[Nix-dev] Possible bug in ssh key module

Wout Mertens wout.mertens at gmail.com
Tue May 12 22:51:41 CEST 2015


The build could run a quick check to see if ssh-keygen can read the
file? `ssh-keygen -l -f filename` will return an error if it can't read
a key in the file (it only checks the first key)

On Tue, May 12, 2015 at 10:33 AM Christian Theune <ct at flyingcircus.io>
wrote:

> Hi,
>
> correct me if I’m wrong but SSH keys do not have a strong syntax, and
> aside from “there’s less than <ssh-rsa…><space><somethingnonspace>” there
> isn’t much you can check for.
>
> Specifically as the comment field can contain pretty much anything and you
> can’t check the key data for validity on a semantic basis AFAIK.
>
> Christian
>
> On 12 May 2015, at 10:27, Tomasz Kontusz <tomasz.kontusz at gmail.com> wrote:
>
> Oops, replied to the wrong address.
>
> ------------------------------
> *From:* Tomasz Kontusz <tomasz.kontusz at gmail.com>
> *Sent:* Tue May 12 10:25:21 CEST 2015
> *To:* Anand Patil <anand.prabhakar.patil at gmail.com>
> *Subject:* Re: [Nix-dev] Possible bug in ssh key module
>
> It would still be nice if the middle yelled at you instead of using
> obviously wrong inputs.
>
> Actually, is there any practice already in place for this kind of check?
> Like how picky should they be, and should they be overridable?
>
> Anand Patil <anand.prabhakar.patil at gmail.com> wrote:
>>
>> Hi Bas, yep, it was just that. Sorry for the false alarm.
>>
>> Thanks,
>> Anand
>>
>> On Mon, May 11, 2015 at 12:52 AM, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>
>>> On 11 May 2015 at 04:45, Anand Patil <anand.prabhakar.patil at gmail.com> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>>
>>>> Just wanted to point out a small possible bug in NixOS version
>>>> 15.05pre61966.75ebc3c (Dingo). I noticed that when I add an
>>>> authorizedKeys option to my user like so:
>>>>
>>>> openssh.authorizedKeys.keys = [ "ssh-rsa stuff" ];
>>>>
>>>> the contents of /etc/ssh/authorized_keys.d/anand look like
>>>>
>>>> ssh-rsa
>>>> stuff
>>>>
>>>> with a newline after the "ssh-rsa",
>>>
>>>
>>> Hi Anand,
>>>
>>> The implementation looks correct. It only adds newlines between the keys:
>>>
>>> https://github.com/NixOS/nixpkgs/blob/75ebc3cf1dc1365be5a05018fc8e5409c66025cb/nixos/modules/services/networking/ssh/sshd.nix#L55
>>>
>>> Are you sure your string doesn't contain a newline? Maybe your text
>>> editor added a newline when it wrapped the string.
>>>
>>> Bas
>>>
>> ------------------------------
>>
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>
> --
> Sent with K-9 Mail.
>
> Christian Theune · ct at flyingcircus.io · +49 345 219401 0
> Flying Circus Internet Operations GmbH · http://flyingcircus.io
> Forsterstraße 29 · 06112 Halle (Saale) · Germany
> HR Stendal HRB 21169 · Managing directors: Christian. Theune, Christian.
> Zagrodnick
>

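An added illustration, not code from this thread or from nixpkgs: the base64 field of a plain public key line decodes to length-prefixed fields, the first of which repeats the key type, so an entry can be checked structurally before it is written to an authorized_keys file. The function name, the constructed sample blob, and the assumptions (no options prefix, non-certificate key type) are this example's own.

```python
import base64
import binascii
import struct

def check_key_entry(entry):
    """Return None if entry looks like '<type> <base64> [comment]', else a reason.

    Assumptions of this sketch: no options prefix, plain (non-certificate) key.
    """
    if "\n" in entry or "\r" in entry:
        return "entry contains a line break"
    fields = entry.split(None, 2)
    if len(fields) < 2:
        return "expected '<type> <base64> [comment]'"
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "key data is not valid base64"
    # The blob is a sequence of fields: 4-byte big-endian length, then bytes.
    parts, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            return "key blob is truncated"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if n > len(blob) - off:
            return "key blob is truncated"
        parts.append(blob[off:off + n])
        off += n
    if not parts or parts[0] != key_type.encode():
        return "key type inside the blob does not match the declared type"
    return None

def _pack(*parts):
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

# Constructed sample: correct field layout for ssh-rsa, but not a usable key.
SAMPLE_BLOB = _pack(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 32)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for entry in ("ssh-rsa " + SAMPLE_B64 + " anand@example",
                  "ssh-rsa\n" + SAMPLE_B64,   # line-break case from the thread
                  "ssh-rsa stuff",
                  "ssh-ed25519 " + SAMPLE_B64):
        print(repr(entry[:24]), "->", check_key_entry(entry) or "ok")
```

This only checks structure; it does not show that the key material is a valid key, which is what `ssh-keygen -l -f` goes on to verify.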