Bug 1258365

Summary: [PKI] do not prompt for passphrase for openssh certificate enrollment - ever
Product: [oVirt] ovirt-engine
Reporter: Alon Bar-Lev <alonbl>
Component: PKI
Assignee: Yaniv Kaul <ykaul>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.6.0
CC: bugs, gklein, iheim, lsurette, rbalakri, sbonazzo, yeylon, ykaul
Target Milestone: ovirt-3.6.0-rc
Keywords: CodeChange
Target Release: 3.6.0
Flags: rule-engine: ovirt-3.6.0+, ylavi: planning_ack+, rule-engine: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 3.6.0-11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-10 12:54:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1258154

Description Alon Bar-Lev 2015-08-31 08:05:40 UTC
Passphrase prompting is done in older ssh-keygen implementations in any error condition. For example, if the CA key cannot be read, a passphrase prompt will be issued.

Feeding an empty passphrase will work around this for now.

Comment 3 Jiri Belka 2016-01-22 09:55:18 UTC
ok, rhevm-backend-3.6.2.6-0.1.el6.noarch

# sed -n '/ssh-keygen \\/,/^$/p'  /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
                ssh-keygen \
                        -s "${TMPCA}" \
                        -P "" \
                        -I "${id}" \
                        ${host:+-h} \
                        -V "-1h:+${days}d" \
                        ${principals:+${principal_arg} "${principals}"} \
                        $(printf "${options}" | xargs -ix -d',' echo -O x) \
                        "${sshpub}" \
                        || die "ssh-keygen failed"
        ) || die "Cannot sign ssh certificate"
}

[root@jb-rhevm36 tmp]# ssh-keygen -y -f /etc/pki/ovirt-engine/keys/engine_id_rsa 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/duIBjjAet3mGfKa+aFv1aU9Vc4Blb6sDSjRGP5NtpLPbZNvDnFDchRF0AG6s6jYNvo2FnA9rfZpLCOr03pVHbQ6hyO6PJdJWFzPyxwi36kpkboftj5jCLUeI05Wxz346SRGw27OKEHtraPgfoXYm6Kq0tbAShT8aAvT9fp5AHAPCkLNmiViS7GIqDWoy+WQK9TiNJrvW+5mFvEug5dnqgZqsf8S1NJp5wWVWlA4IAS20qDo9H/U2/K47bSO45UE98rrELBwmLE5RraRKXbQtLiZPpYbaDx068wdbKpAYuZ29AWl3p//R3aY+tU2+3mnCpb6ojykJI25NQBtT3moX
[root@jb-rhevm36 tmp]# ls -l /etc/pki/ovirt-engine/keys/engine_id_rsa 
-rw-------. 1 root root 1828 Aug 17 13:37 /etc/pki/ovirt-engine/keys/engine_id_rsa

If there were a passphrase, 'ssh-keygen -y -f' would prompt for one.
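
The two checks from this report, as an added example that is not part of the bug or of pki-enroll-openssh-cert.sh: passing -P "" so that a CA key problem becomes an exit status instead of a prompt, and testing whether a private key carries a passphrase. The function names, the certificate identity and the passphrase are constructed for the demo, and it assumes an ssh-keygen with ed25519 support.

```sh
#!/bin/sh
# Added example. All keys are throwaway and generated in a temp dir;
# the passphrase below is a constructed demo value.

# Succeeds only if the private key loads with an empty passphrase.
# -P "" plus stdin from /dev/null turns a failure into an exit status.
key_has_no_passphrase() {
    ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# Sign public key $2 with CA key $1 using -P "" as the fixed script does.
# An unreadable or encrypted CA key makes this return non-zero.
sign_noprompt() {
    ssh-keygen -q -s "$1" -P "" -I "demo-id" -V "-1h:+1d" "$2" \
        </dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N "" -f "$d/ca_plain"
    ssh-keygen -q -t ed25519 -N "constructed-demo-passphrase" -f "$d/ca_locked"
    ssh-keygen -q -t ed25519 -N "" -f "$d/user"

    key_has_no_passphrase "$d/ca_plain" \
        && echo "ca_plain: no passphrase"
    key_has_no_passphrase "$d/ca_locked" \
        || echo "ca_locked: encrypted, rejected without prompting"

    sign_noprompt "$d/ca_plain" "$d/user.pub" \
        && echo "plain CA: wrote user-cert.pub"
    rm -f "$d/user-cert.pub"
    sign_noprompt "$d/ca_locked" "$d/user.pub" \
        || echo "locked CA: signing failed without prompting"

    rm -rf "$d"
}

demo
```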