[Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys

Jan Cholasta jcholast at redhat.com
Fri Sep 7 15:24:33 UTC 2012


On 6.9.2012 17:47, Jan Cholasta wrote:
> On 5.9.2012 22:57, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> this patch changes the format of the sshpubkey parameter to the format
>>> used by OpenSSH (see sshd(8)).
>>>
>>> Public keys in the old format (raw RFC 4253 blob) are automatically
>>> converted to OpenSSH-style public keys. OpenSSH-style public keys are
>>> now stored in LDAP.
>>>
>>> Changed sshpubkeyfp to be an output parameter, as that is what it
>>> actually is.
>>>
>>> Allow parameter normalizers to be used on values of any type, not just
>>> unicode, so that public key blobs (which are str) can be normalized to
>>> OpenSSH-style public keys.
>>>
>>> Note that you need an SSSD build including
>>> <https://fedorahosted.org/sssd/changeset/f130a609a840d4548c795ce5e63afb5891358e20/>
>>> (SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually
>>> work with OpenSSH-style public keys.
>>>
>>> <https://fedorahosted.org/freeipa/ticket/2932>
>>> <https://fedorahosted.org/freeipa/ticket/2935>
>>>
>>> Honza
>>
>> NACK.
>>
>> I think a bunch of tests are needed for this.
>>
>> Because you abstracted out the pubkey class it should be straightforward
>> to add a bunch of class-based unit tests on it.
>>
>> There are also no user or host-based tests, either for adding or
>> managing keys.
>
> Tests added.
>
>>
>> I tested backwards compatibility with 2.2 and the initial tests are
>> mixed.
>>
>> I installed 2.2 and created a 3.0 clone from it, including your patch.
>
> Do people actually do that in real deployments?
>
>>
>> I added a user in 3.0 with a key and it added ok, but on the 2.2 side it
>> returns the entire base64 encoded blob of key type, key and comment,
>> which I presume is unusable. At least things don't blow up.
>
> The format of ipasshpubkey in LDAP has changed, so there's not much I
> can do about this.
>
>>
>> The reverse works fine. An old-style key added to 2.2 appears to work
>> fine in 3.0, we just lack a comment.
>>
>> On the 2.2 server:
>>
>> $ ipa user-show tuser1 --all | grep -i ssh
>>    Base-64 encoded SSH public key:
>>
>>
>> $ python
>> Python 2.7.3 (default, Jul 24 2012, 10:05:38)
>> [GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>>  >>> import base64
>>  >>> s = 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20='
>>
>>  >>> base64.b64decode(s)
>> 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ rcrit at edsel.greyoak.com'
>>
>> Now show an old style key:
>>
>> $ ipa user-show tuser2 --all | grep -i ssh
>>    Base-64 encoded SSH public key:
>> AAAAB3NzaC1yc2EAAAADAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5
>>
>> rob
>
> Updated patch attached.
>
> Honza
>

Rebased patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-83.2-openssh-style-public-keys.patch
Type: text/x-patch
Size: 34811 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120907/48b90951/attachment.bin>
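Added example (not the patch's code, which the archive does not reproduce): a normalizer for the sshpubkey value discussed in the thread, accepting the old format (base64 of a raw RFC 4253 blob) as well as an OpenSSH-style line, and rejecting values whose blob does not parse or contradicts the declared key type instead of storing them blindly. The accepted key-type list, the function names and the colon-separated MD5 fingerprint are assumptions, and the sample key is constructed, not a real one.

```python
import base64
import hashlib
import struct

# Key types the converter accepts (assumption; the patch's own list may differ)
KNOWN_TYPES = {"ssh-rsa", "ssh-dss"}

def parse_blob(blob):
    """Split a raw RFC 4253 public key blob into its length-prefixed strings.
    The first string is the key type; the rest are the algorithm's fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] not in {t.encode() for t in KNOWN_TYPES}:
        raise ValueError("blob does not start with a known key type")
    return fields[0].decode("ascii"), fields[1:]

def normalize_pubkey(value):
    """Return the OpenSSH-style form ("type base64 [comment]") of a value given
    either as old-style base64 of the raw blob or already OpenSSH-style."""
    parts = value.strip().split(None, 2)
    if not parts:
        raise ValueError("empty value")
    if len(parts) >= 2 and parts[0] in KNOWN_TYPES:
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else None
    else:
        declared, b64, comment = None, parts[0], None
    blob = base64.b64decode(b64, validate=True)   # binascii.Error (a ValueError) on junk
    keytype, _ = parse_blob(blob)
    if declared is not None and declared != keytype:
        raise ValueError("declared type %s differs from blob type %s" % (declared, keytype))
    line = "%s %s" % (keytype, base64.b64encode(blob).decode("ascii"))
    return line + " " + comment if comment else line

def fingerprint(openssh_line):
    """Colon-separated MD5 of the blob, the fingerprint style of that era (assumption)."""
    digest = hashlib.md5(base64.b64decode(openssh_line.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _mpint(n):
    """RFC 4251 mpint: big-endian bytes with a leading zero if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

# Constructed sample (not a real key): an ssh-rsa blob with e=65537 and a toy modulus
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(0xC0FFEE1234567891)
OLD_STYLE = base64.b64encode(SAMPLE_BLOB).decode("ascii")
```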