asn1 - dianaclarke/openstack-notes GitHub Wiki
Context:
- ssh-keygen-to-Paramiko change breaks third-party tools
- https://bugs.launchpad.net/nova/+bug/1483132
Steps to reproduce, based in part on:
- x/crypto/ssh: ParsePrivateKey fails to parse BER encoded key
- https://github.com/golang/go/issues/14145
```
$ cat fail.go
```

```go
package main

import (
	"golang.org/x/crypto/ssh"
	"io/ioutil"
	"log"
)

func main() {
	// Read the PEM-armored RSA private key; edit the path to switch
	// between key.der and key.ber for the two runs below.
	key, err := ioutil.ReadFile("./key.der")
	if err != nil {
		log.Fatal(err)
	}
	// ParsePrivateKey strips the PEM armor and decodes the PKCS#1 body
	// with encoding/asn1, which only accepts DER.
	_, err = ssh.ParsePrivateKey(key)
	if err != nil {
		log.Fatal(err)
	}
}
```
```
$ cat key.ber
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ cat key.der
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
```
`key.ber` was created using `paramiko<2.0` within nova (and then renamed from `foo.pem` to `key.ber` for this example):

```
$ nova keypair-add foo > foo.pem
```

`key.der` was created using `ssh-keygen` within nova (and then renamed from `foo-no-paramiko.pem` to `key.der` for this example):

```
$ nova keypair-add foo-no-paramiko > foo-no-paramiko.pem
```

Both files are PEM-armored text; `ber` and `der` in the file names refer to how the ASN.1 structure inside the base64 is encoded, which is the difference that matters here.
- When `fail.go` points to `key.der`, I don't get any errors:

  ```
  $ go run fail.go
  ```

- When `fail.go` points to `key.ber`, I get the following error:

  ```
  $ go run fail.go
  2016/09/12 22:02:08 asn1: structure error: superfluous leading zeros in length
  exit status 1
  ```
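The error text comes from Go's `encoding/asn1`, which `x/crypto/ssh` uses to decode the PKCS#1 body of the PEM block and which enforces DER's rule that a length must use the fewest bytes possible. The program below is an added example, not code from this page, from nova or from paramiko. It reconstructs, as an assumption about how paramiko < 2.0 wrote its keys, a length encoder that prepends `0x00` whenever the top bit of the length is set (so the 129-byte INTEGERs of a 2048-bit key get `82 00 81` instead of `81 81`), feeds a constructed key-shaped SEQUENCE to `encoding/asn1` to reproduce the exact message above, and then rewrites every length in minimal form so the same decoder accepts it. The `readLength`, `normalizeDER` and `sampleBERKey` names are the example's own. OpenSSH loads PEM keys through OpenSSL, whose decoder tolerates non-minimal lengths, which is why `ssh -i` works with both keys further down while the Go parser does not.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// berLength writes a definite length the way paramiko < 2.0 is assumed to
// have done it: the long-form bytes come from a sign-padded integer encoder,
// so a length with its top bit set gets a leading 0x00. Valid BER, not DER.
func berLength(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	enc := big.NewInt(int64(n)).Bytes()
	if enc[0]&0x80 != 0 {
		enc = append([]byte{0x00}, enc...) // the superfluous leading zero
	}
	return append([]byte{0x80 | byte(len(enc))}, enc...)
}

// derLength writes the same length in minimal (DER) form.
func derLength(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	enc := big.NewInt(int64(n)).Bytes()
	return append([]byte{0x80 | byte(len(enc))}, enc...)
}

// readLength decodes a definite length at the start of b and reports how many
// bytes it occupied. With strict set it applies the DER minimality checks that
// encoding/asn1 makes, using the same wording for the failures.
func readLength(b []byte, strict bool) (length, used int, err error) {
	if len(b) == 0 {
		return 0, 0, errors.New("truncated length")
	}
	if b[0]&0x80 == 0 {
		return int(b[0]), 1, nil // short form
	}
	num := int(b[0] & 0x7f)
	if num == 0 {
		return 0, 0, errors.New("indefinite length found (not DER)")
	}
	if len(b) < 1+num {
		return 0, 0, errors.New("truncated length")
	}
	if strict && b[1] == 0x00 {
		return 0, 0, errors.New("superfluous leading zeros in length")
	}
	for _, c := range b[1 : 1+num] {
		if length >= 1<<23 {
			return 0, 0, errors.New("length too large")
		}
		length = length<<8 | int(c)
	}
	if strict && length < 0x80 {
		return 0, 0, errors.New("non-minimal length")
	}
	return length, 1 + num, nil
}

// normalizeDER re-encodes every length of a definite-length BER value in DER
// form, recursing into constructed elements. Content bytes are untouched, so
// the key material itself is not changed.
func normalizeDER(b []byte) ([]byte, error) {
	var out bytes.Buffer
	for len(b) > 0 {
		tag := b[0]
		if tag&0x1f == 0x1f {
			return nil, errors.New("multi-byte tags not supported")
		}
		n, used, err := readLength(b[1:], false)
		if err != nil {
			return nil, err
		}
		hdr := 1 + used
		if len(b) < hdr+n {
			return nil, errors.New("truncated element")
		}
		content := b[hdr : hdr+n]
		if tag&0x20 != 0 { // constructed: fix nested lengths first
			if content, err = normalizeDER(content); err != nil {
				return nil, err
			}
		}
		out.WriteByte(tag)
		out.Write(derLength(len(content)))
		out.Write(content)
		b = b[hdr+n:]
	}
	return out.Bytes(), nil
}

// sampleBERKey builds a constructed SEQUENCE { INTEGER 0, INTEGER p, INTEGER e }
// shaped like the start of a PKCS#1 RSAPrivateKey. p is 1024-bit filler with
// its top bit set, so its INTEGER body is 129 bytes (0x00 prefix keeps it
// positive) and the length 0x81 is written as 82 00 81.
func sampleBERKey() []byte {
	p := make([]byte, 128)
	for i := range p {
		p[i] = byte(0xa5 ^ i) // constructed filler, not a real prime
	}
	tlv := func(tag byte, body []byte) []byte {
		return append(append([]byte{tag}, berLength(len(body))...), body...)
	}
	var seq []byte
	seq = append(seq, tlv(0x02, []byte{0x00})...)              // version
	seq = append(seq, tlv(0x02, append([]byte{0x00}, p...))...) // p
	seq = append(seq, tlv(0x02, []byte{0x01, 0x00, 0x01})...)   // e = 65537
	return tlv(0x30, seq)
}

type keyLike struct {
	Version int
	P       *big.Int
	E       int
}

// parseWithGo hands the bytes to encoding/asn1, the decoder behind
// ssh.ParsePrivateKey, and returns "ok" or the error string.
func parseWithGo(b []byte) string {
	var k keyLike
	if _, err := asn1.Unmarshal(b, &k); err != nil {
		return err.Error()
	}
	return "ok"
}

func main() {
	ber := sampleBERKey()
	fmt.Printf("BER header % x -> %s\n", ber[:4], parseWithGo(ber))
	der, err := normalizeDER(ber)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DER header % x    -> %s\n", der[:3], parseWithGo(der))
}
```

Running it prints the BER header `30 82 00 8d` with the structure error and the DER header `30 81 8c` with `ok`. The normalizer only touches length bytes, so it is a safe way to repair a key file offline: base64-decode the PEM body, run it through `normalizeDER`, re-armor it, and `ssh.ParsePrivateKey` will take it.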
$ nova keypair-list
+-----------------+------+-------------------------------------------------+
| Name | Type | Fingerprint |
+-----------------+------+-------------------------------------------------+
| foo | ssh | 6f:f4:d2:79:a9:63:a1:e7:b5:70:14:b6:35:23:39:ac |
| foo-no-paramiko | ssh | b8:0e:17:d5:1a:79:8d:80:58:aa:21:2a:6f:34:94:14 |
+-----------------+------+-------------------------------------------------+
- Create an instance with the BER key (built using an old `paramiko` version)
$ nova show instance-foo
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | AUTO |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | localhost.localdomain |
| OS-EXT-SRV-ATTR:hostname | instance-foo |
| OS-EXT-SRV-ATTR:hypervisor_hostname | localhost.localdomain |
| OS-EXT-SRV-ATTR:instance_name | instance-00000001 |
| OS-EXT-SRV-ATTR:kernel_id | 08c625c9-e0d8-4197-bf13-e8ec3cbed615 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | 5e6b021a-2e7d-4193-a0c8-1c6fa298510d |
| OS-EXT-SRV-ATTR:reservation_id | r-dd7hh96p |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-04-16T05:31:04.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-04-16T05:30:17Z |
| description | instance-foo |
| flavor | m1.nano (42) |
| hostId | 11f262edbfd66aeac438df805e1c53edfb32d0dc451c05eb767c9dbd |
| host_status | UP |
| id | 27927489-0158-4bf9-8731-8f117b64978e |
| image | cirros-0.3.4-x86_64-uec (ec3cbb5e-0ce8-4faa-96bd-cfa385122d9a) |
| key_name | foo |
| locked | False |
| metadata | {} |
| name | instance-foo |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.0.2 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 162df2e9319041029c8886f07911e9c7 |
| updated | 2016-04-16T05:31:04Z |
| user_id | d83e39dacfc549449c58987c3c99d379 |
+--------------------------------------+----------------------------------------------------------------+
- Can I `ssh` using the BER key? YES

  ```
  $ chmod 600 foo.pem
  $ ssh -i foo.pem cirros@10.0.0.2
  The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
  RSA key fingerprint is SHA256:8UKG8DkRsH8ZuagxBNgYfDExNAYfAFDE+1KCE2ez924.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '10.0.0.2' (RSA) to the list of known hosts.
  cirros@10.0.0.2's password:
  $
  $ exit
  Connection to 10.0.0.2 closed.
  ```
- Create an instance with the DER key (built using `ssh-keygen`)
$ nova show instance-foo-no-paramiko
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | AUTO |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | localhost.localdomain |
| OS-EXT-SRV-ATTR:hostname | instance-foo-no-paramiko |
| OS-EXT-SRV-ATTR:hypervisor_hostname | localhost.localdomain |
| OS-EXT-SRV-ATTR:instance_name | instance-00000002 |
| OS-EXT-SRV-ATTR:kernel_id | 08c625c9-e0d8-4197-bf13-e8ec3cbed615 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | 5e6b021a-2e7d-4193-a0c8-1c6fa298510d |
| OS-EXT-SRV-ATTR:reservation_id | r-tgi1eagr |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-04-16T05:39:30.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-04-16T05:39:19Z |
| description | instance-foo-no-paramiko |
| flavor | m1.nano (42) |
| hostId | 11f262edbfd66aeac438df805e1c53edfb32d0dc451c05eb767c9dbd |
| host_status | UP |
| id | eb829460-0267-40be-9cbf-f3318deee215 |
| image | cirros-0.3.4-x86_64-uec (ec3cbb5e-0ce8-4faa-96bd-cfa385122d9a) |
| key_name | foo-no-paramiko |
| locked | False |
| metadata | {} |
| name | instance-foo-no-paramiko |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.0.3 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 162df2e9319041029c8886f07911e9c7 |
| updated | 2016-04-16T05:39:31Z |
| user_id | d83e39dacfc549449c58987c3c99d379 |
+--------------------------------------+----------------------------------------------------------------+
- Can I `ssh` using the DER key? YES

  ```
  $ chmod 600 foo-no-paramiko.pem
  $ ssh -i foo-no-paramiko.pem cirros@10.0.0.3
  The authenticity of host '10.0.0.3 (10.0.0.3)' can't be established.
  RSA key fingerprint is SHA256:x+glVwieys3NaCsExzvHJK38KeKLgc/laCKZnCW9IBY.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '10.0.0.3' (RSA) to the list of known hosts.
  $ exit
  Connection to 10.0.0.3 closed.
  ```