[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-03-01 Thread Julien Nicoulaud (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16782067#comment-16782067
 ] 

Julien Nicoulaud commented on GUACAMOLE-745:


Looks like libssh2 supports it since [this 
commit|https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e],
 but it is not released yet.

> Add support for OpenSSH private key format
> --
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Major
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by 
> default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does 
> not print any helpful error message even in debug mode:
> {code:java}
> guacd_1  | guacd[296]: DEBUG:    Attempting private key import (WITHOUT passphrase)
> guacd_1  | guacd[296]: DEBUG:    Initial import failed: (null)
> guacd_1  | guacd[296]: DEBUG:    Re-attempting private key import (WITH passphrase)
> guacd_1  | guacd[296]: ERROR:    Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a 
> more helpful error message should be printed (like "unrecognized key format").



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-03-01 Thread Nick Couchman (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16782129#comment-16782129
 ] 

Nick Couchman commented on GUACAMOLE-745:
-

{quote}
Looks like libssh2 supports it since this commit, but it is not released yet.
{quote}

Since it's a libssh2 issue, I don't know that there's any point in keeping this 
particular JIRA issue open - if libssh2 supports it, then I doubt anything 
special will have to be done in Guacamole to gain that support.  For the Docker 
images, we'll have to wait until libssh2 libraries are released for the Debian 
Stable images before it can be integrated there.  All of these I consider 
"upstream" issues.

> Add support for OpenSSH private key format
> --
>
> Key: GUACAMOLE-745
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-745
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacd, SSH
> Environment: Docker official images 1.0.0
> Reporter: Julien Nicoulaud
> Priority: Minor
>
> Since OpenSSH 7.8, {{ssh-keygen}} does not generate keys in PEM format by 
> default anymore: [https://www.openssh.com/txt/release-7.8]
> Attempting to use keys in the new format in Guacamole does not work, and does 
> not print any helpful error message even in debug mode:
> {code:java}
> guacd_1  | guacd[296]: DEBUG:    Attempting private key import (WITHOUT passphrase)
> guacd_1  | guacd[296]: DEBUG:    Initial import failed: (null)
> guacd_1  | guacd[296]: DEBUG:    Re-attempting private key import (WITH passphrase)
> guacd_1  | guacd[296]: ERROR:    Auth key import failed: (null){code}
> It would be nice if keys in OpenSSH new format were supported. At least a 
> more helpful error message should be printed (like "unrecognized key format").





[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-03-01 Thread Julien Nicoulaud (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16782165#comment-16782165
 ] 

Julien Nicoulaud commented on GUACAMOLE-745:


I believe modifications are required in guacd to support it, [this 
code|https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L53]
 requires the key to start with either {{-----BEGIN RSA PRIVATE KEY-----}} or 
{{-----BEGIN DSA PRIVATE KEY-----}} and rejects anything else. The new format 
header is {{-----BEGIN OPENSSH PRIVATE KEY-----}}, I can see RFC4716 mentions 
another format {{---- BEGIN SSH2 PUBLIC KEY ----}} 
(https://tools.ietf.org/html/rfc4716#section-3.2). So I am not sure how this 
should be parsed, but it looks like the current method is too restrictive.




[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-03-01 Thread Nick Couchman (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1678#comment-1678
 ] 

Nick Couchman commented on GUACAMOLE-745:
-

Fair point.  We'll leave this open and we can add support for the new header 
formats.



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-08-30 Thread Charles LeConte Cathey (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16919861#comment-16919861
 ] 

Charles LeConte Cathey commented on GUACAMOLE-745:
--

Like [~nicoulaj], I agree that the modifications to the format headers are 
necessary.  I notice that this is listed as a Minor improvement but it 
prohibits the use of FIPS=1 enabled hosts to generate 
-----BEGIN RSA PRIVATE KEY----- keys (PKCS#1 vs PKCS#8 keys).  This is 
presently blocking some of our progress using 1.0.0.  I see the ticket is 
unassigned.  Has anyone already worked this?  If not we may take it on.



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2019-08-30 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16919898#comment-16919898
 ] 

Nick Couchman commented on GUACAMOLE-745:
-

[~catheyc]: It's minor because the number of people demanding it is low, 
relatively speaking.  The project has other things that have bubbled to the top 
to focus on.

We would welcome your contributions if it's something you or someone on your 
team would like to help with - I love closing out tasks/issues, so I certainly 
wouldn't turn down the help :-).  Contribution guidelines, including style 
guidelines, are on the web site, here: http://guacamole.apache.org/open-source/.

Thanks!!



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-09-06 Thread Victor Sundin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17191235#comment-17191235
 ] 

Victor Sundin commented on GUACAMOLE-745:
-

I got so fed up with this, but finally got it working without the use of the 
ssh-keygen utility.
The commands below will get you the correct headers:


{code:java}
# Path of the private key file to create
KEYFILE=~/.ssh/
# Generate a 2048-bit RSA private key with openssl
openssl genrsa -out "${KEYFILE}" 2048
# Derive the matching public key from the private key
ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
{code}



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256089#comment-17256089
 ] 

Nick Couchman commented on GUACAMOLE-745:
-

Digging into this issue and GUACAMOLE-746 a little more, it looks like the 
changes are going to be a bit more involved than just allowing another header 
format - currently the code uses the header to detect the type of key (RSA, 
DSA, etc.); however, it appears that generating an OpenSSH key in either RSA 
format or ED25519 format both result in the new header "BEGIN OPENSSH PRIVATE 
KEY" - the header is no longer a valid indication of the key format. This means 
our code is likely going to have to loop through supported formats and attempt 
to load the key, or we're going to have to have an option for the user to 
specify the key format.



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Mike Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256144#comment-17256144
 ] 

Mike Jumper commented on GUACAMOLE-745:
---

For OpenSSH itself to be able to read these keys, there's likely some way that 
it identifies the type beyond simply brute forcing through all supported types. 
Decoding generated keys with base64, I see "ssh-ed25519" in the content of the 
key for the {{-t ed25519}} one and "ssh-rsa" for the {{-t rsa}} one. Perhaps 
this format is documented and our code just needs to do a bit more for OpenSSH 
keys?

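The point made in the two comments above (the `OPENSSH PRIVATE KEY` header no longer names the algorithm, while the base64-decoded body contains "ssh-ed25519" or "ssh-rsa"), shown as an added Python example that is not guacd's code and not part of the thread. It follows the openssh-key-v1 layout documented in OpenSSH's PROTOCOL.key; `detect_key_type` and `build_sample` are hypothetical names, and the sample keys are constructed with dummy, unusable key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
# Legacy PEM labels name the algorithm themselves (the two the thread mentions).
LEGACY = {"RSA PRIVATE KEY": "ssh-rsa", "DSA PRIVATE KEY": "ssh-dss"}

def _u32(buf, off):
    """Read a big-endian uint32, failing cleanly on truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated key data")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf, off):
    """Read an SSH wire string: uint32 length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off:off + n], off + n

def detect_key_type(text):
    """Return (container, key type, is_encrypted) for a private key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("unrecognized key format")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if lines[-1] != "-----END %s-----" % label:
        raise ValueError("unrecognized key format")
    if label in LEGACY:
        # Traditional PEM marks passphrase protection in a Proc-Type header.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return "pem", LEGACY[label], enc
    if label != "OPENSSH PRIVATE KEY":
        raise ValueError("unrecognized key format: " + label)
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _string(blob, len(MAGIC))
    _kdfname, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)
    nkeys, off = _u32(blob, off)
    if nkeys != 1:  # OpenSSH writes one key per file
        raise ValueError("expected exactly one key")
    pubkey, off = _string(blob, off)
    keytype, _ = _string(pubkey, 0)  # first field of the public key blob
    return "openssh-key-v1", keytype.decode("ascii"), cipher != b"none"

def build_sample(keytype, cipher=b"none"):
    """Constructed sample: a well-formed container with dummy key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(s(keytype) + s(bytes(32))) + s(bytes(16)))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for kt in (b"ssh-ed25519", b"ssh-rsa"):
        print(detect_key_type(build_sample(kt)))
```

The key type sits in the unencrypted public-key section of the container, so it can be read without the passphrase even when the private section is encrypted.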


[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Mike Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256146#comment-17256146
 ] 

Mike Jumper commented on GUACAMOLE-745:
---

I wonder if perhaps libssh would magically support this without us having to 
manually parse provided keys.



[jira] [Commented] (GUACAMOLE-745) Add support for OpenSSH private key format

2020-12-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17256169#comment-17256169
 ] 

Nick Couchman commented on GUACAMOLE-745:
-

{quote}
Perhaps this format is documented and our code just needs to do a bit more for 
OpenSSH keys?
{quote}

Yeah, I was also looking at some of the OpenSSL functions for this, and there 
seems to be a more generic `PEM_read_bio_PrivateKey()` function that reads more 
generically and perhaps can be combined with other functions to determine the 
type of the key on-the-fly?

{quote}
I wonder if perhaps libssh would magically support this without us having to 
manually parse provided keys.
{quote}

That would be lovely - it does seem like something that would be implemented in 
a client library, though apparently libssh2 doesn't do it. Or maybe it does, 
but the documentation on public key authentication for libssh2 is missing :-(.

I was also looking at possible ways to use the Passphrase Callback to prompt the 
user for a private key passphrase rather than requiring it be specified in the 
configuration, particularly now that we have parameter prompting included. This 
would pave the way for user-specific private keys as mentioned in a different 
JIRA issue.
