Bug 840657

Summary: sshpubkey not accepting ssh keys in the right format for user
Product: Red Hat Enterprise Linux 6
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: high
Version: 6.4
CC: jgalipea, mkosek, sgallagh, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management SSH capabilities allow storage of public user or host SSH keys. However, the key fields did not accept the OpenSSH-style public key format (public key type, public key, and a comment), only the public key blob.
Consequence: Identity Management had to guess the public key type from the public key blob, which could have caused issues in the future with new public key types. A comment attached to the public key may also be essential for some deployments.
Fix: Store SSH public keys in the extended OpenSSH format.
Result: Stored SSH public keys now contain all required parts, making the functionality acceptable in more deployments.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:16:49 UTC
Type: Bug

Description Namita Soman 2012-07-16 20:22:45 UTC
Description of problem:
When adding ssh keys for the user, can add the key, the type is recognized correctly to be ssh-rsa or ssh-dss. But the comments cannot be saved with the keys. 

Should be able to add ssh key with all 3 parts of the file - 
# ipa user-mod one --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHcTZHojrZgZmDSOCYbJjiU06jdPQM70KZnw9gdLh1+pyPR+YuEhSBMIj2ObcUs5yffq8RtTre/WIf9Mj/klY462MnPO89TxLCsSGUKcK+WCeoVQxUrwz6IYXc/IwKcd8sNg9qpjpxsXvoEt1cggMxrEBot4GekEn521VJENSjxnLFyoeS+rADTy5EMBRGw6rGAVwS6lF9id5JWF6NaJ6rtCKiMWJHX27l/2ryKY/2UqHco7sdpdsigZ4Ga+cO0hYZRLJuJlKXXo6GJgp1cvw9oAPMNJDxEC3eI6zIEYnkJdLGuYBzL0LW0j71GYDR3/96h6+YnnIw5XcLO3xwbts7 root.com"
ipa: ERROR: invalid 'sshpubkey': must be binary data


Version-Release number of selected component (if applicable):
freeipa-server-2.99.0-0.20120711T1433Zgit14ac219.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
1. add a user
2. ssh-keygen -t rsa and store to /home/one_rsa
3. cat /home/one_rsa.pub
4. ipa user-mod one --sshpubkey=<paste contents of /home/one_rsa.pub>
5. ipa user-show one
  
Actual results:
output for step 4: ipa: ERROR: invalid 'sshpubkey': must be binary data


Expected results:
for step 4 : sshpubkey should accept the 3 parts of the public key
worked around by using just the key (and not the encoding or comments). This is the expected format that administrators use/prefer

Also in UI - when all 3 parts can be added - the comments should also be displayed. Currently it displays the key - the encoding, but no comments - since it wasn't entered.

Additional info:

Comment 2 Rob Crittenden 2012-07-18 13:18:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2932

Comment 3 Rob Crittenden 2012-09-07 16:32:59 UTC
Fixed upstream.

master: 46ad724301e301d1bc96216b8873e704a37d35e3

ipa-3-0: 8a81d71b7856d1e40b99bd59757791bf7cf7dce2

Comment 5 Namita Soman 2012-11-24 22:27:55 UTC
Verified using ipa-server-3.0.0-8.el6.x86_64

# ipa user-mod one --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5TA9rtXU8T4a2Iq0NQ6tjT+zxGBADpw6ahfBumyXud5H83HZsRTDNANnjfR3gdzKaPBIoHiV/n5NjOMHIRTOEh8QoKXIuhfUczjaLqv72zQP+grBXtWrZT307hCeDi510YGc4Zll8+uUvMkKmVAt6YlR4SsX3bB5TtRQTvlaKMemON8xQkDIyZA419MFxMQ5KVAchXB+bHPe9uJwWCs6cwPGllgAgQTEEbRy/ffyhEl92gXm7/oK2PJo6cKOmA9Zer7VE9JNMMJUvj+EukKF36RVtkbUWSPupPUv4FX5S7Amfh2F7zAnVam0bBYfNEMS4rb3VRKsyJj2IJwY2agh4Q== root.com"
-------------------
Modified user "one"
-------------------
  User login: one
  First name: one
  Last name: onme
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 1019800001
  GID: 1019800001
  Account disabled: False
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAABIwAAAQEA5TA9rtXU8T4a2Iq0NQ6tjT+zxGBADpw6ahfBumyXud5H83HZsRTDNANnjfR3gdzKaPBIoHiV/n5NjOMHIRTOEh8QoKXIuhfUczjaLqv72zQP+grBXtWrZT307hCeDi510YGc4Zll8+uUvMkKmVAt6YlR4SsX3bB5TtRQTvlaKMemON8xQkDIyZA419MFxMQ5KVAchXB+bHPe9uJwWCs6cwPGllgAgQTEEbRy/ffyhEl92gXm7/oK2PJo6cKOmA9Zer7VE9JNMMJUvj+EukKF36RVtkbUWSPupPUv4FX5S7Amfh2F7zAnVam0bBYfNEMS4rb3VRKsyJj2IJwY2agh4Q==
                  root.com
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  SSH public key fingerprint: 9A:05:35:E1:FF:82:E2:16:3E:AC:EA:D2:1C:A2:CC:35
                              root.com (ssh-rsa)


# ipa user-show one
  User login: one
  First name: one
  Last name: onme
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one
  UID: 1019800001
  GID: 1019800001
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  SSH public key fingerprint: 9A:05:35:E1:FF:82:E2:16:3E:AC:EA:D2:1C:A2:CC:35
                              root.com (ssh-rsa)
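
The three-part OpenSSH public key line this bug is about (key type, base64 blob, optional comment), parsed and cross-checked in Python as an added example; it is not FreeIPA's code. The key type is read from the blob's first length-prefixed field and compared with the declared type, and the fingerprint is the colon-separated MD5 form shown in the output above. `parse_openssh_pubkey`, `SAMPLE_BLOB` and `SAMPLE_LINE` are hypothetical names, and the sample key is constructed.

```python
import base64
import binascii
import hashlib
import struct


def _read_string(buf, offset):
    """Read one length-prefixed field: 4-byte big-endian length, then data."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[offset + 4:end], end


def parse_openssh_pubkey(line):
    """Split '<type> <base64 blob> [comment]' and verify type against blob."""
    parts = line.strip().split(None, 2)  # the comment may contain spaces
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else None
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key blob is not valid base64") from None
    # The blob's first field names the algorithm; no guessing is needed,
    # but a mismatch with the declared type means the line was altered.
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match blob")
    md5 = hashlib.md5(blob).hexdigest().upper()
    fingerprint = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return {"type": declared, "blob": blob, "comment": comment,
            "fingerprint": fingerprint}


def _pack(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample: a structurally valid ssh-rsa blob with a toy modulus.
# It is not a usable key and does not come from the bug report.
SAMPLE_BLOB = (_pack(b"ssh-rsa") + _pack(b"\x01\x00\x01")
               + _pack(b"\x00" + b"\xc3" * 32))
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
               + " one@example.test")
```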

Comment 7 errata-xmlrpc 2013-02-21 09:16:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html