[jbosstools-issues] [JBoss JIRA] (JBIDE-12016) OpenShift Wizard should warn if domain exists but there's no ssh key on local machine (domain was created in web ui)

Andre Dietisheim (JIRA) jira-events at lists.jboss.org
Fri Sep 7 08:48:32 EDT 2012 

    [ https://issues.jboss.org/browse/JBIDE-12016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716606#comment-12716606 ] 

Andre Dietisheim edited comment on JBIDE-12016 at 9/7/12 8:46 AM:
------------------------------------------------------------------

To warn of possible issues before the cloning happens, 
I tried to find a way to verify keys on the local machine before the cloning happens. 
I was looking up code in apache mina sshd (which is an ssh daemon in java). What I found is pretty weird, it seems to only compare public keys on the server with public keys that were sent by the client:

User authorisation by public key:

Framework code in *Mina* calls a registered PublickeyAuthenticator (interface) to authenticate with public key:
http://svn.apache.org/repos/asf/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/auth/UserAuthPublicKey.java :

{code}
PublickeyAuthenticator authenticator = session.getServerFactoryManager().getPublickeyAuthenticator();
...
if (!authenticator.authenticate(username, key, session)) {
   return false;
}
{code}

PublickeyAuthenticator in *Shelbie*: 
http://grepcode.com/file/repo1.maven.org/maven2/org.ow2.shelbie/shelbie-ssh-server/2.0.0-M1/org/ow2/shelbie/commands/ssh/server/internal/PublickeyAuthenticatorImpl.java#72 :

{code}
if(username.equals(hostKey.getUser())) {
  if (myHostKeys.contains(suppliedKey)
       || getPeerKeys().contains(suppliedKey)) {
           return true;
  }
}
return false;
{code}

or 

PublickeyAuthenticator in *Gerrit*: 
http://gerrit.googlecode.com/git-history/d2eaefa18a99ae4f246e86de61763755841c30ad/gerrit-sshd/src/main/java/com/google/gerrit/sshd/DatabasePubKeyAuth.java?r=d2eaefa18a99ae4f246e86de61763755841c30ad :

{code}
if (PeerDaemonUser.USER_NAME.equals(username)) {
   if (myHostKeys.contains(suppliedKey)
       || getPeerKeys().contains(suppliedKey)) {
     PeerDaemonUser user = peerFactory.create(sd.getRemoteAddress());
     return success(username, session, sd, user);
   } else {
     sd.authenticationError(username, "no-matching-key");
     return false;
   }
}
{code}
                
      was (Author: adietish):
    To warn of possible issues before the cloning happens, 
I tried to find a way to verify keys on the local machine before the cloning happens. 
I was looking up code in apache mina sshd (which is an ssh daemon in java). What I found is pretty weird, it seems to only compare public keys on the server with public keys that were sent by the client:

User authorisation by public key:

Mina (framework code that call a registered PublickeyAuthenticator to check against):
http://svn.apache.org/repos/asf/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/auth/UserAuthPublicKey.java :

{code}
PublickeyAuthenticator authenticator = session.getServerFactoryManager().getPublickeyAuthenticator();
...
if (!authenticator.authenticate(username, key, session)) {
   return false;
}
{code}

PublickeyAuthenticator in Shelbie: http://grepcode.com/file/repo1.maven.org/maven2/org.ow2.shelbie/shelbie-ssh-server/2.0.0-M1/org/ow2/shelbie/commands/ssh/server/internal/PublickeyAuthenticatorImpl.java#72 :

{code}
if(username.equals(hostKey.getUser())) {
  if (myHostKeys.contains(suppliedKey)
       || getPeerKeys().contains(suppliedKey)) {
           return true;
  }
}
return false;
{code}

or 

PublickeyAuthenticator in Gerrit: http://gerrit.googlecode.com/git-history/d2eaefa18a99ae4f246e86de61763755841c30ad/gerrit-sshd/src/main/java/com/google/gerrit/sshd/DatabasePubKeyAuth.java?r=d2eaefa18a99ae4f246e86de61763755841c30ad :

{code}
if (PeerDaemonUser.USER_NAME.equals(username)) {
   if (myHostKeys.contains(suppliedKey)
       || getPeerKeys().contains(suppliedKey)) {
     PeerDaemonUser user = peerFactory.create(sd.getRemoteAddress());
     return success(username, session, sd, user);
   } else {
     sd.authenticationError(username, "no-matching-key");
     return false;
   }
}
{code}
                  
> OpenShift Wizard should warn if domain exists but there's no ssh key on local machine (domain was created in web ui)
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-12016
>                 URL: https://issues.jboss.org/browse/JBIDE-12016
>             Project: Tools (JBoss Tools)
>          Issue Type: Enhancement
>          Components: openshift
>    Affects Versions: 3.3.0.Beta3
>            Reporter: Burr Sutter
>            Assignee: Andre Dietisheim
>             Fix For: 4.0.0.Alpha2
>
>         Attachments: cloning-settings.png, Screen Shot 2012-05-25 at 10.57.18 AM.png
>
>
> If the end-user's .ssh directory is empty - we should provide a stronger warning for them - ideally provide a URL to some documentation/video explaining how the user can use Eclipse/JBoss Tools to create their private/public keys - so they can then upload the .pub to OpenShift.
> At least 10 users failed this test today and had to be "handheld" through the process.   
> What is worse, if the end-user uploads a slightly butchered pub key - the create application phase still works but the git clone fails - with a relatively poor error message - recovery normally means having to go up to the OpenShift console, deleting the poorly created apps - getting the pub key uploaded correctly (deleting the previous one) and starting again.
> The fact that Eclipse could create the keys was actually unknown by the instructor's of today's class.  SSH is still a nightmare for the newbie trying to use OpenShift + JBDS.
> How to reproduce:
> 1. ASSERT: make sure you have an OpenShift user without a domain (create a new user or kill your users domain)
> 2. EXEC: launch *OpenShift Application* wizard and create a new application
> Result:
> Cloning fails, since there are no ssh-keys on the local machine and no keys were added to OpenShift. The wizard did not tell the user since the domain already existed. The domain creation dialog is currently the only place that would allow a user to create a new ssh-key. If you already have a domain, you'll never get asked to create your keys.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jbosstools-issues mailing list