[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256169#comment-17256169 ]

Nick Couchman edited comment on GUACAMOLE-745 at 12/29/20, 9:17 PM:

{quote}Perhaps this format is documented and our code just needs to do a bit more for OpenSSH keys?{quote}

Yeah, I was also looking at some of the OpenSSL functions for this, and there seems to be a more generic `PEM_read_bio_PrivateKey()` function that reads more generically and perhaps can be combined with other functions to determine the type of the key on-the-fly?

{quote}I wonder if perhaps libssh would magically support this without us having to manually parse provided keys.{quote}

That would be lovely - it does seem like something that would be implemented in a client library, though apparently libssh2 doesn't do it. Or maybe it does, but the documentation on public key authentication for libssh2 is missing :(.

I was also looking at possible ways to use the Passphrase Callback to prompt the user for a private key passphrase rather than requiring it be specified in the configuration, particularly now that we have parameter prompting included. This would pave the way for user-specific private keys as mentioned in a different JIRA issue.

> Add support for OpenSSH private key format
> ------------------------------------------
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
> Issue Type: Improvement
> Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Minor
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does not print any helpful error message even in debug mode:
> {code:java}
> guacd_1 | guacd[296]: DEBUG: Attempting private key import (WITHOUT passphrase)
> guacd_1 | guacd[296]: DEBUG: Initial import failed: (null)
> guacd_1 | guacd[296]: DEBUG: Re-attempting private key import (WITH passphrase)
> guacd_1 | guacd[296]: ERROR: Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a more helpful error message should be printed (like "unrecognized key format").

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256089#comment-17256089 ]

Nick Couchman edited comment on GUACAMOLE-745 at 12/29/20, 5:55 PM:

Digging into this issue and GUACAMOLE-746 a little more, it looks like the changes are going to be a bit more involved than just allowing another header format - currently the code uses the header to detect the type of key (RSA, DSA, etc.); however, it appears that generating an OpenSSH key in either RSA format or ED25519 format both result in the new header "BEGIN OPENSSH PRIVATE KEY" - the header is no longer a valid indication of the key format. This means our code is likely going to have to loop through supported formats and attempt to load the key, or we're going to have to have an option for the user to specify the key format.

{code:java}
[nick_couchman@localhost ~]$ ssh-keygen -t rsa -b 4096 -f ./openssh-rsa
Generating public/private rsa key pair.
...
[nick_couchman@localhost ~]$ head -n 1 ./openssh-rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[nick_couchman@localhost ~]$ ssh-keygen -t ed25519 -b 4096 -f ./openssh-ed25519
Generating public/private ed25519 key pair.
...
[nick_couchman@localhost ~]$ head -n 1 ./openssh-ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
{code}

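
The comment above observes that RSA and ED25519 keys now share the "BEGIN OPENSSH PRIVATE KEY" header, so the header no longer identifies the key type. As an added example (not guacamole-server code and not written by anyone in this thread), the C below reads the type name from the base64 body of the openssh-key-v1 format instead of from the header. The function name `openssh_key_type` is hypothetical, and the two sample keys are constructed: they hold only the fixed leading fields and no key material.

```c
#include <stdint.h>
#include <string.h>

#define HDR "-----BEGIN OPENSSH PRIVATE KEY-----"
#define FTR "\n-----END OPENSSH PRIVATE KEY-----\n"
/* Constructed samples: only the fixed leading fields, cut off before any key data. */
static const char SAMPLE_ED25519[] = HDR "\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAA" FTR;
static const char SAMPLE_RSA[] = HDR "\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcnNh" FTR;

/* Minimal base64 decoder: skips whitespace, stops at '=', '-' (END line) or a full buffer. */
static size_t b64_decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '=' && *in != '-' && n < cap; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) continue;                       /* newline, CR, space */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        if ((bits += 6) >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}

/* Bounds-checked big-endian uint32 read at *off; the caller keeps *off <= len. */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v) {
    if (len - *off < 4) return 0;
    b += *off; *off += 4;
    *v = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    return 1;
}

/* 0 and the type name on success, -1 for any other header, -2 for a malformed body.
 * The fields read here are stored unencrypted, so no passphrase is needed. */
int openssh_key_type(const char *pem, char *type, size_t type_cap) {
    uint8_t buf[128]; size_t off = 15, len; uint32_t n;
    if (strncmp(pem, HDR, sizeof(HDR) - 1) != 0) return -1;
    len = b64_decode(pem + sizeof(HDR) - 1, buf, sizeof(buf));
    if (len < 15 || memcmp(buf, "openssh-key-v1", 15) != 0) return -2;
    for (int i = 0; i < 3; i++) {   /* skip ciphername, kdfname, kdfoptions */
        if (!get_u32(buf, len, &off, &n) || n > len - off) return -2;
        off += n;
    }
    if (!get_u32(buf, len, &off, &n) || n != 1) return -2;   /* number of keys */
    if (!get_u32(buf, len, &off, &n)) return -2;             /* public key blob length */
    if (!get_u32(buf, len, &off, &n) || n > len - off || n >= type_cap) return -2;
    memcpy(type, buf + off, n); type[n] = '\0';
    return 0;
}
```

A distinct return code for a foreign header also gives the caller what it needs to log something more useful than "(null)", as the issue description asks.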
[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16919861#comment-16919861 ]

Charles LeConte Cathey edited comment on GUACAMOLE-745 at 8/30/19 8:18 PM:

Like [~nicoulaj], I agree that the modifications to the format headers are necessary. I notice that this is listed as a Minor improvement but it prohibits the use of FIPS=1 enabled hosts to generate {{BEGIN RSA PRIVATE KEY}} keys (PKCS#5 vs PKCS#8 keys). This is presently blocking some of our progress using 1.0.0.

I see the ticket is unassigned. Has anyone already worked this? If not we may take it on.

[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16919861#comment-16919861 ]

Charles LeConte Cathey edited comment on GUACAMOLE-745 at 8/30/19 8:17 PM:

Like [~nicoulaj], I agree that the modifications to the format headers are necessary. I notice that this is listed as a Minor improvement but it prohibits the use of FIPS=1 enabled hosts to generate {{-BEGIN RSA PRIVATE KEY-}} keys (PKCS#5 vs PKCS#8 keys). This is presently blocking some of our progress using 1.0.0.

I see the ticket is unassigned. Has anyone already worked this? If not we may take it on.

was (Author: catheyc):

Like [~nicoulaj], I agree that the modifications to the format headers are necessary. I notice that this is listed as a Minor improvement but it prohibits the use of FIPS=1 enabled hosts to generate -BEGIN RSA PRIVATE KEY- keys (PKCS#1 vs PKCS#8 keys). This is presently blocking some of our progress using 1.0.0.

I see the ticket is unassigned. Has anyone already worked this? If not we may take it on.

[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782165#comment-16782165 ]

Michael Jumper edited comment on GUACAMOLE-745 at 5/12/19 2:47 AM:

I believe modifications are required in guacd to support it, [this code|https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L53] requires the key to start with either {{\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-}} or {{\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-}} and rejects anything else.

The new format header is {{\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-}}, I can see RFC4716 mentions another format {{\-\-\-\- BEGIN SSH2 PUBLIC KEY \-\-\-\-}} (https://tools.ietf.org/html/rfc4716#section-3.2). So I am not sure how this should be parsed, but it looks like the current method is too restrictive.

was (Author: nicoulaj):

I believe modifications are required in guacd to support it, [this code|https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L53] requires the key to start with either {{-BEGIN RSA PRIVATE KEY-}} or {{-BEGIN DSA PRIVATE KEY-}} and rejects anything else.

The new format header is {{-BEGIN OPENSSH PRIVATE KEY-}}, I can see RFC4716 mentions another format {{ BEGIN SSH2 PUBLIC KEY }} (https://tools.ietf.org/html/rfc4716#section-3.2). So I am not sure how this should be parsed, but it looks like the current method is too restrictive.

[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format
[ https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782067#comment-16782067 ]

Julien Nicoulaud edited comment on GUACAMOLE-745 at 3/1/19 9:03 PM:

Looks like libssh2 supports it since [this commit|https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e], but it is not released yet.

> Add support for OpenSSH private key format
> ------------------------------------------
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
> Issue Type: Improvement
> Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Major
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does not print any helpful error message even in debug mode:
> {code:java}
> guacd_1 | guacd[296]: DEBUG: Attempting private key import (WITHOUT passphrase)
> guacd_1 | guacd[296]: DEBUG: Initial import failed: (null)
> guacd_1 | guacd[296]: DEBUG: Re-attempting private key import (WITH passphrase)
> guacd_1 | guacd[296]: ERROR: Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a more helpful error message should be printed (like "unrecognized key format").