Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1104145 (https://bugzilla.redhat.com/show_bug.cgi?id=1104145)
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end.

How reproducible: Always

Steps to Reproduce:
1. Add the following in sssd.conf:
    ldap_user_ssh_public_key = extensionAttribute5 <<-- windows attribute in our case
2. Add the following in /etc/ssh/sshd_config:
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

Actual results:
    /usr/bin/sss_ssh_authorizedkeys --debug 10 <username>
    [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0040): sss_ssh_format_pubkey() failed (22): Invalid argument

Expected results:
Should acquire SSH public keys for user USER and output them in OpenSSH authorized_keys format.

Additional info:
    # ldapsearch -LLL -H ldap://REDACTED -b dc=REDACTED '(&(objectClass=User)(extensionAttribute5=*))' dn samaccountname extensionAttribute5
    SASL/GSSAPI authentication started
    SASL username: REDACTED
    SASL SSF: 56
    SASL data security layer installed.
    dn:: [base64-encoded value]
    sAMAccountName: Q5N
    extensionAttribute5:: [base64-encoded value]

-- > ssh-debug
the public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end.
output: invalid argument
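The behaviour the report asks for, as an added example (not SSSD's code or its actual fix): line terminators at the end of the stored key are stripped, while an embedded newline is still rejected because it would turn one LDAP value into several authorized_keys lines. The function name `normalize_pubkey_line` and both sample keys are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample values, not real keys. */
static const char SAMPLE_TRAILING_NL[] =
    "ssh-rsa AAAAB3NzaC1yc2E= user@example.test\n";
static const char SAMPLE_EMBEDDED_NL[] =
    "ssh-rsa AAAAB3NzaC1yc2E=\nssh-rsa AAAAB3NzaC1yc2E= other@example.test";

/* Hypothetical helper, not SSSD's sss_ssh_format_pubkey(): copy a textual
 * public key into out as one authorized_keys line without line terminators.
 * Returns 0, EINVAL for a malformed key, or ERANGE if out is too small. */
int normalize_pubkey_line(const char *in, size_t len, char *out, size_t outsz)
{
    size_t i, fields = 0;
    int in_field = 0;

    /* Tolerate line terminators only at the very end of the value. */
    while (len > 0 && (in[len - 1] == '\n' || in[len - 1] == '\r')) {
        len--;
    }
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];

        /* An embedded newline (or other control byte) would split the
         * output into several authorized_keys lines, so it stays an error. */
        if ((c < 0x20 && c != '\t') || c == 0x7f) {
            return EINVAL;
        }
        if (c == ' ' || c == '\t') {
            in_field = 0;
        } else if (!in_field) {
            in_field = 1;
            fields++;
        }
    }
    /* Expect at least "<key type> <base64 blob>"; a comment is optional. */
    if (fields < 2) {
        return EINVAL;
    }
    if (len + 1 > outsz) {
        return ERANGE;
    }
    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}
```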
Fields changed
owner: somebody => jcholast
patch: 0 => 1
status: new => assigned

milestone: NEEDS_TRIAGE => SSSD 1.11.7

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jcholast
- Issue set to the milestone: SSSD 1.11.7