Comment 2 for bug 1613199

Chris Hines (chris-hines) wrote : Re: nova does not accept ssh certificate authorities (regression)

Hi Guys,
thanks for taking an interest in this bug (I was afraid it wouldn't get any interest since very few people use this very useful feature of OpenSSHd). A couple of things I should point out:

1) Augustina identified the commit that broke things but missed a subsequent commit to the code:

http://git.openstack.org/cgit/openstack/nova/commit/?id=452fe92787ff871417846748fc13e2a6a2899325

which moves the upstream dependency from paramiko to cryptography

2) The issue of using a cert-authority in ssh_known_hosts to authenticate hosts to users is related (and indeed they should both be fixed by the upstream dependency) but I think the issue of using a cert-authority to authenticate users (via either ~/.ssh/authorized_keys or the /etc/ssh/sshd_config TrustedUserCA option) is more important.

3) Another related case is the use of SSH_FORCE_COMMAND in the authorized_keys file. I'm not sure if anyone has ever tried this (indeed it probably makes more sense as cloud-init user data) but it might be useful to be able to set a pub key with a restricted shell in nova. For example this (taken from /root/.ssh/authorized_keys)

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"debian\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgG1+9o2Bryv/1hPfRzzrZp7GmBx4NenAxNoG5koZGV/+1Y/UyeYKp8Ho7DKp2xHQbvJTLd2PcEo+mRgknnaSX/sLoxN099hMHM2T6K9shkGRLP8m+RGSTa5kWjwaDJ5rWwtH06Oj7e84sJh1Wv2IAPCmpK0PqkNcv2GFsALhVgcIW27zBb7o2Yg5yUahnpuwBcojocG172wGSsYQw7sAXPbS+W2ohtBwPeI9aL0ET3W5isKR6zcTuLmulvgMvD9qVKJGaAQMfZrlIKyDpHNUcWCOi9xk4oLBT3nAwMfzvSxMU73nNEX29L0M1eTB6ab4Lnn54rlHPOsO538TsPjt5 hines@tun

is acceptable to ssh-keygen -qlf but would fail with either paramiko or cryptography

Please let me know if there is anything I can help with or who I should submit merge requests to. I'm happy to generate test cases and fixes (just a little unsure of the appropriate procedure around here)

Cheers,
--
Chris.
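
The parsing gap the comment above describes, as an added example that is not part of the bug thread and is not nova's, paramiko's or cryptography's code: an authorized_keys line may carry a comma-separated options field (cert-authority, no-port-forwarding, command="..." with quoted spaces, commas and escaped quotes) before the key type, and a validator that takes the first whitespace-delimited token as the key type rejects every such line. The parser below follows the authorized_keys grammar from sshd(8): it strips the options field honouring quotes and backslash escapes, decodes the base64 blob, checks that the blob's leading wire-format string repeats the declared key type (which is what makes `ssh-keygen -lf` accept the line), and returns the SHA256 fingerprint. The KEY_TYPES set, the `naive_key_type` stand-in for the old behaviour, and the sample lines and key blob are my constructions: the blob is a syntactically valid ssh-ed25519 key whose key bytes are a fixed pattern, not a real key.

```python
"""Parse OpenSSH authorized_keys lines, options field included (added example)."""
import base64
import hashlib
import struct

# Key types accepted here (assumption); a leading token outside this set is an options field.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def naive_key_type(line):
    """The fragile behaviour: first whitespace-delimited token must be the key type.
    Returns None for any line carrying an options prefix, which is the regression."""
    parts = line.split()
    return parts[0] if parts and parts[0] in KEY_TYPES else None


def _split_options_field(text):
    """Return (options, rest): the options field ends at the first whitespace that is
    outside double quotes; a backslash inside quotes escapes the next character."""
    i, in_quote = 0, False
    while i < len(text):
        ch = text[i]
        if in_quote and ch == "\\":
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            break
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in options field")
    return text[:i], text[i:].strip()


def _split_options(field):
    """Split an options field on commas that are outside double quotes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(field):
        ch = field[i]
        if in_quote and ch == "\\":
            cur.append(field[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_authorized_key(line):
    """Parse one authorized_keys line; raise ValueError on anything sshd would not load."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = [], line
    else:
        field, rest = _split_options_field(line)
        options = _split_options(field)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64: %s" % exc)
    # SSH wire format: the first length-prefixed string must repeat the declared type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key blob type does not match declared type %r" % key_type)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "options": options,
        "cert_authority": "cert-authority" in options,
        "key_type": key_type,
        "blob": blob,
        "comment": comment,
        "fingerprint": "SHA256:" + digest,
    }


def is_valid_authorized_key(line):
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample blob: well-formed ssh-ed25519 wire format around a fixed 32-byte pattern.
SAMPLE_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()

# Constructed lines in the three shapes discussed: plain, forced command, cert-authority.
PLAIN_LINE = "ssh-ed25519 " + SAMPLE_B64 + " example@host"
FORCED_COMMAND_LINE = (
    r'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,'
    r'command="echo \"Please login as debian, not root\"; sleep 10" '
    + "ssh-ed25519 " + SAMPLE_B64 + " example@host"
)
CERT_AUTHORITY_LINE = 'cert-authority,principals="ops" ssh-ed25519 ' + SAMPLE_B64 + " user-ca"

if __name__ == "__main__":
    for line in (PLAIN_LINE, FORCED_COMMAND_LINE, CERT_AUTHORITY_LINE):
        print("naive:", naive_key_type(line), "| full:", parse_authorized_key(line)["fingerprint"])
```

Running the block shows `naive_key_type` returning None for the forced-command and cert-authority lines while `parse_authorized_key` accepts all three and yields the same fingerprint for each, since they wrap the same blob. Writing any of the lines to a file and running `ssh-keygen -lf` on it gives the same acceptance. The type-consistency check on the blob is the part worth keeping in any validator: it rejects a line whose declared type and encoded key disagree without needing a full key parser.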