default hash function and hash format changed in OpenSSH 6.8 (ssh-keygen)

Bug #1464298 reported by Victor Stinner
Affects                   Status        Importance  Assigned to     Milestone
OpenStack Compute (nova)  Invalid       Low         Victor Stinner
Kilo                      Fix Released  Low         Victor Stinner

Bug Description

The following tests fail on Fedora 22 because ssh-keygen output changed in OpenSSH 6.8:

* nova.tests.unit.api.ec2.test_cloud.CloudTestCase.test_import_key_pair
* nova.tests.unit.compute.test_keypairs.ImportKeypairTestCase.test_success_ssh

Before, OpenSSH used MD5 and hex with colons to display a fingerprint. It now uses SHA256 encoded in base64:

"""
 * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
   command-line flags to the other tools to control algorithm used
   for key fingerprints. The default changes from MD5 to SHA256 and
   format from hex to base64.
"""
http://www.openssh.com/txt/release-6.8

Victor Stinner (vstinner) wrote :

Oh, Nova master doesn't use ssh-keygen anymore since https://review.openstack.org/#/c/157931/ was merged?

The change was backported to Juno: https://review.openstack.org/#/c/189814/

Maybe we also need to backport it to Kilo?

Victor Stinner (vstinner) wrote :

To be clear: master is not affected (works on Fedora 22), only Kilo and older versions are affected. I see how to specify affected versions on Launchpad.

tags: added: crypto fedora
tags: added: kilo-backport-potential
Markus Zoeller (markus_z) (mzoeller) wrote :
Changed in nova:
status: New → Confirmed
Eric Brown (ericwb) wrote :
Changed in nova:
assignee: nobody → Eric Brown (ericwb)
importance: Undecided → Low
Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/191847

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/kilo)

Change abandoned by Eric Brown (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/191206

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/juno)

Change abandoned by Artom Lifshitz (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/189814
Reason: Abandoning because of the -2 on the corresponding kilo patch [1]. Should change to something similar to [2] once the latter is merged.

[1] https://review.openstack.org/#/c/191206/
[2] https://review.openstack.org/#/c/191847/

Eric Brown (ericwb)
Changed in nova:
assignee: Eric Brown (ericwb) → Victor Stinner (victor-stinner)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/191847
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8280575b0b6772f1895e4df80cc74711ce12f038
Submitter: Jenkins
Branch: stable/kilo

commit 8280575b0b6772f1895e4df80cc74711ce12f038
Author: Victor Stinner <email address hidden>
Date: Mon Jun 15 16:10:45 2015 +0200

    Support ssh-keygen of OpenSSH 6.8

    OpenSSH 6.8 changed the default hash method to SHA256. OpenSSH 6.7 and
    older don't support the -E command line option to specify the hash
    method.

    First try without -E since most Linux distributions for OpenStack Kilo
    still use OpenSSH 6.7. If OpenSSH 6.8 or newer is detected (hash method
    specified in the output), call ssh-keygen again with -E md5 to hash the
    fingerprint using MD5.

    This change fixes the two following tests on Fedora 22:

    * nova.tests.unit.api.ec2.test_cloud.CloudTestCase.test_import_key_pair
    * nova.tests.unit.compute.test_keypairs.ImportKeypairTestCase.test_success_ssh

    Add two unit tests mocking OpenSSH 6.7 and 6.8 outputs.

    Closes-bug: #1464298
    Change-Id: I867684c36377e5c1e5ca5d33e3fc2f1795f44e06

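As an added example (not code from Nova or from the commit above), here is the detect-and-retry strategy the commit message describes, together with a parser for both `ssh-keygen -l` output formats and an in-process fingerprint computation so a unit test need not depend on the installed OpenSSH. The `run` callable, the `pubkey_path` argument and the ed25519 sample key are assumptions constructed for the example.

```python
import base64
import hashlib
import re
import struct

# Pre-6.8 "ssh-keygen -l" line: "<bits> <16 colon-separated hex pairs> <comment> (<TYPE>)"
_OLD_RE = re.compile(r'^(\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2}) (.*) \((\w+)\)$')
# 6.8+ line: "<bits> <HASH>:<digest> <comment> (<TYPE>)"; "-E md5" yields MD5:<colon hex>
_NEW_RE = re.compile(r'^(\d+) (MD5|SHA256):(\S+) (.*) \((\w+)\)$')


def parse_keygen_line(line):
    """Return (hash_name, digest) for either output format, or None if unrecognised."""
    line = line.strip()
    m = _OLD_RE.match(line)
    if m:
        return 'MD5', m.group(2)  # the old format never names the hash: it is always MD5
    m = _NEW_RE.match(line)
    return (m.group(2), m.group(3)) if m else None


def md5_fingerprint_via_keygen(run, pubkey_path):
    """The commit's strategy: run without -E (6.7 rejects it); re-run with -E md5 on 6.8+ output.

    `run` is a hypothetical callable taking an argv list and returning ssh-keygen's stdout.
    """
    parsed = parse_keygen_line(run(['ssh-keygen', '-q', '-l', '-f', pubkey_path]))
    if parsed is not None and parsed[0] != 'MD5':  # 6.8+ default is SHA256: ask for MD5 explicitly
        parsed = parse_keygen_line(run(['ssh-keygen', '-q', '-l', '-E', 'md5', '-f', pubkey_path]))
    if parsed is None or parsed[0] != 'MD5':
        raise ValueError('unrecognised ssh-keygen output')
    return parsed[1]


def fingerprint(public_key, hash_name='SHA256'):
    """Compute the fingerprint in-process from an authorized_keys-style line (no ssh-keygen needed)."""
    blob = base64.b64decode(public_key.split()[1])  # the fingerprint covers the raw key blob
    if hash_name == 'MD5':
        digest = hashlib.md5(blob).hexdigest()
        return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))
    raw = hashlib.sha256(blob).digest()
    return base64.b64encode(raw).decode('ascii').rstrip('=')  # OpenSSH drops base64 padding


def constructed_ed25519_key():
    """Constructed sample key: wire format is two length-prefixed strings (type name, 32-byte point)."""
    point = bytes(range(32))  # not a real key, just 32 deterministic bytes
    blob = struct.pack('>I', 11) + b'ssh-ed25519' + struct.pack('>I', 32) + point
    return 'ssh-ed25519 ' + base64.b64encode(blob).decode('ascii') + ' sample@example'
```

Passing a fake `run` that returns the 6.7-style line, or the SHA256 line unless `-E` is in argv, reproduces the two mocked cases the commit's unit tests cover.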
Sean Dague (sdague)
Changed in nova:
status: In Progress → Invalid