Bug 1911803 - [Assisted-4.6] [Staging] No BE validation for SSH key when generating an ISO
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: assisted-installer
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: vemporop
QA Contact: Yuri Obshansky
Reported: 2020-12-31 11:36 UTC by Lital Alon
Modified: 2021-03-10 11:24 UTC

Fixed In Version: OCP-Metal-v1.0.17.1
Doc Type: Bug Fix
Doc Text:
Cause: SSH public key validation was not applied when using the generate ISO API.
Consequence: Malformed SSH public keys were accepted without returning an error, eventually causing failures during cluster installation.
Fix: Apply in the generate ISO API the same SSH public key validation we use in the create cluster API.
Result: A malformed SSH public key is rejected with an error message.
Last Closed: 2021-03-10 11:24:01 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0678 0 None None None 2021-03-10 11:24:36 UTC

Description Lital Alon 2020-12-31 11:36:04 UTC
Description of problem:
I mistakenly used a malformed SSH key to generate an ISO.
The issue is that the ISO was generated successfully. I expected to get an error from the BE explaining that the SSH key is malformed.

I got an error from the BE only when I tried to apply the SSH key to the cluster settings as well.

I used the following key (which is missing the footer):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5g7Ry8t2G00eBaJpWRJmuLqw369dkHmxLlDwxm8mVuRaDifsRQs2Kvx3zIODcVJQy0xbKatcBWUopoHUs+xrbImU3TL0mCsZnnEWbqY0H22a6lVJ9bA2oSJsZnvk6XLnC+r042oWKaluJ1sqMyoxtx2lTgTro52fvCKcLGeBOccNOLoTyM3pWzBd/3WXg2LRyekLBYxDCh8Vf8JjWby1udbauiuGKpj7ZckmL9NzHZnYLakSuj1eYHtclF/s29fyRnciGcW5axNg+XwEioOA5pCPzlYoK/WR9n/slOZvWPBWZb8KcNfmAtAzhVvzVQX19ta6PNnst9etWbMksqqj

Version-Release number of selected component (if applicable):
v1.0.14.1

Steps to Reproduce:
1. Generate an ISO with a malformed SSH key


Actual results:
ISO generated successfully

Expected results:
An error is displayed explaining that the SSH key is malformed

Comment 1 Michael Filanov 2020-12-31 16:41:17 UTC
vemporop itsoiref somehow it passed our SSH validation, can one of you take a look?

Comment 2 Michael Filanov 2020-12-31 16:42:31 UTC
@itsoiref @vemporop

Comment 3 Michael Filanov 2021-01-05 07:37:46 UTC
cat key.txt 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5g7Ry8t2G00eBaJpWRJmuLqw369dkHmxLlDwxm8mVuRaDifsRQs2Kvx3zIODcVJQy0xbKatcBWUopoHUs+xrbImU3TL0mCsZnnEWbqY0H22a6lVJ9bA2oSJsZnvk6XLnC+r042oWKaluJ1sqMyoxtx2lTgTro52fvCKcLGeBOccNOLoTyM3pWzBd/3WXg2LRyekLBYxDCh8Vf8JjWby1udbauiuGKpj7ZckmL9NzHZnYLakSuj1eYHtclF/s29fyRnciGcW5axNg+XwEioOA5pCPzlYoK/WR9n/slOZvWPBWZb8KcNfmAtAzhVvzVQX19ta6PNnst9etWbMksqqj

ssh-keygen -l -f key.txt 
key.txt is not a public key file.

Maybe we can run a similar tool or find code that does the same?
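
Added example (not part of the bug comments and not assisted-service code): a standard-library Go check that rejects an ssh-rsa public key whose base64 body has been cut short, the failure mode in this report, by decoding the body and walking its length-prefixed fields. The names ValidateRSAPublicKey, readField and sampleKey are hypothetical, the sample key is constructed, and only the ssh-rsa key type is assumed.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Constructed sample, not a real key: fields are "ssh-rsa", e = 65537, n = 0x00b9.
const sampleKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAgC5"

// readField consumes one length-prefixed field: uint32 big-endian length, then payload.
func readField(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("field runs past the end of the key blob")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// ValidateRSAPublicKey structurally checks one "ssh-rsa <base64> [comment]" line.
func ValidateRSAPublicKey(line string) error {
	parts := strings.Fields(line)
	if len(parts) < 2 || parts[0] != "ssh-rsa" {
		return fmt.Errorf("expected \"ssh-rsa <base64> [comment]\"")
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("base64 body: %w", err)
	}
	name, rest, err := readField(blob)
	if err != nil || string(name) != parts[0] {
		return fmt.Errorf("embedded algorithm name missing or not ssh-rsa")
	}
	for _, what := range []string{"exponent", "modulus"} {
		var f []byte
		if f, rest, err = readField(rest); err != nil || len(f) == 0 {
			return fmt.Errorf("%s missing or truncated", what)
		}
	}
	if len(rest) != 0 {
		return fmt.Errorf("unexpected bytes after modulus")
	}
	return nil
}

func main() { // prints the verdict for the intact sample, then for it minus its last character
	fmt.Println(ValidateRSAPublicKey(sampleKey), ValidateRSAPublicKey(sampleKey[:len(sampleKey)-1]))
}
```

The check is structural only: it does not enforce a minimum modulus size or handle other key types. In a Go service, ParseAuthorizedKey from golang.org/x/crypto/ssh parses authorized_keys lines for the key types that package supports.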

Comment 4 vemporop 2021-02-22 09:55:36 UTC
Fixed by https://github.com/openshift/assisted-service/pull/1136

Comment 6 Igal Tsoiref 2021-03-02 15:33:46 UTC
no new info from my side

Comment 7 mchernyk 2021-03-03 15:12:57 UTC
Verified on stage env, 
AI release_tag	v1.0.17.1

Comment 8 Lital Alon 2021-03-03 21:12:16 UTC
MR for automation coverage: https://gitlab.cee.redhat.com/ocp-edge-qe/kni-assisted-installer-auto/-/merge_requests/132

Comment 10 errata-xmlrpc 2021-03-10 11:24:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.1 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0678

