[Cryptography-dev] ssh public key processing

Paul Kehrer paul.l.kehrer at gmail.com
Thu Aug 18 09:08:13 EDT 2016


Hi Chris,

I don't think we've tried to specifically bound it. In general the
assumption has been that the keys it loads would be OpenSSH public keys in
the form that you get from an "id_rsa.pub" file (for example).

What do the options look like? Are they put into the line at the end as
comments?

-Paul (reaperhulk)

On August 18, 2016 at 8:15:16 AM, Chris Hines (chris.hines at monash.edu)
wrote:

Hi List,
I have a question about the function
cryptography.hazmat.primitives.serialization.load_ssh_public_key

Basically, is the function intended to load only the public key, or is it
intended that it be able to process any line out of an authorized_keys file?

Source code shows that the function is prepared to strip off the key-type
(e.g. ssh-rsa) and use it for comparison against the inner_key_type, but is
not prepared to strip off any options that can be passed in an
authorized_keys file (for example SSH_FORCE_COMMAND or no-port-forwarding).

I ask because the downstream project OpenStack Nova uses
load_ssh_public_key to verify that contents intended for authorized_keys are
valid. It's easy enough to remove ssh options in Nova before passing it to
load_ssh_public_key, but I thought if load_ssh_public_key already deals with
the key-type header, perhaps it should also deal with the other options.

I can create issues and merge requests if that is helpful; just looking for
clarification on the intention (i.e. does load_ssh_public_key load contents
intended for authorized_keys, or just the public key part?).

Cheers,
--
Chris
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
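The thread leaves the option-stripping to the caller: load_ssh_public_key expects an id_rsa.pub-style line ("type base64 [comment]") and, as Chris notes, compares the leading key type against the type string embedded in the base64 blob. The following is an added example, not cryptography's or Nova's code, showing what a caller has to do before handing an authorized_keys line to that function: split off the options field the way sshd does (it ends at the first whitespace that is not inside double quotes, so options such as command="..." with spaces or commas in the value survive), then perform the same outer-versus-inner key-type check. All sample lines and the key blob (32 zero bytes, not a real key) are constructed here; the function names are the example's own.

```python
"""Split an OpenSSH authorized_keys line into (options, key_type, base64, comment).

Added example, not part of the cryptography project: it does the option
stripping that load_ssh_public_key() does not, and repeats the check that
the first field matches the key type string inside the base64 blob.
"""
import base64
import struct

# Key types accepted in the first field of an id_rsa.pub-style line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _split_options(line):
    """Return (options, rest). The options field ends at the first whitespace
    that is not inside double quotes; a backslash inside quotes escapes the
    next character, matching sshd's tokenizer."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and i + 1 < len(line):
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("no key material after options field")


def _ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) from blob."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_authorized_key(line):
    """Return (options, key_type, b64, comment) or raise ValueError."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:
        options, rest = "", line          # plain id_rsa.pub-style line
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' after options")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on bad input
    inner_type, _ = _ssh_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("outer type %r does not match inner type %r"
                         % (key_type, inner_type))
    return options, key_type, b64, comment


def public_key_line(line):
    """Bytes in the form load_ssh_public_key() expects: options and comment removed."""
    _, key_type, b64, _ = parse_authorized_key(line)
    return ("%s %s" % (key_type, b64)).encode("ascii")


def is_valid_authorized_key(line):
    """True if the line parses and its key types agree, else False."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def _wire(s):
    return struct.pack(">I", len(s)) + s


# Constructed sample blob: ed25519 type string plus 32 zero bytes (not a real key).
SAMPLE_BLOB = base64.b64encode(_wire(b"ssh-ed25519") + _wire(b"\x00" * 32)).decode()
SAMPLE_LINES = [
    "ssh-ed25519 %s chris@example" % SAMPLE_BLOB,
    'no-port-forwarding,command="echo hi, there" ssh-ed25519 %s nova' % SAMPLE_BLOB,
    "ssh-rsa %s mismatch" % SAMPLE_BLOB,   # outer type disagrees with the blob
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(is_valid_authorized_key(sample), sample[:60])
```

The bytes returned by public_key_line are what a caller such as Nova would pass on to load_ssh_public_key (together with the backend argument the 2016 API took); the options field is returned separately so a validator can also decide whether options like command= or no-port-forwarding are acceptable in its context rather than silently discarding them.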