[Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys

Jan Cholasta jcholast at redhat.com
Thu Sep 6 15:47:44 UTC 2012


On 5.9.2012 22:57, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> this patch changes the format of the sshpubkey parameter to the format
>> used by OpenSSH (see sshd(8)).
>>
>> Public keys in the old format (raw RFC 4253 blob) are automatically
>> converted to OpenSSH-style public keys. OpenSSH-style public keys are
>> now stored in LDAP.
>>
>> Changed sshpubkeyfp to be an output parameter, as that is what it
>> actually is.
>>
>> Allow parameter normalizers to be used on values of any type, not just
>> unicode, so that public key blobs (which are str) can be normalized to
>> OpenSSH-style public keys.
>>
>> Note that you need an SSSD build including
>> <https://fedorahosted.org/sssd/changeset/f130a609a840d4548c795ce5e63afb5891358e20/>
>>
>> (SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually
>> work with OpenSSH-style public keys.
>>
>> <https://fedorahosted.org/freeipa/ticket/2932>
>> <https://fedorahosted.org/freeipa/ticket/2935>
>>
>> Honza
>
> NACK.
>
> I think a bunch of tests are needed for this.
>
> Because you abstracted out the pubkey class it should be straightforward
> to add a bunch of class-based unit tests on it.
>
> There are also no user or host-based tests, either for adding or
> managing keys.

Tests added.

>
> I tested backwards compatibility with 2.2 and the initial tests are mixed.
>
> I installed 2.2 and created a 3.0 clone from it, including your patch.

Do people actually do that in real deployments?

>
> I added a user in 3.0 with a key and it added ok, but on the 2.2 side it
> returns the entire base64 encoded blob of key type, key and comment,
> which I presume is unusable. At least things don't blow up.

The format of ipasshpubkey in LDAP has changed, so there's not much I 
can do about this.

>
> The reverse works fine. An old-style key added to 2.2 appears to work
> fine in 3.0, we just lack a comment.
>
> On the 2.2 server:
>
> $ ipa user-show tuser1 --all | grep -i ssh
>    Base-64 encoded SSH public key:
> [base64 blob elided]
>
> $ python
> Python 2.7.3 (default, Jul 24 2012, 10:05:38)
> [GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
>  >>> import base64
>  >>> s = '[base64 blob elided]'
>
>  >>> base64.b64decode(s)
> 'ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ
> rcrit at edsel.greyoak.com'
>
> Now show an old style key:
>
> $ ipa user-show tuser2 --all | grep -i ssh
>    Base-64 encoded SSH public key:
> AAAAB3NzaC1yc2EAAAADAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5
>
>
> rob

Updated patch attached.

Honza

-- 
Jan Cholasta
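The conversion the patch describes (an old-style raw RFC 4253 blob normalized to an OpenSSH-style line, plus the sshpubkeyfp output value), as an added example in Python; it is not the attached patch or FreeIPA code. It assumes sshpubkeyfp is the colon-separated MD5 fingerprint ssh-keygen -l printed at the time, handles ssh-rsa and ssh-dss blobs, and feeds itself a constructed toy blob rather than a real key. The base64 string a 2.2 server returns for a 3.0 key (Rob's session above) fails the structural check instead of being accepted silently.

```python
import base64
import hashlib
import struct

def walk_fields(blob):
    """Split an RFC 4253 blob into its length-prefixed fields; reject junk."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if < 4 bytes left
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def key_type(blob):
    """Return the key type of a raw blob after checking its field count."""
    fields = walk_fields(blob)
    keytype = fields[0].decode("ascii") if fields else ""
    if {"ssh-rsa": 3, "ssh-dss": 5}.get(keytype) != len(fields):  # type+e+n / type+p+q+g+y
        raise ValueError("unsupported or malformed key blob")
    return keytype

def fingerprint(blob):
    """Colon-separated MD5 of the blob, the sshpubkeyfp form ssh-keygen -l printed then."""
    return ":".join(hashlib.md5(blob).hexdigest()[i:i + 2] for i in range(0, 32, 2))

def normalize(value):
    """Map an old-style blob or an OpenSSH-style line to (openssh_line, fingerprint)."""
    parts = value.split(None, 2)
    if not parts:
        raise ValueError("empty value")
    if len(parts) == 1:  # old style: bare base64 blob, no comment to carry over
        blob = base64.b64decode(parts[0], validate=True)
        return "%s %s" % (key_type(blob), parts[0]), fingerprint(blob)
    blob = base64.b64decode(parts[1], validate=True)
    if key_type(blob) != parts[0]:
        raise ValueError("key type prefix does not match blob")
    return " ".join(parts), fingerprint(blob)

def is_valid(value):
    """True when normalize() accepts the value (binascii.Error is a ValueError)."""
    try:
        return bool(normalize(value))
    except (ValueError, struct.error):
        return False

# Constructed ssh-rsa blob (type string, e=65537, toy modulus mpint); not a real key.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x05\x00\xc0\xff\xee\x42"
OLD_STYLE = base64.b64encode(SAMPLE_BLOB).decode("ascii")
```

normalize(OLD_STYLE) yields the "ssh-rsa <blob>" line the 3.0 server would store, and normalize() of that line (with or without a trailing comment) returns it unchanged with the same fingerprint.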
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-83.1-openssh-style-public-keys.patch
Type: text/x-patch
Size: 34789 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120906/58a3c79c/attachment.bin>
