Bug 840657 - sshpubkey not accepting ssh keys in the right format for user
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Namita Soman

Reported: 2012-07-16 16:22 EDT by Namita Soman
Modified: 2013-02-21 04:16 EST
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management SSH capabilities allow storage of public user or host SSH keys. However, keys were not accepted in the OpenSSH-style public key format (public key type, public key, and a comment); only the public key blob was accepted.
Consequence: Identity Management had to guess the public key type based on the public key blob, which could have caused issues in the future with new public key types. A comment attached to the public key may also be essential for some deployments.
Fix: Store SSH public keys in the extended OpenSSH format.
Result: Stored SSH public keys now contain all required parts, making the functionality acceptable in more deployments.
Last Closed: 2013-02-21 04:16:49 EST
Type: Bug

Description Namita Soman 2012-07-16 16:22:45 EDT
Description of problem:
When adding ssh keys for the user, can add the key, the type is recognized correctly to be ssh-rsa or ssh-dss. But the comments cannot be saved with the keys. 

Should be able to add ssh key with all 3 parts of the file - 
# ipa user-mod one --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHcTZHojrZgZmDSOCYbJjiU06jdPQM70KZnw9gdLh1+pyPR+YuEhSBMIj2ObcUs5yffq8RtTre/WIf9Mj/klY462MnPO89TxLCsSGUKcK+WCeoVQxUrwz6IYXc/IwKcd8sNg9qpjpxsXvoEt1cggMxrEBot4GekEn521VJENSjxnLFyoeS+rADTy5EMBRGw6rGAVwS6lF9id5JWF6NaJ6rtCKiMWJHX27l/2ryKY/2UqHco7sdpdsigZ4Ga+cO0hYZRLJuJlKXXo6GJgp1cvw9oAPMNJDxEC3eI6zIEYnkJdLGuYBzL0LW0j71GYDR3/96h6+YnnIw5XcLO3xwbts7 root@qe-blade-04.testrelm.com"
ipa: ERROR: invalid 'sshpubkey': must be binary data


Version-Release number of selected component (if applicable):
freeipa-server-2.99.0-0.20120711T1433Zgit14ac219.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
1. add a user
2. ssh-keygen -t rsa and store to /home/one_rsa
3. cat /home/one_rsa.pub
4. ipa user-mod one --sshpubkey=<paste contents of /home/one_rsa.pub>
5. ipa user-show one
  
Actual results:
output for step 4: ipa: ERROR: invalid 'sshpubkey': must be binary data


Expected results:
for step 4 : sshpubkey should accept the 3 parts of the public key
worked around by using just the key (and not the encoding or comments). This is the expected format that administrators use/prefer

Also in UI - when all 3 parts can be added - the comments should also be displayed. Currently it displays the key - the encoding, but no comments - since it wasn't entered.

Additional info:
Comment 2 Rob Crittenden 2012-07-18 09:18:28 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2932
Comment 3 Rob Crittenden 2012-09-07 12:32:59 EDT
Fixed upstream.

master: 46ad724301e301d1bc96216b8873e704a37d35e3

ipa-3-0: 8a81d71b7856d1e40b99bd59757791bf7cf7dce2
Comment 5 Namita Soman 2012-11-24 17:27:55 EST
Verified using ipa-server-3.0.0-8.el6.x86_64

# ipa user-mod one --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5TA9rtXU8T4a2Iq0NQ6tjT+zxGBADpw6ahfBumyXud5H83HZsRTDNANnjfR3gdzKaPBIoHiV/n5NjOMHIRTOEh8QoKXIuhfUczjaLqv72zQP+grBXtWrZT307hCeDi510YGc4Zll8+uUvMkKmVAt6YlR4SsX3bB5TtRQTvlaKMemON8xQkDIyZA419MFxMQ5KVAchXB+bHPe9uJwWCs6cwPGllgAgQTEEbRy/ffyhEl92gXm7/oK2PJo6cKOmA9Zer7VE9JNMMJUvj+EukKF36RVtkbUWSPupPUv4FX5S7Amfh2F7zAnVam0bBYfNEMS4rb3VRKsyJj2IJwY2agh4Q== root@ipaqavma.testrelm.com"
-------------------
Modified user "one"
-------------------
  User login: one
  First name: one
  Last name: onme
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one@testrelm.com
  UID: 1019800001
  GID: 1019800001
  Account disabled: False
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAABIwAAAQEA5TA9rtXU8T4a2Iq0NQ6tjT+zxGBADpw6ahfBumyXud5H83HZsRTDNANnjfR3gdzKaPBIoHiV/n5NjOMHIRTOEh8QoKXIuhfUczjaLqv72zQP+grBXtWrZT307hCeDi510YGc4Zll8+uUvMkKmVAt6YlR4SsX3bB5TtRQTvlaKMemON8xQkDIyZA419MFxMQ5KVAchXB+bHPe9uJwWCs6cwPGllgAgQTEEbRy/ffyhEl92gXm7/oK2PJo6cKOmA9Zer7VE9JNMMJUvj+EukKF36RVtkbUWSPupPUv4FX5S7Amfh2F7zAnVam0bBYfNEMS4rb3VRKsyJj2IJwY2agh4Q==
                  root@ipaqavma.testrelm.com
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  SSH public key fingerprint: 9A:05:35:E1:FF:82:E2:16:3E:AC:EA:D2:1C:A2:CC:35
                              root@ipaqavma.testrelm.com (ssh-rsa)


# ipa user-show one
  User login: one
  First name: one
  Last name: onme
  Home directory: /home/one
  Login shell: /bin/sh
  Email address: one@testrelm.com
  UID: 1019800001
  GID: 1019800001
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  SSH public key fingerprint: 9A:05:35:E1:FF:82:E2:16:3E:AC:EA:D2:1C:A2:CC:35
                              root@ipaqavma.testrelm.com (ssh-rsa)
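
Added example (not FreeIPA's code and not part of the original bug report): a Python sketch of the two input forms this bug is about, the bare key blob and the OpenSSH "type blob comment" line. It reads the key type embedded in the blob, rejects a declared type that disagrees with it, and prints a fingerprint in the 16-byte colon-separated form shown above. The function names, the use of MD5 for the fingerprint, and the sample key are assumptions made for the illustration; the sample blob is constructed and is not a real key.

```python
import base64
import hashlib
import struct

def wire(data):
    """Encode one length-prefixed SSH wire-format string."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, offset=0):
    """Decode one length-prefixed string; reject truncated blobs."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end

def parse_pubkey(text):
    """Accept 'type blob [comment]' or a bare base64 blob.
    Returns (keytype, blob_bytes, comment_or_None)."""
    fields = text.strip().split(None, 2)
    if not fields:
        raise ValueError("empty key")
    if len(fields) == 1:  # bare blob: the form that worked before the fix
        declared, b64, comment = None, fields[0], None
    else:
        declared, b64 = fields[0], fields[1]
        comment = fields[2] if len(fields) == 3 else None
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64")
    embedded = read_string(blob)[0].decode("ascii", "replace")
    # The blob names its own algorithm; a declared type must agree with it.
    if declared is not None and declared != embedded:
        raise ValueError("declared type %r does not match blob type %r" % (declared, embedded))
    return embedded, blob, comment

def md5_fingerprint(blob):
    """Colon-separated uppercase hex digest of the raw key blob."""
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample (not a real key): type string, exponent 65537, filler modulus.
SAMPLE_BLOB = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(b"\x00" + b"\xc3" * 32)
SAMPLE_LINE = "ssh-rsa %s user@host.example.test" % base64.b64encode(SAMPLE_BLOB).decode()
```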
Comment 7 errata-xmlrpc 2013-02-21 04:16:49 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
