Bug 983038 - Can not git clone or ssh app via ecdsa type of ssh key
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Hiro Asari
libra bugs
: UpcomingRelease
Reported: 2013-07-10 07:04 EDT by Wei Sun
Modified: 2015-05-14 19:23 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-07-22 11:23:45 EDT
Type: Bug
Attachments: None

Description Wei Sun 2013-07-10 07:04:35 EDT
Description of problem:
Checking the supported key types via the REST API, ecdsa is listed in the valid options. But after adding an ecdsa type key, git clone of the app and ssh login to the app fail.

Version-Release number of selected component (if applicable):
INT (devenv_3470)

How reproducible:
Always

Steps to Reproduce:
1. Check the supported key types via the REST API
2. Generate an ecdsa type key
ssh-keygen -t ecdsa -b 256
3. Add the ecdsa type key
4. Create the app and git clone the app
5. Ssh to log in to the app

Actual results:
1. <description>Type of Key</description>
  <valid-options>
      <valid-option>ssh-rsa</valid-option>
      <valid-option>ssh-dss</valid-option>
      <valid-option>ecdsa-sha2-nistp256-cert-v01@openssh.com</valid-option>
      <valid-option>ecdsa-sha2-nistp384-cert-v01@openssh.com</valid-option>
      <valid-option>ecdsa-sha2-nistp521-cert-v01@openssh.com</valid-option>
      <valid-option>ssh-rsa-cert-v01@openssh.com</valid-option>
      <valid-option>ssh-dss-cert-v01@openssh.com</valid-option>
      <valid-option>ssh-rsa-cert-v00@openssh.com</valid-option>
      <valid-option>ssh-dss-cert-v00@openssh.com</valid-option>
      <valid-option>ecdsa-sha2-nistp256</valid-option>
      <valid-option>ecdsa-sha2-nistp384</valid-option>
      <valid-option>ecdsa-sha2-nistp521</valid-option>
   </valid-options>
3. openshift@openshift-ubuntu:~$ rhc sshkey add key1 .ssh/id_ecdsa.pub
RESULT:
SSH key .ssh/id_ecdsa.pub has been added as 'key1'

openshift@openshift-ubuntu:~$ rhc sshkey list
key1 (type: ecdsa-sha2-nistp256)
--------------------------------
  Fingerprint: cb:4c:94:a1:cd:e0:76:1f:9a:c4:91:d4:1b:f2:10:52
 
You have 1 SSH keys associated with your account.

4. openshift@openshift-ubuntu:~$ rhc app create app1 php-5.3
Application Options
-------------------
  Namespace:  lxia
  Cartridges: php-5.3
  Gear Size:  default
  Scaling:    no
 
Creating application 'app1' ... done
 
 
Your public SSH key must be uploaded to the OpenShift server to access code.  Upload now? (yes|no) no
 
You can upload your SSH key at a later time using the 'rhc sshkey' command
 
Waiting for your DNS name to be available ... done
 
Cloning into 'app1'...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: The remote end hung up unexpectedly
Unable to clone your repository. Called Git with: git clone
ssh://51dd2cbe03ef64bf880002a1@app1-lxia.int.rhcloud.com/~/git/app1.git/ "app1"
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING:  Your application was created successfully but had problems during
          configuration. Below is a list of the issues and steps you can
          take to complete the configuration of your application.
 
  Application URL: http://app1-lxia.int.rhcloud.com/
 
  Issues:
    1. We were unable to clone your application's git repo - Unable to clone your repository. Called Git with: git
clone ssh://51dd2cbe03ef64bf880002a1@app1-lxia.int.rhcloud.com/~/git/app1.git/ "app1"
 
  Steps to complete your configuration:
    1. Clone your git repo
      $ rhc git-clone app1
 
  If you continue to experience problems after completing these steps,
  you can try destroying and recreating the application:
 
    $ rhc app delete app1 --confirm
 
  Please contact us if you are unable to successfully create your
  application:
 
    Support - https://www.openshift.com/support
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 
 
Your application 'app1' is now available.
 
  URL:        http://app1-lxia.int.rhcloud.com/
  SSH to:     51dd2cbe03ef64bf880002a1@app1-lxia.int.rhcloud.com
  Git remote: ssh://51dd2cbe03ef64bf880002a1@app1-lxia.int.rhcloud.com/~/git/app1.git/
 
Run 'rhc show-app app1' for more details about your app.
Expected results:

5. openshift@openshift-ubuntu:~$ ssh -v 51dd3ea86cec0e9d99000150@app1-lxia.int.rhcloud.com
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to app1-lxia.int.rhcloud.com [107.21.181.30] port 22.
debug1: Connection established.
debug1: identity file /home/openshift/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/openshift/.ssh/id_rsa-cert type -1
debug1: identity file /home/openshift/.ssh/id_dsa type -1
debug1: identity file /home/openshift/.ssh/id_dsa-cert type -1
debug1: identity file /home/openshift/.ssh/id_ecdsa type 3
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
debug1: identity file /home/openshift/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA cf:ee:77:cb:0e:fc:02:d7:72:7e:ae:80:c0:90:88:a7
debug1: Host 'app1-lxia.int.rhcloud.com' is known and matches the RSA host key.
debug1: Found key in /home/openshift/.ssh/known_hosts:33
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Next authentication method: publickey
debug1: Offering ECDSA public key: /home/openshift/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: /home/openshift/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/openshift/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Additional info:
Comment 1 Hiro Asari 2013-07-16 16:42:21 EDT
To get the info shown in 1: curl -k -X GET https://openshift.redhat.com/broker/rest/user/keys -H "Accept: application/xml" --user "X:Y"

Looks like the ECDSA key type is new, and is supported only on OpenSSH 5.7 and later (see http://openbsd.das.ufsc.br/openssh/txt/release-5.7, for example).

devenv has OpenSSH 5.3p1:

[root@ip-10-147-212-182 ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

We need to either update OpenSSH or remove ECDSA from the supported key types.
Comment 2 Hiro Asari 2013-07-17 14:31:16 EDT
The list was gleaned from the 'ssh-keygen' man page and inserted into https://github.com/openshift/origin-server/blob/master/controller/app/models/ssh_key.rb

On an F18 machine, 'ssh-keygen' cannot generate a key of this type, even though the man page does mention it:

$ ssh-keygen -t ecdsa -b 256
unknown key type ecdsa

Could QE confirm that this is our first test of ECDSA key type? (And that this is not a regression?)

Seeing that the server needs to declare which key types are accepted by sshd, it might be reasonable for the broker to decide which keys are accepted.
Comment 3 Hiro Asari 2013-07-17 17:09:09 EDT
OpenSSH distributed with RHEL/Fedora does not support ECDSA keys due to patent concerns (http://danielpocock.com/ussing-ecc-ecdsa-in-openssl-and-strongswan-fedora). So it is best to remove them from the relevant list.
Comment 5 openshift-github-bot 2013-07-17 20:50:25 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/671736a3bb3dcc4c3a391182c75eafa9cfb6e161
Merge pull request #3111 from pravisankar/dev/ravi/bug983038

Merged by openshift-bot
Comment 6 Meng Bo 2013-07-18 04:09:48 EDT
Checked on devenv_3519.

When checking the supported ssh-key type via RESTAPI:
              <valid-options>
                <valid-option>ssh-rsa</valid-option>
                <valid-option>ssh-dss</valid-option>
                <valid-option>ssh-rsa-cert-v01@openssh.com</valid-option>
                <valid-option>ssh-dss-cert-v01@openssh.com</valid-option>
                <valid-option>ssh-rsa-cert-v00@openssh.com</valid-option>
                <valid-option>ssh-dss-cert-v00@openssh.com</valid-option>
              </valid-options>

When trying to add an ecdsa sshkey to my account:
# rhc sshkey-add ecdsa .ssh/id_ecdsa.pub
Invalid key type.  Valid types are ssh-rsa, ssh-dss, ssh-rsa-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ssh-rsa-cert-v00@openssh.com,
ssh-dss-cert-v00@openssh.com


The ecdsa key type has been removed from the supported ssh key type list.

Moving the bug to verified.

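To illustrate the fix as verified above (the broker rejecting key types the gear's sshd cannot use, with the post-fix list from Comment 6), here is an added Ruby example of such a validator. It is hypothetical illustration code, not origin-server's ssh_key.rb; `validate_ssh_key` and `embedded_key_type` are names assumed here, and the sample keys in the test are constructed.

```ruby
require 'base64'

# Key types the broker accepts after the fix (the list shown in Comment 6).
# ECDSA types are deliberately absent: the gear's sshd (OpenSSH 5.3) cannot use them.
VALID_SSH_KEY_TYPES = %w[
  ssh-rsa ssh-dss
  ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
  ssh-rsa-cert-v00@openssh.com ssh-dss-cert-v00@openssh.com
].freeze

# Reads the type string at the start of the RFC 4253 key blob:
# a 4-byte big-endian length followed by the type name. Returns nil if the
# base64 or the framing is malformed.
def embedded_key_type(blob)
  data = Base64.strict_decode64(blob)
  return nil if data.bytesize < 4
  len = data.byteslice(0, 4).unpack1('N')
  return nil if len <= 0 || data.bytesize < 4 + len
  data.byteslice(4, len)
rescue ArgumentError
  nil
end

# Validates one line of an OpenSSH public key file ("type base64 [comment]").
# Returns [:ok, type] or [:error, message]. Hypothetical helper, not the
# project's own code.
def validate_ssh_key(line)
  fields = line.to_s.strip.split(/\s+/, 3)
  return [:error, 'Malformed key: expected "<type> <base64> [comment]"'] if fields.size < 2
  type, content = fields
  unless VALID_SSH_KEY_TYPES.include?(type)
    return [:error, "Invalid key type.  Valid types are #{VALID_SSH_KEY_TYPES.join(', ')}"]
  end
  embedded = embedded_key_type(content)
  return [:error, 'Malformed key: content is not a valid key blob'] if embedded.nil?
  # The declared type must match the blob; trusting the text prefix alone would
  # let a key of an unsupported algorithm pass the list check and then fail on
  # the gear exactly as in the original report.
  unless embedded == type
    return [:error, "Key type mismatch: declared #{type}, blob contains #{embedded}"]
  end
  [:ok, type]
end
```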