Re: [Nix-dev] Possible bug in ssh key module
Hi,

correct me if I’m wrong but SSH keys do not have a strong syntax, and aside from “there’s less than ssh-rsa…spacesomethingnonspace there isn’t much you can check for. Specifically as the comment field can contain pretty much anything and you can’t check the key data for validity on a semantic basis AFAIK.

Christian

On 12 May 2015, at 10:27, Tomasz Kontusz tomasz.kont...@gmail.com wrote:

> Oops, replied to the wrong address.
>
> From: Tomasz Kontusz tomasz.kont...@gmail.com
> Sent: Tue May 12 10:25:21 CEST 2015
> To: Anand Patil anand.prabhakar.pa...@gmail.com
> Subject: Re: [Nix-dev] Possible bug in ssh key module
>
> It would still be nice if the middle yelled at you instead of using obviously wrong inputs. Actually, is there any practice already in place for this kind of checks? Like how picky should they be, and should they be overridable
>
> Anand Patil anand.prabhakar.pa...@gmail.com wrote:
>
>> Hi Bas, yep, it was just that. Sorry for the false alarm.
>>
>> Thanks,
>> Anand
>>
>> On Mon, May 11, 2015 at 12:52 AM, Bas van Dijk v.dijk@gmail.com wrote:
>>
>>> On 11 May 2015 at 04:45, Anand Patil anand.prabhakar.pa...@gmail.com wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:
>>>>
>>>>     openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>>>>
>>>> the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa,
>>>
>>> Hi Anand,
>>>
>>> The implementation looks correct. It only adds newlines between the keys:
>>>
>>> https://github.com/NixOS/nixpkgs/blob/75ebc3cf1dc1365be5a05018fc8e5409c66025cb/nixos/modules/services/networking/ssh/sshd.nix#L55
>>>
>>> Are you sure your string doesn't contain a newline? Maybe your text editor added a newline when it wrapped the string.
>>>
>>> Bas

—
Christian Theune · c...@flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Forsterstraße 29 · 06112 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian. Theune, Christian. Zagrodnick

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Possible bug in ssh key module
The build could run a quick check to see if ssh-keygen can read the file?

`ssh-keygen -l -f filename` will return an error if it can't read a key in the file (it only checks the first key)

On Tue, May 12, 2015 at 10:33 AM Christian Theune c...@flyingcircus.io wrote:

> Hi,
>
> correct me if I’m wrong but SSH keys do not have a strong syntax, and aside from “there’s less than ssh-rsa…spacesomethingnonspace there isn’t much you can check for. Specifically as the comment field can contain pretty much anything and you can’t check the key data for validity on a semantic basis AFAIK.
>
> Christian
>
> On 12 May 2015, at 10:27, Tomasz Kontusz tomasz.kont...@gmail.com wrote:
>
>> Oops, replied to the wrong address.
>>
>> From: Tomasz Kontusz tomasz.kont...@gmail.com
>> Sent: Tue May 12 10:25:21 CEST 2015
>> To: Anand Patil anand.prabhakar.pa...@gmail.com
>> Subject: Re: [Nix-dev] Possible bug in ssh key module
>>
>> It would still be nice if the middle yelled at you instead of using obviously wrong inputs. Actually, is there any practice already in place for this kind of checks? Like how picky should they be, and should they be overridable
>>
>> Anand Patil anand.prabhakar.pa...@gmail.com wrote:
>>
>>> Hi Bas, yep, it was just that. Sorry for the false alarm.
>>>
>>> Thanks,
>>> Anand
>>>
>>> On Mon, May 11, 2015 at 12:52 AM, Bas van Dijk v.dijk@gmail.com wrote:
>>>
>>>> On 11 May 2015 at 04:45, Anand Patil anand.prabhakar.pa...@gmail.com wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:
>>>>>
>>>>>     openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>>>>>
>>>>> the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa,
>>>>
>>>> Hi Anand,
>>>>
>>>> The implementation looks correct. It only adds newlines between the keys:
>>>>
>>>> https://github.com/NixOS/nixpkgs/blob/75ebc3cf1dc1365be5a05018fc8e5409c66025cb/nixos/modules/services/networking/ssh/sshd.nix#L55
>>>>
>>>> Are you sure your string doesn't contain a newline? Maybe your text editor added a newline when it wrapped the string.
>>>>
>>>> Bas
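As an added example (not part of the original messages and not nixpkgs code), here is a sketch of the kind of check discussed in this thread: it flags an embedded line break in a key string and verifies that the base64 key data begins with the same key type the entry declares. The `KEY_TYPES` set, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import struct

# Key types this sketch recognises (assumption: extend for your deployment).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def check_key_entry(entry):
    """Return a list of problems found in one authorizedKeys string."""
    if "\n" in entry.rstrip("\n") or "\r" in entry:
        # The failure from this thread: a wrapped string becomes two lines.
        return ["embedded line break splits the key across lines"]
    fields = entry.split()
    if not fields or fields[0] not in KEY_TYPES:
        # Entries that start with an options field are out of scope here.
        return ["does not start with a known key type"]
    if len(fields) < 2:
        return ["key type is not followed by key data"]
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["key data is not valid base64"]
    # The blob starts with a uint32 length and a copy of the key type name.
    if len(blob) < 4:
        return ["key data is too short"]
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        return ["key data does not start with the declared key type"]
    return []


def sample_blob(key_type="ssh-ed25519", payload=bytes(32)):
    """Constructed, structurally valid blob (all-zero key, not a real key)."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name
    raw += struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    good = "ssh-ed25519 " + sample_blob() + " anand@example"
    # Constructed entries: intact, wrapped after the key type, placeholder data.
    for entry in (good, good.replace(" ", "\n", 1), "ssh-rsa stuff"):
        print(repr(entry[:24]), check_key_entry(entry) or "ok")
```

The check is structural only: it does not verify that the key material is mathematically valid, and the comment field is left unconstrained.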
Re: [Nix-dev] Possible bug in ssh key module
On 11 May 2015 at 04:45, Anand Patil anand.prabhakar.pa...@gmail.com wrote:

> Hi everyone,
>
> Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:
>
>     openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>
> the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa,

Hi Anand,

The implementation looks correct. It only adds newlines between the keys:

https://github.com/NixOS/nixpkgs/blob/75ebc3cf1dc1365be5a05018fc8e5409c66025cb/nixos/modules/services/networking/ssh/sshd.nix#L55

Are you sure your string doesn't contain a newline? Maybe your text editor added a newline when it wrapped the string.

Bas
Re: [Nix-dev] Possible bug in ssh key module
Hi Bas, yep, it was just that. Sorry for the false alarm.

Thanks,
Anand

On Mon, May 11, 2015 at 12:52 AM, Bas van Dijk v.dijk@gmail.com wrote:

> On 11 May 2015 at 04:45, Anand Patil anand.prabhakar.pa...@gmail.com wrote:
>
>> Hi everyone,
>>
>> Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:
>>
>>     openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>>
>> the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa,
>
> Hi Anand,
>
> The implementation looks correct. It only adds newlines between the keys:
>
> https://github.com/NixOS/nixpkgs/blob/75ebc3cf1dc1365be5a05018fc8e5409c66025cb/nixos/modules/services/networking/ssh/sshd.nix#L55
>
> Are you sure your string doesn't contain a newline? Maybe your text editor added a newline when it wrapped the string.
>
> Bas
Re: [Nix-dev] Possible bug in ssh key module
Sorry, ssh-rsa stuff was a bad example because I can only reproduce the problem when the string is sufficiently long. This does repro it:

    openssh.authorizedKeys.keys = [ "ssh-rsa B3NzaC1yc2EDAQABAAABAQC27UXRth2OuY6I23hcej1Lq5SJ8V3TP1mbASUewEflThIduS+5tDl6W0mkikeQvXIpnsfe/JxzlBYdPV0hzM5hPZLmHEg0Z/k8oyC58RoTiBQ83VD1Tl09dlcnScQXKCqPnw+O92Y8gAr/F9N+NPOx28QUqGXfelkFjLs3xdWUhshin4oknl/fCjB20hH0A0N7/ZXOw/oArGG8xZBE84XSwE5LQgMcNluDjpxRVECBy1XkWy8qbztCoRci/CCJE3VRXLMxjg0Fh2AQl/5LXTd6ekmr3Ui/tAbDwKLVjUz0rPAnADW0S54dJ6FJoNg9YcR6uk972ZQt64m+SGe89heF" ];

Anand

On Sun, May 10, 2015 at 7:45 PM, Anand Patil anand.prabhakar.pa...@gmail.com wrote:

> Hi everyone,
>
> Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:
>
>     openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>
> the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa, and I can't ssh in with public key authentication. When I edit /etc/ssh/authorized_keys.d/anand to remove the newline, it works.
>
> I'm really enjoying learning NixOS so far, thanks for a great distro! I hope to be able to patch small things like this myself soon. :)
>
> Anand
[Nix-dev] Possible bug in ssh key module
Hi everyone,

Just wanted to point out a small possible bug in NixOS version 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an authorizedKeys option to my user like so:

    openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];

the contents of /etc/ssh/authorized_keys.d/anand look like ssh-rsa stuff with a newline after the ssh-rsa, and I can't ssh in with public key authentication. When I edit /etc/ssh/authorized_keys.d/anand to remove the newline, it works.

I'm really enjoying learning NixOS so far, thanks for a great distro! I hope to be able to patch small things like this myself soon. :)

Anand