Hi Guys,
thanks for taking an interest in this bug (I was afraid it wouldn't get any interest since very few people use this very useful feature of OpenSSHd). A couple of things I should point out:
1) Augustina identified the commit that broke things but missed a subsequent commit to the code:
http://git.openstack.org/cgit/openstack/nova/commit/?id=452fe92787ff871417846748fc13e2a6a2899325
which moves the upstream dependency from paramiko to cryptography
2) The issue of using a cert-authority in ssh_known_hosts to authenticate hosts to users is related (and indeed they should both be fixed by the upstream dependency) but I think the issue of using a cert-authority to authenticate users (via either ~/.ssh/authorized_keys or the /etc/ssh/sshd_config TrustedUserCA option) is more important.
3) Another related case is the use of SSH_FORCE_COMMAND in the authorized_keys file. I'm not sure if anyone has ever tried this (indeed it probably makes more sense as cloud-init user data) but it might be useful to be able to set a pub key with a restricted shell in nova. For example this (taken from /root/.ssh/authorized_keys)
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"debian\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgG1+9o2Bryv/1hPfRzzrZp7GmBx4NenAxNoG5koZGV/+1Y/UyeYKp8Ho7DKp2xHQbvJTLd2PcEo+mRgknnaSX/sLoxN099hMHM2T6K9shkGRLP8m+RGSTa5kWjwaDJ5rWwtH06Oj7e84sJh1Wv2IAPCmpK0PqkNcv2GFsALhVgcIW27zBb7o2Yg5yUahnpuwBcojocG172wGSsYQw7sAXPbS+W2ohtBwPeI9aL0ET3W5isKR6zcTuLmulvgMvD9qVKJGaAQMfZrlIKyDpHNUcWCOi9xk4oLBT3nAwMfzvSxMU73nNEX29L0M1eTB6ab4Lnn54rlHPOsO538TsPjt5 hines@tun
is acceptable to ssh-keygen -qlf but would fail with either paramiko or cryptography
Please let me know if there is anything I can help with or who I should submit merge requests to. I'm happy to generate test cases and fixes (just a little unsure on the appropriate procedure around here)
Cheers,
--
Chris.
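As an added example (not code from the bug report, nova, paramiko or cryptography), the following parser handles an authorized_keys line the way sshd does: it first tries to read "type base64 [comment]" and, if that fails, treats the leading field as the options list (cert-authority, command="..." and friends) and retries. The sample input is the authorized_keys line quoted in the comment above; the helper names are my own.

```python
import base64
import struct

# Sample input: the authorized_keys line quoted in the comment above.
SAMPLE_LINE = (
    "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command=\"echo "
    "'Please login as the user \\\"debian\\\" rather than the user \\\"root\\\".';"
    "echo;sleep 10\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgG1+9o2Bryv/1hPfRzzrZp7GmBx4NenAxNoG5koZGV/+1Y/UyeYKp8Ho7DKp2xHQbvJTLd2PcEo+mRgknnaSX/sLoxN099hMHM2T6K9shkGRLP8m+RGSTa5kWjwaDJ5rWwtH06Oj7e84sJh1Wv2IAPCmpK0PqkNcv2GFsALhVgcIW27zBb7o2Yg5yUahnpuwBcojocG172wGSsYQw7sAXPbS+W2ohtBwPeI9aL0ET3W5isKR6zcTuLmulvgMvD9qVKJGaAQMfZrlIKyDpHNUcWCOi9xk4oLBT3nAwMfzvSxMU73nNEX29L0M1eTB6ab4Lnn54rlHPOsO538TsPjt5 hines@tun"
)

def _skip_options(line):
    # Scan past the options field like sshd: honour double quotes and \" escapes.
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 1                      # skip the escaped character too
        elif c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()

def _read_string(blob, off):
    # One length-prefixed SSH string from the wire-format blob.
    if len(blob) < off + 4: raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _parse_fields(options, rest):
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("need key type and base64 data")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    embedded, off = _read_string(blob, 0)   # blob starts with its own type name
    if embedded != keytype.encode():
        raise ValueError("declared type %r != blob type %r" % (keytype, embedded))
    bits = None
    if keytype == "ssh-rsa":                # then e (mpint) and n (mpint) follow
        _e, off = _read_string(blob, off)
        bits = int.from_bytes(_read_string(blob, off)[0], "big").bit_length()
    return {"options": options, "type": keytype, "bits": bits,
            "comment": parts[2] if len(parts) == 3 else ""}

def parse_authorized_key(line):
    # Like sshd: try "type base64 [comment]"; if that fails, skip options, retry.
    line = line.strip()
    try:
        return _parse_fields("", line)
    except ValueError:
        return _parse_fields(*_skip_options(line))
```

A validator that only accepts "type base64 [comment]" rejects both the forced-command line above and a cert-authority entry, which is the failure the comment describes; the retry step is what makes them parse.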