Page MenuHomePhabricator
Create Task
Maniphest T174112

Fatal error when SSH key data is invalid
Closed, ResolvedPublic
Actions

Description

2017-08-24T22:42:48Z [87ea4f74c68443428d5dce9b1e9f703d] striker.profile.utils ERROR: Failed to parse "Requested 257 bytes, but only 26 bytes available."
Traceback (most recent call last):
  File "./striker/profile/utils.py", line 47, in parse_ssh_key
    key.parse()
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 412, in parse
    key_data_length = self._process_key(self._decoded_key[current_position:])
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 360, in _process_key
    return self._process_ssh_rsa(data)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 275, in _process_ssh_rsa
    current_position, raw_n = self._unpack_by_int(data, current_position)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 159, in _unpack_by_int
    raise MalformedDataException("Requested %s bytes, but only %s bytes available." % (requested_data_length, remaining_data_length))
sshpubkeys.exceptions.MalformedDataException: Requested 257 bytes, but only 26 bytes available.
2017-08-24T22:42:48Z [87ea4f74c68443428d5dce9b1e9f703d] striker.profile.utils ERROR: Failed to parse "Requested 257 bytes, but only 163 bytes available."
Traceback (most recent call last):
  File "./striker/profile/utils.py", line 47, in parse_ssh_key
    key.parse()
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 412, in parse
    key_data_length = self._process_key(self._decoded_key[current_position:])
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 360, in _process_key
    return self._process_ssh_rsa(data)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 275, in _process_ssh_rsa
    current_position, raw_n = self._unpack_by_int(data, current_position)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 159, in _unpack_by_int
    raise MalformedDataException("Requested %s bytes, but only %s bytes available." % (requested_data_length, remaining_data_length))
sshpubkeys.exceptions.MalformedDataException: Requested 257 bytes, but only 163 bytes available.
2017-08-24T22:42:48Z [87ea4f74c68443428d5dce9b1e9f703d] striker.profile.utils ERROR: Failed to parse "Requested 257 bytes, but only 28 bytes available."
Traceback (most recent call last):
  File "./striker/profile/utils.py", line 47, in parse_ssh_key
    key.parse()
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 412, in parse
    key_data_length = self._process_key(self._decoded_key[current_position:])
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 360, in _process_key
    return self._process_ssh_rsa(data)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 275, in _process_ssh_rsa
    current_position, raw_n = self._unpack_by_int(data, current_position)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/sshpubkeys/__init__.py", line 159, in _unpack_by_int
    raise MalformedDataException("Requested %s bytes, but only %s bytes available." % (requested_data_length, remaining_data_length))
sshpubkeys.exceptions.MalformedDataException: Requested 257 bytes, but only 28 bytes available.
2017-08-24T22:42:48Z [87ea4f74c68443428d5dce9b1e9f703d] django.request ERROR: Internal Server Error: /profile/settings/ssh-keys
Traceback (most recent call last):
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/django/contrib/auth/decorators.py", line 22, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "./striker/profile/views.py", line 91, in ssh_keys
    initial={'key_hash': key.hash_sha256()})
AttributeError: 'NoneType' object has no attribute 'hash_sha256'

See the sshPublicKey data for uid=zppix1 in the LDAP directory for the offending key matter.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Handle invalid ssh keys in LDAPlabs/strikermaster+50 -9
Customize query in gerrit

Event Timeline

Zppix created this task.Aug 24 2017, 10:43 PM
Restricted Application added a project: User-Zppix. · View Herald TranscriptAug 24 2017, 10:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
bd808 renamed this task from Striker: 500 error when going to settings -> ssh keys to Fatal error when SSH key data is invalid.Aug 24 2017, 11:15 PM
bd808 updated the task description. (Show Details)
Zppix added a comment.Aug 24 2017, 11:18 PM

How are my ssh keys imvalid? I use them all the time.

bd808 subscribed.Aug 24 2017, 11:55 PM

There are 11 sshPublicKey attributes attached to the uid=zppix1,ou=people,dc=wikimedia,dc=org LDAP object. As shown in the stack traces above, 3 of these keys are encoded in such a way that the sshpubkeys validation library Striker uses can't parse them.

If I dump the data to a text file and validate it with ssh-keygen -l, 8 of the 11 are seen as valid keys:

$ ssh-keygen -lf zppix1-keys.txt
2048 SHA256:VTxY1tC92UDJC7t2fMBO2TGDvX0vPiQlLXaZUee6KnI support@zppixballee.com (RSA)
2048 SHA256:C32TfTNz8NqVvgC6zyFkMKfJEKpb/iN4kgvdgfYqeNI mobile@Devin-Edmisons-iPhone (RSA)
3072 SHA256:hwXYPmcvHWwPmd603PCvqTUIYv4SG93WpX6APasnsaU Bitvise (RSA)
2048 SHA256:clX5wusQxza0WjP4yfQTB2JxA/DsCAlXJtpC5kL22LA Generated By Serverauditor (RSA)
2048 SHA256:upMoPJWI1ncuK2AhwkCKdOp4jlfcTGt9Ina9+qGAxI4 Working Copy - Devin Edmison’s iPhone - 2016-12-13 22:23:19 +0000 (RSA)
4096 SHA256:0lUovElFXmiv04gp/mZBwKWkrMyaN+GuxN2vQAp11Gk Generated By Termius (RSA)
2048 SHA256:D/DyZY5pPjfgCkNcK7tvnzgMXAOpv1j7wbbLreGVW1Q DEdmisonTab@DEdmison-TabPC (RSA)
2048 SHA256:EmebuIasxgYlDQqnvE4BgmVDbUfqiLgy2k5GOHSclMs dedmison@DevinHPLaptop (RSA)

The 3 that ssh-keygen -l rejects nicely matches with the count of records that are rejected by the python validation. Two of the three contain embedded whitespace and the third seems to be truncated.

The crash is caused by the display code assuming that validation of keys will always succeed and thus attempting to dereference a None value when looking through the list. More correct behavior would be to display a warning about invalid key data and discard the key so that a user can clean their stored keys by visiting the page and saving.

gerritbot subscribed.Aug 25 2017, 1:21 AM

Change 373720 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[labs/striker@master] Handle invalid ssh keys in LDAP

https://gerrit.wikimedia.org/r/373720

gerritbot added a project: Patch-For-Review.Aug 25 2017, 1:21 AM
bd808 claimed this task.Aug 25 2017, 1:22 AM
bd808 added a project: cloud-services-team (Kanban).
Restricted Application added a project: User-bd808. · View Herald TranscriptAug 25 2017, 1:22 AM
bd808 moved this task from Backlog to Doing on the Striker board.Aug 25 2017, 1:22 AM
gerritbot added a comment.Aug 25 2017, 1:26 AM

Change 373720 merged by jenkins-bot:
[labs/striker@master] Handle invalid ssh keys in LDAP

https://gerrit.wikimedia.org/r/373720

bd808 moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Aug 25 2017, 7:23 PM
bd808 closed this task as Resolved.Aug 28 2017, 8:31 PM

The UI in Striker will now mark keys that it can't read as "invalid" and allow the user to delete them if desired.

Zppix added a comment.Aug 28 2017, 8:32 PM

@bd808 sweet thanks for fixing this so quickly!!

bd808 moved this task from Doing to Done on the cloud-services-team (Kanban) board.Aug 28 2017, 8:42 PM
Zppix moved this task from Backlog to Other on the User-Zppix board.Aug 29 2017, 10:36 PM
bd808 moved this task from Doing to Done on the Striker board.Sep 5 2017, 11:54 PM
bd808 moved this task from To Do to Done on the User-bd808 board.Jul 15 2020, 9:17 PM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptJul 15 2020, 9:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits