1258365 – [PKI] do not prompt for passphrase for openssh certificate enrollment - ever

Bug 1258365 - [PKI] do not prompt for passphrase for openssh certificate enrollment - ever

Summary: [PKI] do not prompt for passphrase for openssh certificate enrollment - ever

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	PKI
Sub Component:
Version:	3.6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-3.6.0-rc
Target Release:	3.6.0
Assignee:	Yaniv Kaul
QA Contact:	Jiri Belka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1258154
TreeView+	depends on / blocked

Reported:	2015-08-31 08:05 UTC by Alon Bar-Lev
Modified:	2016-02-10 12:54 UTC (History)
CC List:	8 users (show)
Fixed In Version:	3.6.0-11
Clone Of:
Environment:
Last Closed:	2016-02-10 12:54:19 UTC
oVirt Team:	Infra
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-3.6.0+ ylavi: planning_ack+ rule-engine: devel_ack+ pstehlik: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	45475	0	master	MERGED	pki: pki-enroll-openssh-cert.sh: do not allow interactive passphrase prompt	Never
oVirt gerrit	45512	0	ovirt-engine-3.6	MERGED	pki: pki-enroll-openssh-cert.sh: do not allow interactive passphrase prompt	Never

Description Alon Bar-Lev 2015-08-31 08:05:40 UTC

passphrase is done in older ssh-keygen implementation in any error condition. for example, if ca key cannot be read a passphrase prompt will be issued. 

feeding empty passphrase will workaround this for now.

Comment 3 Jiri Belka 2016-01-22 09:55:18 UTC

ok, rhevm-backend-3.6.2.6-0.1.el6.noarch

# sed -n '/ssh-keygen \\/,/^$/p'  /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
                ssh-keygen \
                        -s "${TMPCA}" \
                        -P "" \
                        -I "${id}" \
                        ${host:+-h} \
                        -V "-1h:+${days}d" \
                        ${principals:+${principal_arg} "${principals}"} \
                        $(printf "${options}" | xargs -ix -d',' echo -O x) \
                        "${sshpub}" \
                        || die "ssh-keygen failed"
        ) || die "Cannot sign ssh certificate"
}

[root@jb-rhevm36 tmp]# ssh-keygen -y -f /etc/pki/ovirt-engine/keys/engine_id_rsa 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/duIBjjAet3mGfKa+aFv1aU9Vc4Blb6sDSjRGP5NtpLPbZNvDnFDchRF0AG6s6jYNvo2FnA9rfZpLCOr03pVHbQ6hyO6PJdJWFzPyxwi36kpkboftj5jCLUeI05Wxz346SRGw27OKEHtraPgfoXYm6Kq0tbAShT8aAvT9fp5AHAPCkLNmiViS7GIqDWoy+WQK9TiNJrvW+5mFvEug5dnqgZqsf8S1NJp5wWVWlA4IAS20qDo9H/U2/K47bSO45UE98rrELBwmLE5RraRKXbQtLiZPpYbaDx068wdbKpAYuZ29AWl3p//R3aY+tU2+3mnCpb6ojykJI25NQBtT3moX
[root@jb-rhevm36 tmp]# ls -l /etc/pki/ovirt-engine/keys/engine_id_rsa 
-rw-------. 1 root root 1828 Aug 17 13:37 /etc/pki/ovirt-engine/keys/engine_id_rsa

if there would be passphrase, 'ssh-keygen -y -f' would prompt for one.

Note You need to log in before you can comment on or make changes to this bug.