Public bug reported:

Changing ssh key generation from OpenSSH's ssh-keygen to the Paramiko library [1][2] changed (unintentionally?) the ASN.1 encoding format of SSH private keys from DER to BER. (DER is a strict subset of BER, so anything that can read BER can read DER, but not necessarily the other way around.)

Some third-party tools only support DER and this has created at least one issue [3] (specifically because Go's standard library only supports DER). I have provided Paramiko with a small change that makes its SSH private key output equal to OpenSSH's ssh-keygen output (and presumably DER formatted) [4].

Providing a change to Paramiko is just one method of addressing this backwards-incompatibility and interoperability issue. Should the Paramiko change be accepted, the unit test output vectors will need to be changed, but should it not, is a reversion of or modification to Nova acceptable to maintain backwards-compatibility and interoperability?

[1] https://review.openstack.org/157931
[2] http://git.openstack.org/cgit/openstack/nova/commit/?id=3f3f9bf22efd2fb209d2a2fe0246f4857cd2d21a
[3] https://github.com/mitchellh/packer/issues/2526
[4] https://github.com/paramiko/paramiko/pull/572

** Affects: nova
     Importance: Undecided
         Status: New

** Summary changed:

- ssh-keygen-to-paramiko change breaks third-party tools
+ ssh-keygen-to-Paramiko change breaks third-party tools

https://bugs.launchpad.net/bugs/1483132

Title:
  ssh-keygen-to-Paramiko change breaks third-party tools

Status in OpenStack Compute (nova):
  New
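The DER-versus-BER distinction in the report can be checked mechanically. The following is an added example, not part of the bug report or of Nova/Paramiko: the report does not say which BER-only form Paramiko emitted, so this checker covers the common ones (indefinite length, non-minimal length, padded INTEGER). The function name `der_violations` and the sample bytes are constructed for illustration, and only single-byte tags are handled.

```python
def der_violations(data, offset=0, end=None, path="root"):
    """Walk ASN.1 TLVs and list encodings that are valid BER but not DER."""
    end = len(data) if end is None else end
    problems, index = [], 0
    while offset < end:
        where = f"{path}[{index}]"
        if end - offset < 2:
            return problems + [f"{where}: truncated header"]
        tag, first = data[offset], data[offset + 1]
        offset += 2
        if first == 0x80:
            # Indefinite length is BER-only; stop, the extent is unknown.
            return problems + [f"{where}: indefinite length"]
        if first < 0x80:
            length = first                      # short form
        else:
            count = first & 0x7F                # long form: number of length bytes
            raw = data[offset:offset + count]
            if len(raw) < count or offset + count > end:
                return problems + [f"{where}: truncated length"]
            length = int.from_bytes(raw, "big")
            offset += count
            if raw[0] == 0 or length < 0x80:    # DER requires the shortest form
                problems.append(f"{where}: non-minimal length")
        if offset + length > end:
            return problems + [f"{where}: truncated value"]
        body = data[offset:offset + length]
        if tag == 0x02:                         # INTEGER
            padded = len(body) > 1 and (
                (body[0] == 0x00 and body[1] < 0x80)
                or (body[0] == 0xFF and body[1] >= 0x80))
            if not body or padded:
                problems.append(f"{where}: INTEGER not minimally encoded")
        elif tag & 0x20:                        # constructed, e.g. SEQUENCE
            problems += der_violations(data, offset, offset + length, where)
        offset += length
        index += 1
    return problems

# Constructed samples (not key material): SEQUENCE { INTEGER 0, INTEGER 255 }
STRICT_DER = bytes.fromhex("3007020100020200ff")
LOOSE_BER = bytes.fromhex("30810802020000020200ff")   # long-form length, padded 0
INDEFINITE = bytes.fromhex("30800201000000")          # indefinite-length SEQUENCE

if __name__ == "__main__":
    for name in ("STRICT_DER", "LOOSE_BER", "INDEFINITE"):
        print(name, der_violations(globals()[name]) or "strict DER")
```

To check a generated key, base64-decode the body of its PEM block and pass the resulting bytes to the function; an empty list means a DER-only parser should accept the encoding.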

