Add support for Ed25519 SSH keys

Bug #907675 reported by Pim Vullers
This bug affects 136 people
Affects           Status        Importance  Assigned to   Milestone
Launchpad itself  Fix Released  Low         Colin Watson
lazr.sshserver    Fix Released  Low         Colin Watson
turnip            Fix Released  Low         Colin Watson
txpkgupload       Fix Released  Low         Colin Watson

Bug Description

When I wanted to add my ECDSA SSH2 key I got the message that the key was invalid. This is probably because those keys use a different key identifier structure than the RSA and DSA keys. Please improve the detection to also add support for the newest kind of SSH keys.

The key I tried to add:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISztakMuof8TXWJMb9IpHdntowby/QVs6flRj7BiWwQQF5LNC0ByGHb53T2fWKYF8Jig4l70D3j4t1vJ6FZQ3g= pim@chaos

Tags: qa-ok


Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
William Grant (wgrant)
summary: - Add support for ECDSA SSH keys
+ Add support for ECDSA and Ed25519 SSH keys
Revision history for this message
Unit 193 (unit193) wrote : Re: Add support for ECDSA and Ed25519 SSH keys

This is currently blocked by https://twistedmatrix.com/trac/ticket/5350 which could be partially fixed by http://twistedmatrix.com/trac/ticket/7413, except Ed25519 which would still need https://github.com/pyca/cryptography/issues/856.

http://twistedmatrix.com/trac/ticket/7693 would also be needed for the pyCA support.

Colin Watson (cjwatson)
information type: Public → Public Security
Revision history for this message
Damien Cassou (cassou) wrote :

There has been update on http://twistedmatrix.com/trac/ticket/7413. Please update launchpad to take into account ecdsa keys. And it would be nice to also support Ed25519. Thanks

Revision history for this message
Colin Watson (cjwatson) wrote :

Don't get too excited. The movement on Twisted #7413 is a necessary prerequisite, but Twisted Conch still doesn't actually have concrete support for ECDSA keys, and Ed25519 is complicated further by the linked cryptography issue.

Revision history for this message
Sami Olmari (olmari) wrote :

ED25519 key I'd like to use too, so I'm just making noise here :)

Revision history for this message
Bert JW Regeer (bregeer-ctl) wrote :

OpenSSH on OS X sends ed25519 before rsa, this causes a hang until timeout:

https://bugs.launchpad.net/turnip/+bug/1621238

Revision history for this message
Unit 193 (unit193) wrote :

http://twistedmatrix.com/trac/ticket/8798 is progress towards both keys, and looks like ECDSA got support with http://twistedmatrix.com/trac/ticket/8828, now just Ed25519 is in https://twistedmatrix.com/trac/ticket/8966 (Though, http://twistedmatrix.com/trac/ticket/8854 might hold things up a tad.)

Still, there's progress and that's good.

Revision history for this message
lszyba1 (szybalski) wrote :

Hello,
Could somebody that is handling this ticket change the importance to major.
I'm unable to use launchpad without that key support.
My work requires it:
.ssh/id_ed25519.pub

I was hoping to convert some of the my bzr repo to git, and start using launchpad again and test drive the new git repo features in launchpad.

Please let me know who I need to contact to get this enabled?
Thank you
Lucas

Revision history for this message
Colin Watson (cjwatson) wrote :

There's not much point arguing about the formal Importance of this bug. The reality is that we have the following chain of dependencies before we can fix this:

 1) upgrade Launchpad production to xenial (in progress)
 2) convert Launchpad build system to pip, so that we're no longer blocked on upgrading Twisted by conflicts between zc.buildout and pbr
 3) wait for a version of Twisted to be released that supports ED25519 keys
 4) upgrade to that version of Twisted

We already consider 1) and 2) to be high-priority, but 3) is out of our hands for the time being. Debating the value of the Importance field isn't going to speed anything up.

Revision history for this message
Colin Watson (cjwatson) wrote :

Update: we finished upgrading Launchpad production to xenial earlier this year; I just landed the conversion of our build system to pip; and I have a branch in progress to upgrade us to Twisted 16.5.0.

The upstream Twisted work doesn't seem to have finished yet, so we may be near the point where we've done everything we can for the time being. Versions of Twisted newer than 16.5.0 remove gmpy integration, so we'll need to take some care to avoid regressing performance on new connections, but that's doable.

Colin Watson (cjwatson)
Changed in lazr.sshserver:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
Changed in turnip:
status: New → Triaged
importance: Undecided → Low
Changed in txpkgupload:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Colin Watson (cjwatson) wrote :

lazr.sshserver 0.1.8 adds the baseline SSH authentication support that we need.

Changed in lazr.sshserver:
status: In Progress → Fix Released
Colin Watson (cjwatson)
Changed in turnip:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Changed in txpkgupload:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Colin Watson (cjwatson) wrote :

turnip (git.launchpad.net) and txpkgupload (upload.ubuntu.com and ppa.launchpad.net) now have the necessary support for ECDSA, although this won't be effective until my next Launchpad branch is deployed. Both will need further upgrades once Twisted supports Ed25519.

Changed in turnip:
status: In Progress → Triaged
Changed in txpkgupload:
status: In Progress → Triaged
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Colin Watson (cjwatson) wrote :

Launchpad now supports ECDSA keys. Note also that the problem where merely sending unsupported key types to Launchpad used to cause an authentication hang, as mentioned in comment #5, has been fixed for a while (see bug 830679).

I don't plan to advocate particularly strongly for people to use ECDSA keys with Launchpad by default, as there are some theoretical concerns about ECDSA (the origins of the particular chosen curves are murky and some people find that suspicious, and it shares the same weakness in the face of poor random number generators that DSA has; on the other hand, it allows effectively-much-better key lengths). Those concerns aren't enough to refuse support as long as OpenSSH thinks it appropriate to support them, but at the moment I would still recommend RSA out of the set of public key algorithms we offer.

Ed25519 is still blocked on having support for it in Twisted, but Launchpad is now essentially current on Twisted releases so it should be very easy for us to add support once that blocker is resolved. Once that happens, I would be very happy to advocate for the use of Ed25519 with Launchpad.

Changed in launchpad:
status: In Progress → Triaged
Revision history for this message
Ondřej Surý (ondrej) wrote :

Thank you.

> and it shares the same weakness in the face of poor random number generators that DSA has

Depends, see RFC 6979.

> Ed25519 is still blocked on having support for it in Twisted.

Is this related to using Ed25519 OpenPGP keys? Or is it a separate issue?

Revision history for this message
Colin Watson (cjwatson) wrote :

> Depends, see RFC 6979.

That's a fair point. OpenSSL 1.1 implements a variant of this which essentially hashes together some random data with the private key and the message, so it's non-deterministic but should still avoid the classic attack on (EC)DSA when the RNG is weak. And, of course, PuTTY implemented something similar for its DSA implementation way back in 2001, and carried that over to ECDSA as well, so PuTTY users should be safe.

Unfortunately, OpenSSL 1.0 *doesn't* implement this strengthening of how the k parameter in (EC)DSA is generated, and OpenSSL 1.1 was a major API change that OpenSSH hasn't yet adapted to (although there has been some gradual progress on that front, and some people have applied a patch against upstream's advice; if you follow debian-devel then you've probably seen me debating what to do about that). So that still leaves a lot of clients vulnerable to this attack in practice, if their random number generator happens to be weak.

> Is this related to using Ed25519 OpenPGP keys? Or is it a separate issue?

That's separate; comment #6 has the details. The problem with Ed25519 OpenPGP keys is that they require GnuPG 2, and getting that to work in non-interactive contexts is a real pain due to the way it likes to spawn opportunistic daemon processes. I did try to get Launchpad's test suite to work with it when we were upgrading to run on Ubuntu 16.04 a while back, but I ended up giving up and forcing GnuPG 1 for now. If you need this, then it'd be a good idea to file a separate bug so that we remember that we need to work on it.
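The mechanism described above, as an added example that is not OpenSSL's, PuTTY's or Twisted's code: RFC 6979 derives the (EC)DSA nonce k from the private key and the message hash with an HMAC-based DRBG, so a weak RNG can no longer produce repeated or predictable k. The optional `extra` argument is the "additional data" input from section 3.6 of the RFC, which gives the same kind of non-deterministic-but-hedged behaviour attributed to OpenSSL 1.1 in the comment. The private key and messages are constructed sample values, and P-256's group order is used as q.

```python
"""RFC 6979 deterministic nonce derivation for (EC)DSA, with the optional
additional-data hedge of section 3.6. Added example, not OpenSSL or Twisted code."""
import hashlib
import hmac

# Order of the NIST P-256 group (q in RFC 6979's notation).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed sample private key for the demo; not a real key.
EXAMPLE_PRIVATE_KEY = 0x7C0D5A0E1B2F3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5


def _bits2int(data, qlen):
    """Leftmost qlen bits of data as an integer (RFC 6979 section 2.3.2)."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _bits2octets(data, q, qlen, rlen):
    """bits2int, reduced mod q, re-encoded as rlen bytes (section 2.3.4)."""
    return (_bits2int(data, qlen) % q).to_bytes(rlen, "big")


def rfc6979_nonce(private_key, message, q=P256_ORDER, hash_name="sha256", extra=b""):
    """Derive the nonce k for signing `message` with `private_key` modulo `q`.

    With extra=b"" this is the deterministic construction of section 3.2: the
    same key and message always give the same k, and nothing depends on an RNG.
    A non-empty `extra` (e.g. fresh random bytes) is the section 3.6 variant:
    k varies per signature, but a broken RNG only removes that variation,
    it never makes k predictable from the signature alone.
    """
    if not 0 < private_key < q:
        raise ValueError("private key out of range")
    h = getattr(hashlib, hash_name)
    hlen = h().digest_size
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    x_bytes = private_key.to_bytes(rlen, "big")          # int2octets(x)
    h1_bytes = _bits2octets(h(message).digest(), q, qlen, rlen)  # bits2octets(H(m))
    mac = lambda key, data: hmac.new(key, data, h).digest()
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + x_bytes + h1_bytes + extra)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x_bytes + h1_bytes + extra)
    V = mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range (rare): reseed and try again, as section 3.2 step h.3
        K = mac(K, V + b"\x00")
        V = mac(K, V)


if __name__ == "__main__":
    print(hex(rfc6979_nonce(EXAMPLE_PRIVATE_KEY, b"sample")))
```

RFC 6979 appendix A.2.5 publishes P-256/SHA-256 test vectors that an implementation like this should be checked against before any real use.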

Revision history for this message
Ondřej Surý (ondrej) wrote :

> OpenSSL 1.1 implements a variant of this

Yeah, it's a shame that RFC 6979 implementation didn't get into OpenSSL 1.1.x yet - I was looking at it the other day while refactoring BIND 9's crypto and I wanted to get rid of random calls in (EC)DSA algorithms. (GnuTLS has already implemented this.)

> If you need this

Nah, I was just curious :). Thanks for the answers.

Revision history for this message
Kain (kain-kain) wrote :

If this isn't expected to progress this year even, you could at least add documentation and reference to the UI for SSH key management.

Revision history for this message
Colin Watson (cjwatson) wrote :

What documentation are you looking for? It does specify which key types are permitted.

I think there's some hope of progress though. I've been working on a prerequisite for this in Twisted (https://github.com/twisted/twisted/pull/1053), and once that lands I think I might pick up the stalled Ed25519 issue.

Revision history for this message
Kain (kain-kain) wrote :

Calling out such a limitation directly on https://launchpad.net/%7Euser/+editsshkeys I think would be the easiest. Otherwise, there's no indicator that now-common keytypes may not be allowed.

Colin Watson (cjwatson)
summary: - Add support for ECDSA and Ed25519 SSH keys
+ Add support for Ed25519 SSH keys
Revision history for this message
Colin Watson (cjwatson) wrote :

I guess there might be some justification for that. I'm pushing a branch for review now.

Revision history for this message
James McCoy (jamessan) wrote :

I see the ECDSA part was removed from the subject, but last I tried (~2 weeks ago) a 521 bit ecdsa key didn't work.

Revision history for this message
Colin Watson (cjwatson) wrote :

@jamessan, please could you file a separate bug explaining what happened?

Revision history for this message
James McCoy (jamessan) wrote :
Revision history for this message
Colin Watson (cjwatson) wrote :

(The ECDSA problem was specific to bazaar.launchpad.net, and is fixed now; more details in the log of the bug @jamessan filed.)

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: Triaged → In Progress
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
dkg (dkg0) wrote :

thanks for the work, @cjwatson. what will it take to get ed25519 available on launchpad.net?

Revision history for this message
Colin Watson (cjwatson) wrote :

@dkg0 We need to fix https://twistedmatrix.com/trac/ticket/8966. I think it ought to be done in a few more pieces than the current (partial and now stale) PR for it though; first we need to add support for writing the openssh-key-v1 private key format (I added support for reading it a few months back), and then Ed25519 on top of that.

There's also https://github.com/pyca/cryptography/issues/3509. But realistically we aren't going to have a sufficient version of OpenSSL on Launchpad production systems for quite a while (the bug-fixed version that cryptography needs hasn't even been released yet; I'm not comfortable with running a version of OpenSSL not receiving Ubuntu security support on Launchpad production; and we're currently on 16.04, but even 18.04 doesn't have 1.1.1). I think in practice that means that we'll need to ensure that Twisted has a fallback to some other mechanism, perhaps something based on PyNaCl. I haven't fully worked out the details of that yet.

Airkm (airkm)
information type: Public Security → Private
William Grant (wgrant)
information type: Private → Public
Revision history for this message
Colin Watson (cjwatson) wrote :

It's been a while and there's been some progress, so here's an update:

 * cryptography 2.6 has been released with X25519 and Ed25519 support.
 * Ubuntu 18.04 has been updated to OpenSSL 1.1.1.
 * I've pushed PRs to Twisted (https://twistedmatrix.com/trac/ticket/9681 and https://twistedmatrix.com/trac/ticket/9682) to begin the process of being able to write OpenSSH's newish (v1) private key format, which is the only format OpenSSH supports for Ed25519 keys; while this isn't strictly needed in order to support Ed25519 as a server, doing this first makes the patch series much more manageable.

Still to do:

 * Finish support for writing OpenSSH v1 private keys (https://twistedmatrix.com/trac/ticket/9683).
 * Add curve25519-sha256 key exchange support to Twisted. (I have a tested branch for this, waiting on the items above.)
 * Add Ed25519 key support to Twisted. (I have a tested branch for this, waiting on the items above.)
 * Either:
  * Upgrade Ubuntu 18.04 to OpenSSL 1.1.1b or newer (1.1.1 had a signature verification bug: https://github.com/openssl/openssl/issues/7693), and upgrade the relevant Launchpad production systems from Ubuntu 16.04 to 18.04, which may be tractable; or:
  * Add a fallback mechanism to Twisted allowing it to support Ed25519 keys using PyNaCl or similar if a sufficient version of OpenSSL isn't installed.
 * Wait for a Twisted release with all this in it, and upgrade Launchpad to it. We're on a relatively recent version at the moment, so this part should be easy enough.

elhadji (elhadji-ndoye)
Changed in launchpad:
assignee: Colin Watson (cjwatson) → elhadji (elhadji-ndoye)
Changed in txpkgupload:
assignee: Colin Watson (cjwatson) → elhadji (elhadji-ndoye)
Changed in turnip:
assignee: Colin Watson (cjwatson) → elhadji (elhadji-ndoye)
Changed in lazr.sshserver:
assignee: Colin Watson (cjwatson) → elhadji (elhadji-ndoye)
Colin Watson (cjwatson)
Changed in launchpad:
assignee: elhadji (elhadji-ndoye) → Colin Watson (cjwatson)
Changed in lazr.sshserver:
assignee: elhadji (elhadji-ndoye) → Colin Watson (cjwatson)
Changed in turnip:
assignee: elhadji (elhadji-ndoye) → Colin Watson (cjwatson)
Changed in txpkgupload:
assignee: elhadji (elhadji-ndoye) → Colin Watson (cjwatson)
Revision history for this message
Christian Reis (kiko) wrote :

Colin, it looks like the Twisted PRs you listed in comment #29 are all fixed, which is great. Did your additional (key and key exchange) PRs get reviewed?

Revision history for this message
Colin Watson (cjwatson) wrote :

The current blocker is https://github.com/twisted/twisted/pull/1202, which has had one review but isn't yet landed. Once that happens I'll push my branch for the actual Ed25519 key type, which is otherwise ready to go.

That still leaves the deployment issues I mentioned. IIRC from the last time I asked distro folks about this, upgrading Ubuntu 18.04 to OpenSSL 1.1.1b wasn't likely to be viable, as the changes were rather more invasive than the version difference suggests; so we probably are going to need some form of PyNaCl-based fallback code regardless. I haven't started on this yet.

Revision history for this message
Colin Watson (cjwatson) wrote :
Revision history for this message
Viorel-Cosmin Miron (uhl-hosting) wrote :

2011.

Revision history for this message
Christian Reis (kiko) wrote :

Looks like the patch in merge 1210 is failing tests on Windows. If you need any help with that let me know.

Colin, could you use a backport (or PPA-hosted) libssl 1.1.1b or is there more to it?

Revision history for this message
Colin Watson (cjwatson) wrote :

The Windows failures were an unrelated problem (https://twistedmatrix.com/trac/ticket/9760), now fixed or at least worked around.

We *could* use a backport of OpenSSL, but I'm extremely reluctant to do so for Launchpad production since that would mean tracking security updates ourselves, with OpenSSL being something that frequently gets security updates. I'm working on a PyNaCl-based approach instead.

Revision history for this message
Ole-Martin Bratteng (ombratteng) wrote :

Also doesn't support the new sk-ecdsa and sk-ed25519 keys

Revision history for this message
Colin Watson (cjwatson) wrote :

@ombratteng Indeed, and I agree we should do that. However, it's cumbersome for this bug to keep drifting every time somebody invents a new SSH key type (note that the original bug report only mentioned ECDSA). Please could you file a new bug report about this?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Revision history for this message
Bartosz Woronicz (mastier1) wrote :

@Colin, could you tell me what the current status is?
Is there any help or testing required?

Revision history for this message
Colin Watson (cjwatson) wrote :

Comments 29-35 sort of explain it, but it's a bit buried in the bug metadata spam. At this point I'm assuming that upgrading Ubuntu 18.04 to OpenSSL 1.1.1b or newer isn't viable or it would have been done already. Therefore, what we currently need is to add a fallback mechanism to Twisted allowing it to support Ed25519 keys using PyNaCl or similar if a sufficient version of OpenSSL isn't installed. I started on this a while back but haven't finished it yet.

Revision history for this message
Colin Watson (cjwatson) wrote :

I've proposed https://github.com/twisted/twisted/pull/1607, which should help move things along. We'll still probably have to upgrade the relevant Launchpad systems to 18.04 as well, since even 16.04's Python 3 is a little too old to support the latest released version of Twisted properly.

Wawa Wewev (wavawewev)
Changed in turnip:
assignee: Colin Watson (cjwatson) → nobody
status: Triaged → New
status: New → Fix Released
Colin Watson (cjwatson)
Changed in turnip:
status: Fix Released → Triaged
assignee: nobody → Colin Watson (cjwatson)
information type: Public → Private
Colin Watson (cjwatson)
information type: Private → Public
affects: lazr.sshserver → ubuntu
Changed in ubuntu:
assignee: Colin Watson (cjwatson) → christian oppong (chris5644)
Colin Watson (cjwatson)
affects: ubuntu → lazr.sshserver
Changed in lazr.sshserver:
assignee: christian oppong (chris5644) → Colin Watson (cjwatson)
lesego (mampie)
Changed in launchpad:
status: Triaged → Confirmed
Changed in turnip:
status: Triaged → Confirmed
Changed in txpkgupload:
status: Triaged → Confirmed
Colin Watson (cjwatson)
Changed in launchpad:
status: Confirmed → Triaged
Changed in turnip:
status: Confirmed → Triaged
Changed in txpkgupload:
status: Confirmed → Triaged
Changed in launchpad:
status: Triaged → New
Colin Watson (cjwatson)
Changed in launchpad:
status: New → Triaged
Revision history for this message
mahmoh (mahmoh) wrote :

Hi Colin,

We're approaching the ten year anniversary of this bug ... to celebrate could you allow import of ed25519 keys with a WARNING that they are UNSUPPORTED for Launchpad vs. the Invalid message and dropped?

This would allow them to be referenced and used externally to launchpad and someday hopefully supported easily once all the dependencies are fixed in another ten years? ;)

Much appreciated.

baity ali (baity)
affects: txpkgupload → ubuntu
Colin Watson (cjwatson)
affects: ubuntu → txpkgupload
Changed in lazr.sshserver:
assignee: Colin Watson (cjwatson) → maciek12131 (maciek1213111)
Colin Watson (cjwatson)
Changed in lazr.sshserver:
assignee: maciek12131 (maciek1213111) → Colin Watson (cjwatson)
Masoud (shoniz)
Changed in launchpad:
status: Triaged → New
Changed in turnip:
status: Triaged → New
Changed in txpkgupload:
status: Triaged → New
Colin Watson (cjwatson)
Changed in launchpad:
status: New → Triaged
Changed in turnip:
status: New → Triaged
Changed in txpkgupload:
status: New → Triaged
Changed in lazr.sshserver:
assignee: Colin Watson (cjwatson) → Charles Cherry (cherry1989)
Colin Watson (cjwatson)
Changed in lazr.sshserver:
assignee: Charles Cherry (cherry1989) → Colin Watson (cjwatson)
Muhammadali (ali7373)
information type: Public → Public Security
information type: Public Security → Private
Colin Watson (cjwatson)
information type: Private → Public
D1Homz (d1omz)
Changed in launchpad:
status: Triaged → Confirmed
Changed in turnip:
status: Triaged → Incomplete
status: Incomplete → Fix Committed
Changed in launchpad:
status: Confirmed → Fix Committed
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Triaged
Changed in turnip:
status: Fix Committed → Triaged
Sandi (sandi1688)
information type: Public → Private
Colin Watson (cjwatson)
information type: Private → Public
Revision history for this message
Paride Legovini (paride) wrote :

As new key types are being added, it would be great to also have support for ecdsa-sk and ed25519-sk to get support for FIDO/U2F hardware authenticators [1].

[1] https://www.openssh.com/txt/release-8.2

Revision history for this message
Colin Watson (cjwatson) wrote :

@paride That really needs to be a separate bug - each of these involves specific work in Twisted to get it working, and this is a big enough job as it is!

Changed in lazr.sshserver:
assignee: Colin Watson (cjwatson) → Nopharat Mini (nopharataudsat)
Changed in launchpad:
status: Triaged → Fix Released
Changed in turnip:
status: Triaged → Fix Released
Changed in txpkgupload:
status: Triaged → Fix Released
Colin Watson (cjwatson)
Changed in lazr.sshserver:
assignee: Nopharat Mini (nopharataudsat) → Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Released → Triaged
Changed in txpkgupload:
status: Fix Released → Triaged
Changed in turnip:
status: Fix Released → Triaged
Colin Watson (cjwatson)
lock status: Metadata changes locked (metadata vandalism) and limited to project staff
Revision history for this message
Colin Watson (cjwatson) wrote :

It's been a while since my last status update, mainly because I got a bit stalled on sorting out mypy type-checking for the PyNaCl fallback code. I came back to it this weekend, solved the problem I'd been stuck on, and finally made some decent progress:

 * updated https://github.com/twisted/twisted/pull/1607 to address review comments, simplifying the fallback code a fair bit in the process
 * wrote a similar fallback for curve25519 key exchange, which might not be worth sending upstream since it's only needed for even older OpenSSL versions than the ones that need the Ed25519 fallback
 * attempted to upgrade our Twisted backport to 21.2.0 to simplify the patch stack, only to discover that that won't work on 16.04's Python 3.5 due to relying on enhancements to the typing module that were added in later 3.5 patch releases
 * resigned myself to backporting all this to Twisted 20.3.0, prepared a draft branch for that (also including https://github.com/twisted/twisted/pull/1692, for https://answers.launchpad.net/launchpad/+question/700482), and got its tests passing on 16.04
 * prepared a lazr.sshserver branch with minor changes needed for RSA SHA-2 signature support
 * prepared a Launchpad branch to add an Ed25519 key type and accept uploads of Ed25519 public keys
 * successfully authenticated against a local Bazaar codehosting service using an Ed25519 key

With the exception of the mentioned Twisted pull requests, this is all just on my laptop so far, and it needs a bit more tidying up before I send it for review and start trying to get things landed. All the same, this is finally looking quite plausible, and we should be able to get it onto production soon.

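Colin's list above ends with a Launchpad branch that accepts uploads of Ed25519 public keys. What follows is an added example, written for this page rather than taken from Launchpad, Twisted or lazr.sshserver, of the structural checks a key-upload endpoint needs before it stores a line: the base64 blob is a sequence of RFC 4251 strings, the first string must repeat the text prefix, and each type has a fixed shape (ssh-ed25519 is exactly one 32-byte string per RFC 8709; ecdsa-sha2-nistp256 repeats the curve name and carries an uncompressed point per RFC 5656; ssh-rsa carries two mpints per RFC 4253). All function and constant names, the 2048-bit RSA floor and the sample lines are this example's own assumptions; it uses only the standard library, so it checks shape and, for P-256, that the point lies on the curve, but does not verify signatures, which in this thread is the job of OpenSSL via cryptography or the PyNaCl fallback.

```python
# Added example, not Launchpad or Twisted code: structural validation of OpenSSH
# public key lines for the key types this bug discusses. Names are the example's
# own; stdlib only, so signature verification is out of scope. ssh-dss and the
# FIDO "-sk" types are deliberately not handled here.
import base64
import struct

# NIST P-256 parameters (FIPS 186-4) for the on-curve check of nistp256 points.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
ECDSA_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}  # 0x04||X||Y

def int_to_mpint(value: int) -> bytes:
    """Minimal RFC 4251 mpint for a non-negative integer (0 encodes as empty)."""
    return b"" if value == 0 else value.to_bytes((value.bit_length() + 8) // 8, "big")

def mpint_to_int(raw: bytes) -> int:
    """Decode an mpint; a sign bit or a padding byte means a malformed key."""
    if raw == b"":
        return 0
    if raw[0] & 0x80:
        raise ValueError("negative mpint in public key")
    if raw[0] == 0 and (len(raw) == 1 or not raw[1] & 0x80):
        raise ValueError("non-minimal mpint encoding")
    return int.from_bytes(raw, "big")

def split_strings(blob: bytes) -> list:
    """Split a key blob into its RFC 4251 strings; truncation is an error."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("string runs past end of blob")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def parse_public_key_line(line: str, min_rsa_bits: int = 2048) -> tuple:
    """Validate one '<type> <base64> [comment]' line and return (key_type, comment).
    Raises ValueError for anything malformed, including a blob whose embedded
    type or curve name disagrees with the text prefix."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields = split_strings(blob)
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("type inside blob does not match prefix")
    if key_type == "ssh-rsa":  # RFC 4253: mpint e, mpint n
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must hold exactly e and n")
        e, n = mpint_to_int(fields[1]), mpint_to_int(fields[2])
        if e < 3 or e % 2 == 0 or n % 2 == 0 or n.bit_length() < min_rsa_bits:
            raise ValueError("implausible or too-short RSA key")
    elif key_type.startswith("ecdsa-sha2-"):  # RFC 5656: string curve, string Q
        curve = key_type[len("ecdsa-sha2-"):]
        if len(fields) != 3 or fields[1] != curve.encode("ascii"):
            raise ValueError("curve name inside blob does not match prefix")
        q = fields[2]
        if curve not in ECDSA_POINT_LEN or len(q) != ECDSA_POINT_LEN[curve] or q[0] != 4:
            raise ValueError("Q is not an uncompressed %s point" % curve)
        if curve == "nistp256":  # reject invalid-curve points, not just bad lengths
            x, y = int.from_bytes(q[1:33], "big"), int.from_bytes(q[33:], "big")
            if x >= P256_P or y >= P256_P or (y * y - (x**3 - 3 * x + P256_B)) % P256_P:
                raise ValueError("Q is not on P-256")
    elif key_type == "ssh-ed25519":  # RFC 8709: a single 32-byte string
        if len(fields) != 2 or len(fields[1]) != 32:
            raise ValueError("ssh-ed25519 blob must hold one 32-byte key")
    else:
        raise ValueError("unsupported key type %r" % key_type)
    return key_type, comment

def is_valid_public_key_line(line: str) -> bool:
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False

def make_public_key_line(key_type: str, fields: list, comment: str = "") -> str:
    """Assemble a line from blob fields: the inverse of parsing, used for the samples."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [key_type.encode("ascii")] + fields)
    return " ".join([key_type, base64.b64encode(blob).decode("ascii"), comment]).strip()

# Constructed samples for this example; none is a real key from the bug report.
P256_G = b"\x04" + P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")
SAMPLE_ED25519 = make_public_key_line("ssh-ed25519", [bytes(range(32))], "alice@example")
SAMPLE_ECDSA = make_public_key_line("ecdsa-sha2-nistp256", [b"nistp256", P256_G], "bob@example")
SAMPLE_RSA = make_public_key_line("ssh-rsa", [int_to_mpint(65537), int_to_mpint((1 << 2047) | 1)])
BAD_ED25519_SHORT = make_public_key_line("ssh-ed25519", [bytes(range(31))])
BAD_ECDSA_CURVE = make_public_key_line("ecdsa-sha2-nistp256", [b"nistp384", P256_G])
BAD_ECDSA_OFF_CURVE = make_public_key_line("ecdsa-sha2-nistp256", [
    b"nistp256", b"\x04" + P256_GX.to_bytes(32, "big") + (P256_GY + 1).to_bytes(32, "big")])
BAD_TYPE_MISMATCH = SAMPLE_ED25519.replace("ssh-ed25519 ", "ssh-rsa ", 1)
```

The prefix-versus-blob consistency check is the one most worth keeping: upload code usually dispatches on the text prefix, but the blob is what the client presents during authentication, so a stored line whose two halves disagree is either rejected at login time at best or, with a lax server, treated as a different algorithm than the one the user reviewed. The P-256 on-curve check is the cheap defence against invalid-curve points; the Ed25519 branch can only check length here because decoding the point needs the curve arithmetic that the PyNaCl or OpenSSL backend provides.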
Revision history for this message
Colin Watson (cjwatson) wrote :

Our various SSH endpoints (bazaar.launchpad.net, git.launchpad.net, ppa.launchpad.net, and upload.ubuntu.com) now all have the necessary protocol-level support for Ed25519, and we'll be rolling out the authserver support shortly so that it's possible to use it.

Changed in turnip:
status: Triaged → Fix Released
Changed in launchpad:
status: Triaged → Fix Committed
Changed in txpkgupload:
status: Triaged → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

This is now all deployed, and I've been able to authenticate to all Launchpad services using an Ed25519 key.

Changed in launchpad:
status: Fix Committed → Fix Released