[Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys

Rob Crittenden rcritten at redhat.com
Fri Sep 7 16:31:42 UTC 2012


Jan Cholasta wrote:
> Dne 6.9.2012 17:47, Jan Cholasta napsal(a):
>> Dne 5.9.2012 22:57, Rob Crittenden napsal(a):
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> this patch changes the format of the sshpubkey parameter to the format
>>>> used by OpenSSH (see sshd(8)).
>>>>
>>>> Public keys in the old format (raw RFC 4253 blob) are automatically
>>>> converted to OpenSSH-style public keys. OpenSSH-style public keys are
>>>> now stored in LDAP.
>>>>
>>>> Changed sshpubkeyfp to be an output parameter, as that is what it
>>>> actually is.
>>>>
>>>> Allow parameter normalizers to be used on values of any type, not just
>>>> unicode, so that public key blobs (which are str) can be normalized to
>>>> OpenSSH-style public keys.
>>>>
>>>> Note that you need an SSSD build including
>>>> <https://fedorahosted.org/sssd/changeset/f130a609a840d4548c795ce5e63afb5891358e20/>
>>>>
>>>>
>>>>
>>>> (SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually
>>>> work with OpenSSH-style public keys.
>>>>
>>>> <https://fedorahosted.org/freeipa/ticket/2932>
>>>> <https://fedorahosted.org/freeipa/ticket/2935>
>>>>
>>>> Honza
>>>
>>> NACK.
>>>
>>> I think a bunch of tests are needed for this.
>>>
>>> Because you abstracted out the pubkey class it should be straightforward
>>> to add a bunch of class-based unit tests on it.
>>>
>>> There are also no user or host-based tests, either for adding or
>>> managing keys.
>>
>> Tests added.
>>
>>>
>>> I tested backwards compatibility with 2.2 and the initial tests are
>>> mixed.
>>>
>>> I installed 2.2 and created a 3.0 clone from it, including your patch.
>>
>> Do people actually do that in real deployments?
>>
>>>
>>> I added a user in 3.0 with a key and it added ok, but on the 2.2 side it
>>> returns the entire base64 encoded blob of key type, key and comment,
>>> which I presume is unusable. At least things don't blow up.
>>
>> The format of ipasshpubkey in LDAP has changed, so there's not much I
>> can do about this.
>>
>>>
>>> The reverse works fine. An old-style key added to 2.2 appears to work
>>> fine in 3.0, we just lack a comment.
>>>
>>> On the 2.2 server:
>>>
>>> $ ipa user-show tuser1 --all | grep -i ssh
>>>    Base-64 encoded SSH public key:
>>> 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
>>>
>>>
>>>
>>> $ python
>>> Python 2.7.3 (default, Jul 24 2012, 10:05:38)
>>> [GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
>>> Type "help", "copyright", "credits" or "license" for more information.
>>>  >>> import base64
>>>  >>> s =
>>> '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'
>>>
>>>
>>>
>>>  >>> base64.b64decode(s)
>>> 'ssh-rsa
>>> AAAAB3NzaC1yc2EAAAADAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ
>>>
>>>
>>> rcrit at edsel.greyoak.com'
>>>
>>> Now show an old style key:
>>>
>>> $ ipa user-show tuser2 --all | grep -i ssh
>>>    Base-64 encoded SSH public key:
>>> AAAAB3NzaC1yc2EAAAADAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5
>>>
>>>
>>>
>>>
>>> rob
>>
>> Updated patch attached.
>>
>> Honza
>>
>
> Rebased patch attached.
>
> Honza
>

ACK.

I merged in a change that adds e-mail to one test and pushed to master 
and ipa-3-0.

rob
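The conversion the thread is about, as an added Python example that is not part of the FreeIPA patch or of any message above: it reads the algorithm name from the first RFC 4253 string field of a raw blob (the pre-3.0 ipasshpubkey format), emits the OpenSSH-style "type base64 comment" line, checks that a declared type matches the embedded one, and computes the colon-separated MD5 fingerprint. The function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    # One RFC 4253 "string": uint32 big-endian length prefix followed by bytes.
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end


def key_type_from_blob(blob):
    # The first string in a public key blob is the algorithm name (ssh-rsa, ssh-dss, ...).
    name, _ = _read_string(blob, 0)
    if not name or not all(32 < b < 127 for b in name):
        raise ValueError("key type field is not printable ASCII")
    return name.decode("ascii")


def normalize_sshpubkey(value):
    # Accept either a bare base64 RFC 4253 blob (pre-3.0 ipasshpubkey format) or an
    # OpenSSH-style "<type> <base64> [comment]" line; return (openssh_line, md5_fp).
    parts = value.strip().split(None, 2)
    declared = parts[0] if len(parts) > 1 else None
    b64 = parts[1] if len(parts) > 1 else parts[0]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded = key_type_from_blob(blob)
    if declared is not None and declared != embedded:
        raise ValueError("declared type %s does not match blob type %s" % (declared, embedded))
    # Fingerprint over the raw blob, colon-separated MD5 hex as ssh-keygen -l printed it then.
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    line = embedded + " " + base64.b64encode(blob).decode("ascii")
    return (line + " " + comment if comment else line), fingerprint


def sample_blob_b64():
    # Constructed sample (not a real key): an ssh-rsa blob with mpint e and a short fake n.
    e = (65537).to_bytes(3, "big")
    n = b"\x00\xc3" + b"\x5a" * 30
    fields = [b"ssh-rsa", e, n]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(blob).decode("ascii")
```

The type check is what catches a mismatched "ssh-dss" label in front of an RSA blob before the value reaches LDAP.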
