Correctly load openssh-gerenated private keys in SSHHook #16756
Conversation
When Paramiko loads an openssh-generated RSA private key it would happily "parse" it as valid a DSS key, only to fail at first use. This commit fixes the problem in two ways: 1. It re-orders the list to move DSA to the last format to be tried (which is now not widely used) 2. Attempts to "use" the key by signing some data, causing it to be checked early.
| 'rsa': paramiko.RSAKey, | ||
| } | ||
| # List of classes to try loading private keys as, ordered (roughly) by most common to least common | ||
| _pkey_loaders = ( |
There was a problem hiding this comment.
We were never using the keys of this dict, so I changed it to just a list anyway.
| paramiko.RSAKey, | ||
| paramiko.ECDSAKey, | ||
| paramiko.Ed25519Key, | ||
| paramiko.DSSKey, |
| key = pkey_class.from_private_key(StringIO(private_key), password=passphrase) | ||
| # Test it acutally works. If Paramiko loads an openssh generated key, sometimes it will | ||
| # happily load it as the wrong type, only to fail when actually used. | ||
| key.sign_ssh_data(b'') |
| # Paramiko behaves differently with OpenSSH generated keys to paramiko | ||
| # generated keys, so we need a test one. | ||
| # This has been gernerated specifically to put here, it is not otherwise in use | ||
| TEST_OPENSSH_PRIVATE_KEY = "-----BEGIN OPENSSH " + textwrap.dedent( |
There was a problem hiding this comment.
The string is split here here is to avoid the "no private keys" precommit check.
|
/cc @ecerulm |
github-actions
bot
added
the
okay to merge
|
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease. |
|
While using rsa key in pem format, ssh hook seem to expect ed25519 type of key as highlighted. rsa keys were working fine earlier and started having issue from last few months. Is there something recently changed? Traceback (most recent call last): |
When Paramiko loads an openssh-generated RSA private key it would
happily "parse" it as valid a DSS key, only to fail at first use.
This commit fixes the problem in two ways:
(which is now not widely used)
checked early.
Closes #16738
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.