Reviewed: https://review.opendev.org/667765 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6caedfd97675940eb3cf07e2f019926dae45d02c Submitter: Zuul Branch: master
commit 6caedfd97675940eb3cf07e2f019926dae45d02c Author: melanie witt <[email protected]> Date: Wed Jun 26 23:25:48 2019 +0000 Require at least cryptography>=2.7 Version 2.6 of the cryptography library [1] added support for ed25519 ssh keys. This works with OpenSSL >= 1.1.1b. In nova, we can enable people to use ed25519 ssh keys by using the necessary cryptography library version. Users must make sure they have a new enough OpenSSL version, else they won't be able to generate ed25519 ssh keys using ssh-keygen in the first place. I did a local test using Ubuntu 18.04 and things "just worked" when I generated a ed25519 ssh key and imported it into nova. I left a comment on the launchpad bug accordingly. This updates our minimum version to the latest available version 2.7. Closes-Bug: #1555521 [1] https://cryptography.io/en/latest/changelog/#v2-6 Change-Id: Id4a4e1ae4c0acd40c1fc32c3b82a8d8a62d4624d ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1555521 Title: "failed to generate fingerprint" when importing ed25519 key Status in OpenStack Compute (nova): Fix Released Bug description: While RSA keys are most established, and still prevalent, ed25519 are gaining significance. However, trying to import an ed25519 pubkey fails: ==> /var/log/nova/nova-api.log <== 2016-03-10 09:52:09.538 2823 INFO nova.api.openstack.wsgi [req-e9474955-458c-4cf0-b8ca-fcbd4129824d 133e8f3fc1ad43efa9e7bd2401282ebd 801bf0d65c9646118905853d5615f6ee - - -] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint 2016-03-10 09:52:09.539 2823 INFO nova.osapi_compute.wsgi.server [req-e9474955-458c-4cf0-b8ca-fcbd4129824d 133e8f3fc1ad43efa9e7bd2401282ebd 801bf0d65c9646118905853d5615f6ee - - -] 172.25.16.58 "POST /v2/801bf0d65c9646118905853d5615f6ee/os-keypairs HTTP/1.1" status: 400 len: 319 time: 0.0246069 In this example, it was tried to upload the key through Horizon, but the error occured in Nova as shown above. This was using the latest ci-passed Mitaka packages from RDO on CentOS 7: [root@red-test ~]# rpm -qa | grep openstack-nova openstack-nova-conductor-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-scheduler-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-common-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-console-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-cert-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-api-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-novncproxy-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch openstack-nova-compute-13.0.0.0b4-0.20160304162843.c5a45a2.el7.centos.noarch To generate an ed25519 key to try this yourself, simply run: ssh-keygen -t ed25519 Note, that support for ed25519 in openssl (and openssh) is only available in somewhat modern distributions (CentOS 7, Fedora and Ubuntu should be fine). To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1555521/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
