public inbox for cygwin-apps@cygwin.com
* cygport upload: patch for openssh 6.8p1
@ 2015-05-24 16:32 Andrew Schulman
  2015-05-29 20:06 ` Yaakov Selkowitz
  0 siblings, 1 reply; 5+ messages in thread
From: Andrew Schulman @ 2015-05-24 16:32 UTC (permalink / raw)
  To: cygwin-apps

[-- Attachment #1: Type: text/plain, Size: 607 bytes --]

Since the latest update to openssh, ssh-keygen's output format for key
fingerprints has changed.  The default hash algorithm is now base64-encoded
SHA256 instead of MD5, and the hash name precedes its value, like

    SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc

This breaks the current logic for detecting key fingerprints in cygport's
lib/pkg_upload.cygpart.  The attached patch fixes the problem.  (You might know
a more precise regex for the base64-encoded hash value than I do.  I couldn't
find any documentation of it anywhere, and just settled for

    SHA256:.{44}

)

Andrew

[-- Attachment #2: pkg_upload_key_fingerprint.patch --]
[-- Type: application/octet-stream, Size: 672 bytes --]

--- lib/pkg_upload.cygpart	2015-03-23 02:05:43.493625000 -0400
+++ lib/pkg_upload.cygpart	2015-05-24 12:15:31.969700900 -0400
@@ -74,7 +74,7 @@
 		if ssh-add -l >/dev/null 2>/dev/null
 		then
 			# ssh-agent is already running. Get key fingerprint:
-			key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '[0-9a-f]{2}(:[0-9a-f]{2}){15}') \
+			key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '(MD5:[0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44})') \
 			|| error "Can't read key fingerprint of ${SSH_KEY}. Not a private key file, or corresponding public key file is missing?"
 
 			# Load key into ssh-agent, if it's not already loaded (prompts for passphrase):
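Review bot: the `SHA256:.{44}` branch on the `+` line has the wrong length and is too permissive. A SHA-256 digest is 32 bytes, which base64-encodes to 44 characters whose last one is `=` padding; ssh-keygen omits the padding, so the printed value is exactly 43 characters and `.{44}` pulls the separator after the hash into `key_fingerprint` (or fails to match when the hash is the last token on the line), and `.` also matches anything in the key comment. `SHA256:[A-Za-z0-9+/]{43}` is the precise form. The other branch now requires an `MD5:` label, but that label only appears in 6.8 and later; pre-6.8 `ssh-keygen -l` prints the bare hex, so this drops support for older installations unless the label is made optional: `(MD5:)?[0-9a-f]{2}(:[0-9a-f]{2}){15}`. Minor: `egrep` is a deprecated alias, `grep -E` is the portable spelling.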

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: cygport upload: patch for openssh 6.8p1
  2015-05-24 16:32 cygport upload: patch for openssh 6.8p1 Andrew Schulman
@ 2015-05-29 20:06 ` Yaakov Selkowitz
  2015-05-30 21:22   ` Andrew Schulman
  0 siblings, 1 reply; 5+ messages in thread
From: Yaakov Selkowitz @ 2015-05-29 20:06 UTC (permalink / raw)
  To: cygwin-apps

On Sun, 2015-05-24 at 12:32 -0400, Andrew Schulman wrote:
> Since the latest update to openssh, ssh-keygen's output format for key
> fingerprints has changed.  The default hash algorithm is now base64-encoded
> SHA256 instead of MD5, and the hash name precedes its value, like
> 
>     SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc
> 
> This breaks the current logic for detecting key fingerprints in cygport's
> lib/pkg_upload.cygpart.  The attached patch fixes the problem.  (You might know
> a more precise regex for the base64-encoded hash value than I do.  I couldn't
> find any documentation of it anywhere, and just settled for
> 
>     SHA256:.{44}

There's another problem: this is new to 6.8; any out-of-date Cygwin
systems, or even current RHEL or Fedora 21 systems, won't have this, nor
do they support the -E flag which could be used to specify md5.

Any thoughts on a better regex or on keeping compatibility with other
systems?

--
Yaakov




* Re: cygport upload: patch for openssh 6.8p1
  2015-05-29 20:06 ` Yaakov Selkowitz
@ 2015-05-30 21:22   ` Andrew Schulman
  2015-06-01  8:04     ` Andrew Schulman
  0 siblings, 1 reply; 5+ messages in thread
From: Andrew Schulman @ 2015-05-30 21:22 UTC (permalink / raw)
  To: cygwin-apps

[-- Attachment #1: Type: text/plain, Size: 1391 bytes --]

> On Sun, 2015-05-24 at 12:32 -0400, Andrew Schulman wrote:
> > Since the latest update to openssh, ssh-keygen's output format for key
> > fingerprints has changed.  The default hash algorithm is now base64-encoded
> > SHA256 instead of MD5, and the hash name precedes its value, like
> > 
> >     SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc
> > 
> > This breaks the current logic for detecting key fingerprints in cygport's
> > lib/pkg_upload.cygpart.  The attached patch fixes the problem.  (You might know
> > a more precise regex for the base64-encoded hash value than I do.  I couldn't
> > find any documentation of it anywhere, and just settled for
> > 
> >     SHA256:.{44}
> 
> There's another problem: this is new to 6.8; any out-of-date Cygwin
> systems, or even current RHEL or Fedora 21 systems, won't have this, nor
> do they support the -E flag which could be used to specify md5.
> 
> Any thoughts on a better regex or on keeping compatibility with other
> systems?

Right, OK.  See the attached revised patch, which uses

  [0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}

to detect the key fingerprint.  The left side is the same as now, for pre-6.8
systems, which use MD5 without a label.  The right side is for version 6.8 and
later, where the default is SHA256 with the label 'SHA256:' prepended.  So this
should cover all cases.

Andrew

[-- Attachment #2: pkg_upload_key_fingerprint.patch --]
[-- Type: application/octet-stream, Size: 666 bytes --]

--- lib/pkg_upload.cygpart	2015-03-23 02:05:43.493625000 -0400
+++ lib/pkg_upload.cygpart	2015-05-24 12:15:31.969700900 -0400
@@ -74,7 +74,7 @@
 		if ssh-add -l >/dev/null 2>/dev/null
 		then
 			# ssh-agent is already running. Get key fingerprint:
-			key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '[0-9a-f]{2}(:[0-9a-f]{2}){15}') \
+			key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '[0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}') \
 			|| error "Can't read key fingerprint of ${SSH_KEY}. Not a private key file, or corresponding public key file is missing?"
 
 			# Load key into ssh-agent, if it's not already loaded (prompts for passphrase):
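Review bot: the SHA256 branch on the `+` line still uses `.{44}`, which is one character longer than the 43-character unpadded base64 digest ssh-keygen prints, so the captured value ends with the following space and `.` accepts any character, including text from the key comment; `SHA256:[A-Za-z0-9+/]{43}` captures exactly the fingerprint (a trailing `=` in the class is harmless but never needed, since the padding is stripped). Whatever this value is later compared against must be produced with the same hash: the trailing context comment says the key is next checked for being loaded in the agent, and `ssh-add -l` on 6.8+ also defaults to SHA256, so an MD5 value from one side will never match a SHA256 value from the other. Also, the `---`/`+++` timestamps are identical to the first patch's even though the content differs; regenerate the diff so the header reflects the file actually diffed. `egrep` should be `grep -E`.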


* Re: cygport upload: patch for openssh 6.8p1
  2015-05-30 21:22   ` Andrew Schulman
@ 2015-06-01  8:04     ` Andrew Schulman
  2015-06-03  4:23       ` Yaakov Selkowitz
  0 siblings, 1 reply; 5+ messages in thread
From: Andrew Schulman @ 2015-06-01  8:04 UTC (permalink / raw)
  To: cygwin-apps

> > Any thoughts on a better regex or on keeping compatibility with other
> > systems?
> 
> Right, OK.  See the attached revised patch, which uses
> 
>   [0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}
> 
> to detect the key fingerprint.  The left side is the same as now, for pre-6.8
> systems, which use MD5 without a label.  The right side is for version 6.8 and
> later, where the default is SHA256 with the label 'SHA256:' prepended.  So this
> should cover all cases.

A more precise regex is

    [0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:[A-Za-z0-9+/=]{43}

I've committed this change to my upload branch at
https://github.com/andrex-e-schulman/cygport.git.  

Also in that branch, I've added documentation of the fact that users will need
to connect to cygwin.com at least one time by sftp before they upload, in order
to store the host public key in their known_hosts file, as explained in
https://cygwin.com/ml/cygwin-apps/2015-03/msg00193.html .

Andrew

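As an added example, not part of the thread and not cygport's own code: a POSIX shell parser for the three `ssh-keygen -l` fingerprint formats the thread describes (unlabelled MD5 hex before 6.8, `SHA256:` base64 from 6.8 on, and `MD5:` hex when a 6.8+ ssh-keygen is run with `-E md5`), placed next to the first patch's `SHA256:.{44}` pattern to show how that one misbehaves. The sample lines are constructed: the SHA256 value is the one quoted in the thread, the MD5 value is made up, and the function names are my own.

```shell
#!/bin/sh
# Added example (not cygport's code): extract the fingerprint from one line of
# `ssh-keygen -l -f key` output in the formats discussed in the thread.
#
#   pre-6.8      : "2048 16:27:ac:...:a6:48 user@host (RSA)"         bare MD5 hex
#   6.8+ default : "2048 SHA256:<43 base64 chars> user@host (RSA)"
#   6.8+ -E md5  : "2048 MD5:16:27:ac:...:a6:48 user@host (RSA)"
#
# A SHA-256 digest is 32 bytes; base64 of 32 bytes is 44 characters, the last
# of which is '=' padding, and OpenSSH prints it without the padding: 43 chars.

MD5_HEX='[0-9a-f]{2}(:[0-9a-f]{2}){15}'
SHA256_B64='SHA256:[A-Za-z0-9+/]{43}'

# Strict extraction: accepts all three formats, prints the first match only,
# returns non-zero when the line carries no fingerprint at all.
extract_fingerprint() {
    printf '%s\n' "$1" | grep -E -o "(MD5:)?${MD5_HEX}|${SHA256_B64}" | head -n 1 | grep .
}

# The first patch's pattern, kept only to show its defect: '.' also matches
# the separator after the hash, so the result carries a trailing space (and
# there is no match at all when the hash is the last token on the line).
extract_fingerprint_loose() {
    printf '%s\n' "$1" | grep -E -o 'SHA256:.{44}' | head -n 1 | grep .
}

# Name the hash behind an extracted fingerprint, so a caller can refuse MD5
# where collision resistance matters (comparing against a published value).
fingerprint_hash() {
    case "$1" in
        SHA256:*)                  echo sha256 ;;
        MD5:*|[0-9a-f][0-9a-f]:*)  echo md5 ;;
        *)                         echo unknown ;;
    esac
}

# Constructed sample lines. The SHA256 value is the one quoted in the thread;
# the MD5 value is invented for illustration.
LINE_OLD='2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 user@host (RSA)'
LINE_NEW='2048 SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc user@host (RSA)'
LINE_MD5='2048 MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 user@host (RSA)'
LINE_BAD='/home/user/.ssh/id_rsa is not a public key file.'

main() {
    for line in "$LINE_OLD" "$LINE_NEW" "$LINE_MD5" "$LINE_BAD"; do
        if fp=$(extract_fingerprint "$line"); then
            printf '%-7s %s\n' "$(fingerprint_hash "$fp")" "$fp"
        else
            printf 'no fingerprint in: %s\n' "$line"
        fi
    done
    # Show the defect of the loose pattern: note the trailing space.
    printf 'loose: [%s]\n' "$(extract_fingerprint_loose "$LINE_NEW")"
}

main
```

The optional `(MD5:)?` prefix is what keeps one expression working across the pre-6.8 and 6.8+ outputs the second message worries about, without needing `-E`. The hash name returned by `fingerprint_hash` matters for the second half of the thread: matching a key against `ssh-add -l` output is a same-machine comparison and works with either hash, but checking a server's host key against a value published out of band should be done with the SHA256 form wherever both ends support it, since an MD5 fingerprint is not collision resistant.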

* Re: cygport upload: patch for openssh 6.8p1
  2015-06-01  8:04     ` Andrew Schulman
@ 2015-06-03  4:23       ` Yaakov Selkowitz
  0 siblings, 0 replies; 5+ messages in thread
From: Yaakov Selkowitz @ 2015-06-03  4:23 UTC (permalink / raw)
  To: cygwin-apps

On Mon, 2015-06-01 at 04:04 -0400, Andrew Schulman wrote:
> A more precise regex is
> 
>     [0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:[A-Za-z0-9+/=]{43}
> 
> I've committed this change to my upload branch at
> https://github.com/andrex-e-schulman/cygport.git.  
> 
> Also in that branch, I've added documentation of the fact that users will need
> to connect to cygwin.com at least one time by sftp before they upload, in order
> to store the host public key in their known_hosts file, as explained in
> https://cygwin.com/ml/cygwin-apps/2015-03/msg00193.html .

Thanks, merged.

--
Yaakov


