Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1194035

Summary: Add validation of SSH key size as a configuration parameter for OpenShift broker
Product: OpenShift Container Platform Reporter: Øystein Bedin <obedin>
Component: NodeAssignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 2.2.0CC: adellape, bleanhar, cryan, erich, jkaur, jokerman, libra-onpremise-devel, mmccomas, sdodson, xiama
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openshift-origin-broker-1.16.2.5-1, rubygem-openshift-origin-controller-1.35.1.2-1 Doc Type: Enhancement
Doc Text:
This enhancement adds optional SSH key size validation for when developers add a new public key to their account. Administrators can configure this by setting the MINIMUM_SSH_KEY_SIZE parameter to the desired value in the /etc/openshift/broker.conf file on brokers, then restarting the openshift-broker service.
 Story Points: ---
Clone Of:
: 1194200 (view as bug list) Environment:
Last Closed: 2015-04-06 17:06:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1194200    

Description Øystein Bedin 2015-02-18 20:10:46 UTC 
Description of problem:
For security reasons, customer requests a check of SSH key size (i.e.: number of bits used to create the key) when a new public key is added using the "Settings" web page for a user. This should be a configurable parameter that can be set to the customers requirements for minimum key size.

Version-Release number of selected component (if applicable):
OSE 2.2.x

How reproducible:
100% - no such functionality exists today

Steps to Reproduce:
N/A

Actual results:
Current SSH keys are not being checked for minimum (bit) size

Expected results:
Perform a check of public key added to ensure it meets minimum size requirements

Additional info:
Patch is already developed and ready. The implementation uses a configurable broker.conf option: MINIMUM_SSH_KEY_SIZE="ssh-rsa|2048 ssh-dss|1024"
... this format follows existing configuration options and allow for a list of valid values for future additions of other key types as well.
Comment 1 Øystein Bedin 2015-02-19 05:34:31 UTC 
Created a PR for the proposed changes - it can be found here:
https://github.com/openshift/origin-server/pull/6078
Comment 4 Eric Rich 2015-02-20 14:44:20 UTC 
*** Bug 1194200 has been marked as a duplicate of this bug. ***
Comment 8 Scott Dodson 2015-03-17 15:35:56 UTC 
I believe this made it into devenv_5471

When I was testing I set this value in /etc/openshift/broker-dev.conf

MINIMUM_SSH_KEY_SIZE="ssh-rsa|1024 ssh-dss|1024"
Comment 11 Ma xiaoqiang 2015-03-18 02:47:39 UTC 
Check on puddle [2.2.5/2015-03-17.1]


1.generate different size key
#ssh-keygen -b 1024 -f rsa_1024
#ssh-keygen -b 4096 -f rsa_4096
#ssh-keygen -f rsa_2048
#ssh-keygen -f dsa_1024 -t dsa

2.setup with user
#rhc setup -l xiaom

3.add all keys generate in the step 1
#keys="rsa_1024 rsa_4096 rsa_2048 dsa_1024" 
# for key in $keys;do echo $key; set -x; rhc sshkey add $key $key.pub -l xiaom;done 

4.list all keys
All keys are added successfully

5.delete all keys
#for key in $(rhc sshkey list -l xiaom|grep type|awk '{print $1}');do rhc sshkey remove $key -l xiaom;done

6. configure the mininum key size, and restart the openshift-broker
#vim /etc/openshift/broker.conf
MINIMUM_SSH_KEY_SIZE="ssh-rsa|2048 ssh-dss|1024"
#service openshift-broker restart

7. add all keys
#rhc sshkey add $key_name $keyfile
dsa_1024 pass
rsa_4096 pass
rsa_1024 fail (Invalid RSA key size.  Must be greater or equal to 2048.)
rsa_2048 pass

8. delete all keys

9.configure the mininum key size, and restart the openshift-broker
#vim /etc/openshift/broker.conf
MINIMUM_SSH_KEY_SIZE="ssh-rsa|4097 ssh-dss|1025"
#service openshift-broker restart

10. add all keys
dsa_1024 fail (Invalid DSA key size.  Must be greater or equal to 1025.)
rsa_4096 fail (Invalid RSA key size.  Must be greater or equal to 4097.)
rsa_1024 fail (Invalid RSA key size.  Must be greater or equal to 4097.)
rsa_2048 fail (Invalid RSA key size.  Must be greater or equal to 4097.)

11.configure the mininum key size, and restart the openshift-broker
#vim /etc/openshift/broker.conf
MINIMUM_SSH_KEY_SIZE="ssh-rsa|4095 ssh-dss|1023"
#service openshift-broker restart
12. add all keys
dsa_1024 pass 
rsa_4096 pass 
rsa_1024 fail (Invalid RSA key size.  Must be greater or equal to 4095.)
rsa_2048 fail (Invalid RSA key size.  Must be greater or equal to 4095.)

13. delete all keys

14. rhc setup -l xiaom
fail to add default key

15. .configure the mininum key size, and restart the openshift-broker
#vim /etc/openshift/broker.conf
MINIMUM_SSH_KEY_SIZE="ssh-dsa|2048"
#service openshift-broker restart

16. add all keys
dsa_1024 fail (Invalid DSA key size.  Must be greater or equal to 2048.)
rsa_4096 pass 
rsa_1024 pass
rsa_2048 pass

17. configure the mininum key size, and restart the openshift-broker
#vim /etc/openshift/broker.conf
MINIMUM_SSH_KEY_SIZE="ssh-rsa|1023 ssh-dss|2048"
#service openshift-broker restart

18. delete all keys
all keys can be deleted.
Comment 13 errata-xmlrpc 2015-04-06 17:06:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0779.html