[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256169#comment-17256169
 ] 

Nick Couchman edited comment on GUACAMOLE-745 at 12/29/20, 9:17 PM:


{quote}Perhaps this format is documented and our code just needs to do a bit 
more for OpenSSH keys?
{quote}

Yeah, I was also looking at some of the OpenSSL functions for this, and there 
seems to be a more generic `PEM_read_bio_PrivateKey()` function that reads more 
generically and perhaps can be combined with other functions to determine the 
type of the key on-the-fly?

{quote}I wonder if perhaps libssh would magically support this without us 
having to manually parse provided keys.
{quote}

That would be lovely - it does seem like something that would be implemented in 
a client library, though apparently libssh2 doesn't do it. Or maybe it does, 
but the documentation on public key authentication for libssh2 is missing :(.

I was also looking at possible ways to use the Passphrase Callback to prompt the 
user for a private key passphrase rather than requiring it be specified in the 
configuration, particularly now that we have parameter prompting included. This 
would pave the way for user-specific private keys as mentioned in a different 
JIRA issue.


was (Author: nick.couch...@yahoo.com):
{{quote}}
Perhaps this format is documented and our code just needs to do a bit more for 
OpenSSH keys?
{{quote}}

Yeah, I was also looking at some of the OpenSSL functions for this, and there 
seems to be a more generic `PEM_read_bio_PrivateKey()` function that reads more 
generically and perhaps can be combined with other functions to determine the 
type of the key on-the-fly?

{{quote}}
I wonder if perhaps libssh would magically support this without us having to 
manually parse provided keys.
{{quote}}

That would be lovely - it does seem like something that would be implemented in 
a client library, though apparently libssh2 doesn't do it. Or maybe it does, 
but the documentation on public key authentication for libssh2 is missing :-(.

I was also looking at possible ways to use the Passphrase Callback to prompt the 
user for a private key passphrase rather than requiring it be specified in the 
configuration, particularly now that we have parameter prompting included. This 
would pave the way for user-specific private keys as mentioned in a different 
JIRA issue.

> Add support for OpenSSH private key format
> --
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Minor
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by 
> default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does 
> not print any helpful error message even in debug mode:
> {code:java}
> guacd_1  | guacd[296]: DEBUG:    Attempting private key import 
> (WITHOUT passphrase)
> guacd_1  | guacd[296]: DEBUG:    Initial import failed: (null)
> guacd_1  | guacd[296]: DEBUG:    Re-attempting private key import 
> (WITH passphrase)
> guacd_1  | guacd[296]: ERROR:    Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a 
> more helpful error message should be printed (like "unrecognized key format").



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256089#comment-17256089
 ] 

Nick Couchman edited comment on GUACAMOLE-745 at 12/29/20, 5:55 PM:


Digging into this issue and GUACAMOLE-746 a little more, it looks like the 
changes are going to be a bit more involved than just allowing another header 
format - currently the code uses the header to detect the type of key (RSA, 
DSA, etc.); however, it appears that generating an OpenSSH key in either RSA 
format or ED25519 format both result in the new header "BEGIN OPENSSH PRIVATE 
KEY" - the header is no longer a valid indication of the key format. This means 
our code is likely going to have to loop through supported formats and attempt 
to load the key, or we're going to have to have an option for the user to 
specify the key format.
{code:java}
[nick_couchman@localhost ~]$ ssh-keygen -t rsa -b 4096 -f ./openssh-rsa
Generating public/private rsa key pair.
...
[nick_couchman@localhost ~]$ head -n 1 ./openssh-rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[nick_couchman@localhost ~]$ ssh-keygen -t ed25519 -b 4096 -f ./openssh-ed25519
Generating public/private ed25519 key pair.
...
[nick_couchman@localhost ~]$ head -n 1 ./openssh-ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
{code}


was (Author: nick.couch...@yahoo.com):
Digging into this issue and GUACAMOLE-746 a little more, it looks like the 
changes are going to be a bit more involved than just allowing another header 
format - currently the code uses the header to detect the type of key (RSA, 
DSA, etc.); however, it appears that generating an OpenSSH key in either RSA 
format or ED25519 format both result in the new header "BEGIN OPENSSH PRIVATE 
KEY" - the header is no longer a valid indication of the key format. This means 
our code is likely going to have to loop through supported formats and attempt 
to load the key, or we're going to have to have an option for the user to 
specify the key format.


--
This message was sent by Atlassian Jira
(v8.3.4#803005)
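
The comment above notes that RSA and ED25519 keys now share one header, so the type has to come from inside the key. As an added example (not part of this thread, and not Guacamole or libssh2 code), this sketch reads the key type from the base64 body of an `openssh-key-v1` file, following the field layout in OpenSSH's PROTOCOL.key; the function name `openssh_key_type` and both sample blobs are made up for illustration, and the armor lines are assumed to be stripped already.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode base64 (non-alphabet characters skipped, stops at '='); returns byte count. */
static size_t b64_decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) continue;
        acc = (acc << 6) | (uint32_t)(p - tbl); bits += 6;
        if (bits >= 8) { bits -= 8; if (n < cap) out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}
/* Read an SSH string (uint32 big-endian length, then bytes); NULL if it overruns. */
static const uint8_t *get_str(const uint8_t *b, size_t len, size_t *off, uint32_t *slen) {
    if (len - *off < 4) return NULL;
    const uint8_t *p = b + *off;
    *slen = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    if (*slen > len - *off - 4) return NULL;
    *off += 4 + (size_t)*slen;
    return p + 4;
}
/* Hypothetical helper: type of the first key in the body; 0 on success, -1 if malformed. */
int openssh_key_type(const char *b64_body, char *type, size_t type_cap) {
    uint8_t buf[4096]; uint32_t n, tlen; size_t off = 15, poff = 0;
    size_t len = b64_decode(b64_body, buf, sizeof buf);
    if (len < 15 || memcmp(buf, "openssh-key-v1", 15) != 0) return -1; /* magic incl. NUL */
    for (int i = 0; i < 3; i++)               /* skip ciphername, kdfname, kdfoptions */
        if (!get_str(buf, len, &off, &n)) return -1;
    if (len - off < 4) return -1; else off += 4;        /* uint32 number of keys */
    const uint8_t *pub = get_str(buf, len, &off, &n);   /* first public key blob */
    const uint8_t *t = pub ? get_str(pub, n, &poff, &tlen) : NULL; /* its type field */
    if (!t || tlen >= type_cap) return -1;
    memcpy(type, t, tlen); type[tlen] = '\0';
    return 0;
}
/* Constructed samples: toy key values, cut off after the public key (no private part). */
#define HDR "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB"
static const char SAMPLE_RSA[] = HDR "AAAAFQAAAAdzc2gtcnNhAAAAAQMAAAABBw==";
static const char SAMPLE_ED25519[] = HDR "AAAAMwAAAAtzc2gtZWQyNTUxOQAAACAA"
    "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA" "AA==";
int main(void) {
    char t[32];
    if (!openssh_key_type(SAMPLE_RSA, t, sizeof t)) puts(t);
    if (!openssh_key_type(SAMPLE_ED25519, t, sizeof t)) puts(t);
    return 0;
}
```

Both samples would sit under the same `BEGIN OPENSSH PRIVATE KEY` armor; the type string lives in the unencrypted public-key section, so it can be read without the passphrase.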


[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-08-30 Thread Charles LeConte Cathey (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16919861#comment-16919861
 ] 

Charles LeConte Cathey edited comment on GUACAMOLE-745 at 8/30/19 8:18 PM:
---

Like [~nicoulaj], I agree that the modifications to the format headers are 
necessary.  I notice that this is listed as a Minor improvement but it 
prohibits the use of FIPS=1 enabled hosts to generate {{BEGIN RSA PRIVATE 
KEY}} keys (PKCS#5 vs PKCS#8 keys).  This is presently blocking some of our 
progress using 1.0.0.  I see the ticket is unassigned.  Has anyone already 
worked this?  If not we may take it on.


was (Author: catheyc):
Like [~nicoulaj], I agree that the modifications to the format headers are 
necessary.  I notice that this is listed as a Minor improvement but it 
prohibits the use of FIPS=1 enabled hosts to generate {{-----BEGIN RSA PRIVATE 
KEY-----}} keys (PKCS#5 vs PKCS#8 keys).  This is presently blocking some of 
our progress using 1.0.0.  I see the ticket is unassigned.  Has anyone already 
worked this?  If not we may take it on.



[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-08-30 Thread Charles LeConte Cathey (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16919861#comment-16919861
 ] 

Charles LeConte Cathey edited comment on GUACAMOLE-745 at 8/30/19 8:17 PM:
---

Like [~nicoulaj], I agree that the modifications to the format headers are 
necessary.  I notice that this is listed as a Minor improvement but it 
prohibits the use of FIPS=1 enabled hosts to generate {{-----BEGIN RSA PRIVATE 
KEY-----}} keys (PKCS#5 vs PKCS#8 keys).  This is presently blocking some of 
our progress using 1.0.0.  I see the ticket is unassigned.  Has anyone already 
worked this?  If not we may take it on.


was (Author: catheyc):
Like [~nicoulaj], I agree that the modifications to the format headers are 
necessary.  I notice that this is listed as a Minor improvement but it 
prohibits the use of FIPS=1 enabled hosts to generate -----BEGIN RSA PRIVATE 
KEY----- keys (PKCS#1 vs PKCS#8 keys).  This is presently blocking some of our 
progress using 1.0.0.  I see the ticket is unassigned.  Has anyone already 
worked this?  If not we may take it on.



[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-05-11 Thread Michael Jumper (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782165#comment-16782165
 ] 

Michael Jumper edited comment on GUACAMOLE-745 at 5/12/19 2:47 AM:
---

I believe modifications are required in guacd to support it, 
[this code|https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L53]
requires the key to start with either {{-----BEGIN RSA PRIVATE KEY-----}} or 
{{-----BEGIN DSA PRIVATE KEY-----}} and rejects anything else. The new format 
header is {{-----BEGIN OPENSSH PRIVATE KEY-----}}, I can see RFC4716 mentions 
another format {{---- BEGIN SSH2 PUBLIC KEY ----}} 
(https://tools.ietf.org/html/rfc4716#section-3.2). So I am not sure how this 
should be parsed, but it looks like the current method is too restrictive.



was (Author: nicoulaj):
I believe modifications are required in guacd to support it, 
[this code|https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L53]
requires the key to start with either {{-----BEGIN RSA PRIVATE KEY-----}} or 
{{-----BEGIN DSA PRIVATE KEY-----}} and rejects anything else. The new format 
header is {{-----BEGIN OPENSSH PRIVATE KEY-----}}, I can see RFC4716 mentions 
another format {{---- BEGIN SSH2 PUBLIC KEY ----}} 
(https://tools.ietf.org/html/rfc4716#section-3.2). So I am not sure how this 
should be parsed, but it looks like the current method is too restrictive.




[jira] [Comment Edited] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-03-01 Thread Julien Nicoulaud (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782067#comment-16782067
 ] 

Julien Nicoulaud edited comment on GUACAMOLE-745 at 3/1/19 9:03 PM:


Looks like libssh2 supports it since [this 
commit|https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e],
 but it is not released yet.


was (Author: nicoulaj):
Looks like libssh2 supports it [this 
commit|https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e],
 but it is not released yet.

> Add support for OpenSSH private key format
> --
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Major
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by 
> default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does 
> not print any helpful error message even in debug mode:
> {code:java}
> guacd_1  | guacd[296]: DEBUG:    Attempting private key import 
> (WITHOUT passphrase)
> guacd_1  | guacd[296]: DEBUG:    Initial import failed: (null)
> guacd_1  | guacd[296]: DEBUG:    Re-attempting private key import 
> (WITH passphrase)
> guacd_1  | guacd[296]: ERROR:    Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a 
> more helpful error message should be printed (like "unrecognized key format").


