Keychain requires public key to always be private key plus ".pub" #3

Closed
cbutterfield opened this Issue · 5 comments

3 participants

@cbutterfield

In my environment, we generally use a suffix for ALL PKI related files, including the private key (e.g. .pub, .pem, .ppk, etc). This confuses keychain which spits out a warning and then fails.

My first take at fixing this on my system was to add additional logic to strip off the last file suffix if the first approach failed. This seemed okay for my purposes, and perhaps others too. But perhaps it would be more robust to match on either a signature OR a filename, so that regardless of the name (or even existence) of the public key, one could still proceed reasonably. Comments?

@funtoo

This is not a feature that I personally need, so really you need to let me know what behavior would work best for you.

@cbutterfield

I tried several approaches to locating the pub file which were easy in bash, but which I wasn't too sure how to convert to "lowest common denominator" Bourne shell syntax. Eventually I realized it might be simpler and more robust to add the full filename to the list of fingerprints, while suppressing the warning about "can't find pub file".

I noticed existing code that used basenames, but that seemed more subject to error if keys from different directories shared the same basename. I did NOT attempt to change the existing basename-centric code. Perhaps that should be done too, if this approach seems suitable for inclusion in the repo.

So here are diffs for your consideration:

$ diff -c keychain ORIG/
*** keychain 2010-08-19 15:58:34.062500000 -0400
--- ORIG//keychain 2006-11-08 23:58:06.001000000 -0500


*** 926,938 ****
# md5 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_dsa(DSA)
# 2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_rsa.pub
echo "$ef_line" | cut -f3 -d' '

  • echo "$ef_line" | cut -f4 -d' ' # include filename as backoff ;; \ [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:) # The more consistent OpenSSH format, we hope # 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_dsa (DSA) echo "$ef_line" | cut -f2 -d' '
  • echo "$ef_line" | cut -f3 -d' ' # include filename as backoff ;; ) # Fall back to filename. Note that commercial ssh is handled --- 926,936 ---- ************** *** 1012,1020 **** sf_filename="$1" if $openssh || $sunssh; then if [ ! -f "$sf_filename.pub" ]; then ! #warn "$sf_filename.pub missing; can't tell if $sf_filename is loaded" ! echo $sf_filename ! return 0 fi sf_fing=ssh-keygen -l -f "$sf_filename.pub" || return 1 echo "$sf_fing" | extract_fingerprints --- 1010,1017 ---- sf_filename="$1" if $openssh || $sunssh; then if [ ! -f "$sf_filename.pub" ]; then ! warn "$sf_filename.pub missing; can't tell if $sf_filename is loaded" ! return 1 fi sf_fing=ssh-keygen -l -f "$sf_filename.pub" || return 1 echo "$sf_fing" | extract_fingerprints
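Review bot: the filename fallback added in the 926,938 hunk (`echo "$ef_line" | cut -f4 -d' '` and `echo "$ef_line" | cut -f3 -d' '`) emits the path field of the `ssh-keygen -l` line as a second token, but `cut -d' '` truncates any path that contains a space at the first space, and the comment line in the same hunk shows that field is the `.pub` path (`/home/barney/.ssh/id_rsa.pub`), not the private key path, so it is not obvious which agent listing the token is meant to match. Suggest stating that in the comment and extracting the trailing field whitespace-safely (for example `sed 's/^[^ ]* [^ ]* //'` on the OpenSSH-format line) instead of a fixed `cut` field.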
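Review bot: in the 1012,1020 hunk the new `echo $sf_filename` is unquoted, so a key path containing spaces or glob characters is word-split and globbed before the caller sees it; use `echo "$sf_filename"`. The old `warn` call is also left behind as a commented-out `#warn "$sf_filename.pub missing; ..."` and the function now returns 0 with no fingerprint at all, which makes a missing `.pub` completely silent; either drop the dead line or keep a debug-level message so a user can tell that the key was matched by path rather than by fingerprint.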
@cbutterfield

OOPS, clearly I screwed the editor pooch. Funny, I can't seem to see any description of the syntax (surely it's right in front of me). So I stuck the diffs in pastebin: http://pastebin.com/jy8cCY3G
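A portable take on the fingerprint extraction and filename fallback discussed in the diffs above, added here as an example; it is not keychain's own code and not the poster's patch, and the sample lines, fingerprints and paths are constructed:

```shell
#!/bin/sh
# Added example, not keychain's code or the patch above: pull the token keychain
# would compare against the agent listing out of one `ssh-keygen -l` line, for
# both line formats quoted in the patch comments, and fall back to the path
# (kept whole, spaces included) when a line carries no fingerprint.
# Pure Bourne shell: no arrays, no bash-only syntax.

# Constructed sample lines; the fingerprints and paths are made up.
SAMPLE_COMMERCIAL='md5 1024 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /home/barney/.ssh/id_dsa(DSA)'
SAMPLE_OPENSSH='2048 a1:b2:c3:d4:e5:f6:a7:b8:c9:d0:e1:f2:a3:b4:c5:d6 /home/barney/.ssh/id_rsa.pub (RSA)'
SAMPLE_NOFP='/home/barney/.ssh/my key.pem'

# extract_fingerprint LINE: print the fingerprint field, or LINE itself as fallback.
extract_fingerprint() {
    ef_line=$1
    case "$ef_line" in
        md5\ *)
            # commercial ssh style: "md5 <bits> <fp> <file>(<type>)"; field 3
            ( set -f; set -- $ef_line; printf '%s\n' "$3" ) ;;
        [0-9]*\ [0-9a-fA-F][0-9a-fA-F]:*)
            # OpenSSH style: "<bits> <fp> <file> (<type>)"; field 2
            ( set -f; set -- $ef_line; printf '%s\n' "$2" ) ;;
        *)
            # no fingerprint present: use the whole line (a path) as the token,
            # unlike `cut -d' '`, which would truncate it at the first space
            printf '%s\n' "$ef_line" ;;
    esac
}

# is_loaded TOKEN LISTING: TOKEN counts as loaded when it equals one full line
# of LISTING (a newline-separated list already run through extract_fingerprint).
is_loaded() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Demonstration: build a listing from the samples and query it.
listing=$(for l in "$SAMPLE_COMMERCIAL" "$SAMPLE_OPENSSH" "$SAMPLE_NOFP"; do
    extract_fingerprint "$l"
done)
is_loaded "/home/barney/.ssh/my key.pem" "$listing" && echo "key with spaces matched"
is_loaded "/home/barney/.ssh/my" "$listing" || echo "truncated path does not match"
```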

@danielrobbins

This issue has been imported into the Funtoo Linux bug tracker! :) Follow the action here: https://bugs.funtoo.org/browse/FL-1998

@danielrobbins

This issue has been resolved in the Funtoo Linux bug tracker. Closing on GitHub.
