ssh-keygen-to-Paramiko change breaks third-party tools
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Low | Corey Wright |
Bug Description
Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko library [1][2] changed (unintentionally?) the ASN.1 encoding format of SSH private keys from DER to BER. (DER is a strict subset of BER, so anything that can read BER can read DER, but not necessarily the other way around.)
Some third-party tools only support DER and this has created at least one issue [3] (specifically because Go's standard library only supports DER).
I have provided Paramiko with a small change that makes its SSH private key output equal to OpenSSH's ssh-keygen output (and presumably DER formatted) [4].
Providing a change to Paramiko is just one method of addressing this backwards-
[1] https:/
[2] http://
[3] https:/
[4] https:/
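The DER/BER difference described above, as an added example that is not part of the bug report and is not Paramiko or nova code: a small Python walker that flags three DER rules BER relaxes (indefinite lengths, non-minimal length octets, redundant leading bytes in an INTEGER). The byte strings are constructed samples; the report does not say which rule Paramiko's output broke.

```python
# Added example (not Paramiko or nova code): report where BER bytes break DER rules.
# Handles single-byte tags only, which covers SEQUENCE and INTEGER.

def der_violations(data, offset=0, end=None):
    """Walk ASN.1 TLVs and return a list of DER violations found."""
    problems = []
    end = len(data) if end is None else end
    while offset < end:
        where = f"offset {offset}"
        if offset + 2 > end:
            raise ValueError(f"{where}: truncated header")
        tag, first = data[offset], data[offset + 1]
        offset += 2
        if first < 0x80:                        # short form: always minimal
            length = first
        elif first == 0x80:                     # indefinite length is BER-only
            problems.append(f"{where}: indefinite length")
            return problems                     # cannot size the value; stop here
        else:                                   # long form: next n bytes hold the length
            n = first & 0x7F
            if offset + n > end:
                raise ValueError(f"{where}: truncated length octets")
            raw = data[offset:offset + n]
            length = int.from_bytes(raw, "big")
            offset += n
            if raw[0] == 0 or length < 0x80:    # DER demands the shortest form
                problems.append(f"{where}: length {length} not minimally encoded")
        body_end = offset + length
        if body_end > end:
            raise ValueError(f"{where}: value runs past end of input")
        body = data[offset:body_end]
        if tag == 0x02 and len(body) > 1:       # INTEGER: no redundant sign bytes
            if (body[0] == 0x00 and body[1] < 0x80) or (body[0] == 0xFF and body[1] >= 0x80):
                problems.append(f"{where}: INTEGER has redundant leading byte")
        if tag & 0x20:                          # constructed: check children too
            problems += der_violations(data, offset, body_end)
        offset = body_end
    return problems

# Constructed samples: SEQUENCE { INTEGER 0, INTEGER 127 } in two encodings.
DER_SAMPLE = bytes.fromhex("3006 020100 02017f")
BER_SAMPLE = bytes.fromhex("308108 020100 020300007f")

if __name__ == "__main__":
    for name, blob in (("DER", DER_SAMPLE), ("BER", BER_SAMPLE)):
        print(name, der_violations(blob) or "strict DER")
```

To check a real key, base64-decode the body of the PEM file and pass the resulting bytes to `der_violations`.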
summary:
- ssh-keygen-to-paramiko change breaks third-party tools
+ ssh-keygen-to-Paramiko change breaks third-party tools
tags: added: encryption security
tags: added: crypto removed: encryption
Changed in nova:
assignee: nobody → Eric Brown (ericwb)
Changed in nova:
assignee: Eric Brown (ericwb) → nobody
Changed in nova:
status: Won't Fix → Confirmed
importance: Undecided → Low
Changed in nova:
assignee: Sean Dague (sdague) → Corey Wright (coreywright)
Note: The backport of this change to stable/kilo got stopped [1].
[1] https://review.openstack.org/#/c/191206/