things that are easy to get wrong. If Launchpad accepted Putty-style key files, then this wouldn't happen (and the CreatingAnSSHKeyPair instructions would get simpler). So perhaps that would be a more complete fix.”

That is, even better than rejecting malformed keys is turning them into well-formed keys and accepting them :)

Curtis Hovey (sinzui)
tags: added: ssh
removed: registry
Colin Watson (cjwatson)
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released