Bug 1258365 - [PKI] do not prompt for passphrase for openssh certificate enrollment - ever
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: PKI
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assigned To: Yaniv Kaul
QA Contact: Jiri Belka
Keywords: CodeChange
Blocks: 1258154

Reported: 2015-08-31 04:05 EDT by Alon Bar-Lev
Modified: 2016-02-10 07:54 EST
Fixed In Version: 3.6.0-11
Doc Type: Bug Fix
Last Closed: 2016-02-10 07:54:19 EST
Type: Bug
oVirt Team: Infra
rule-engine: ovirt‑3.6.0+
ylavi: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+


External Trackers
| Tracker | ID | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- |
| oVirt gerrit | 45475 | master | MERGED | pki: pki-enroll-openssh-cert.sh: do not allow interactive passphrase prompt | Never |
| oVirt gerrit | 45512 | ovirt-engine-3.6 | MERGED | pki: pki-enroll-openssh-cert.sh: do not allow interactive passphrase prompt | Never |

Description Alon Bar-Lev 2015-08-31 04:05:40 EDT
Passphrase prompting is done in older ssh-keygen implementations in any error condition. For example, if the CA key cannot be read, a passphrase prompt will be issued.

Feeding an empty passphrase will work around this for now.
Comment 3 Jiri Belka 2016-01-22 04:55:18 EST
ok, rhevm-backend-3.6.2.6-0.1.el6.noarch

# sed -n '/ssh-keygen \\/,/^$/p'  /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
                ssh-keygen \
                        -s "${TMPCA}" \
                        -P "" \
                        -I "${id}" \
                        ${host:+-h} \
                        -V "-1h:+${days}d" \
                        ${principals:+${principal_arg} "${principals}"} \
                        $(printf "${options}" | xargs -ix -d',' echo -O x) \
                        "${sshpub}" \
                        || die "ssh-keygen failed"
        ) || die "Cannot sign ssh certificate"
}

[root@jb-rhevm36 tmp]# ssh-keygen -y -f /etc/pki/ovirt-engine/keys/engine_id_rsa 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/duIBjjAet3mGfKa+aFv1aU9Vc4Blb6sDSjRGP5NtpLPbZNvDnFDchRF0AG6s6jYNvo2FnA9rfZpLCOr03pVHbQ6hyO6PJdJWFzPyxwi36kpkboftj5jCLUeI05Wxz346SRGw27OKEHtraPgfoXYm6Kq0tbAShT8aAvT9fp5AHAPCkLNmiViS7GIqDWoy+WQK9TiNJrvW+5mFvEug5dnqgZqsf8S1NJp5wWVWlA4IAS20qDo9H/U2/K47bSO45UE98rrELBwmLE5RraRKXbQtLiZPpYbaDx068wdbKpAYuZ29AWl3p//R3aY+tU2+3mnCpb6ojykJI25NQBtT3moX
[root@jb-rhevm36 tmp]# ls -l /etc/pki/ovirt-engine/keys/engine_id_rsa 
-rw-------. 1 root root 1828 Aug 17 13:37 /etc/pki/ovirt-engine/keys/engine_id_rsa

If there were a passphrase, 'ssh-keygen -y -f' would prompt for one.
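
One way to check other automation scripts for the pattern this bug fixed, as an added example that is not part of the bug report or the oVirt code: it flags `ssh-keygen -s` calls that do not pass `-P`, joining backslash-continued lines first. The function names and the sample input are constructed for illustration, and the matching is a word-level heuristic, not a shell parser.

```shell
# Added example: flag "ssh-keygen -s" (certificate signing) calls that omit -P
# and so can fall back to an interactive passphrase prompt on error.
# Reads a script on stdin or from file arguments; prints one finding per
# such call, prefixed with the line number where the command starts.
audit_signing_calls() {
    awk '
    function check(cmd, start,    w, n, i, seen, signing, has_p) {
        n = split(cmd, w)                       # whitespace-separated words
        if (n == 0 || w[1] ~ /^#/) return       # blank or comment line
        for (i = 1; i <= n; i++) {
            if (w[i] ~ /(^|\/)ssh-keygen$/) { seen = 1; continue }
            if (!seen) continue
            if (w[i] == "-s") signing = 1       # sign with a CA key
            if (w[i] ~ /^-P/) has_p = 1         # passphrase given as an argument
        }
        if (signing && !has_p) print start ": ssh-keygen -s without -P"
    }
    {
        if (buf == "") start = NR
        line = $0
        cont = sub(/\\$/, "", line)             # trailing backslash: command continues
        buf = buf " " line
        if (cont) next
        check(buf, start); buf = ""
    }
    END { if (buf != "") check(buf, start) }
    ' "$@"
}

# Constructed sample input (not the oVirt script): a signing call without -P,
# one with the empty passphrase used by the fix, and a non-signing call.
sample_script() {
    cat <<'EOF'
# constructed sample
ssh-keygen \
    -s "${TMPCA}" \
    -I "${id}" \
    "${sshpub}"
ssh-keygen \
    -s "${TMPCA}" \
    -P "" \
    -I "${id}" \
    "${sshpub}"
ssh-keygen -y -f "${key}"
EOF
}

sample_script | audit_signing_calls
```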
