You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@libcloud.apache.org by Tomaz Muraus <to...@apache.org> on 2013/10/28 23:55:34 UTC
[dev] Validating format and size of a public key in the SSHKeyDeployment class
Currently we don't do any kind of ssh key validation inside
the SSHKeyDeployment class.
I think it would be useful to do the following:
1. Validate the SSH key format and make sure it's valid.
2. Validate size of the RSA keys and error out on potentially weak (<= 1024
bits) keys. This would be done to increase security consciousness and
discourage people from using weak keys.
Here is a very quick and simple prototype -
https://github.com/apache/libcloud/pull/170
Do you think something like this would be a useful addition to the core?
Re: [dev] Validating format and size of a public key in the
SSHKeyDeployment class
Posted by Tomaz Muraus <to...@apache.org>.
Yeah, I do agree that there is a fine line between what Libcloud should be
responsible for and what not.
As far as those two points go:
1. I think public key validation is not much different than any other
argument validation we do.
2. Yes, this one is debatable :)
We personally can't (and shouldn't) try to protect our users from every
potentially dangerous thing they can do, but I think that warning users
about installing potentially weak key is something we can do with a very
little effort so we probably should do it.
On Tue, Oct 29, 2013 at 3:19 AM, Jerry Chen <je...@apache.org> wrote:
>
> On Oct 28, 2013, at 5:55 PM, Tomaz Muraus <to...@apache.org> wrote:
>
> > Currently we don't do any kind of ssh key validation inside
> > the SSHKeyDeployment class.
> >
> > I think it would be useful to do the following:
> >
> > 1. Validate the SSH key format and make sure it's valid.
> > 2. Validate size of the RSA keys and error out on potentially weak (<=
> 1024
> > bits) keys. This would be done to increase security consciousness and
> > discourage people from using weak keys.
> >
> > Here is a very quick and simple prototype -
> > https://github.com/apache/libcloud/pull/170
> >
> > Do you think something like this would be a useful addition to the core?
>
> I think it'd certainly be a nice feature but Libcloud shouldn't be
> responsible for SSH validation or recommendations for weak keys, IMHO.
>
> Jerry
>
>
Re: [dev] Validating format and size of a public key in the SSHKeyDeployment class
Posted by Jerry Chen <je...@apache.org>.
On Oct 28, 2013, at 5:55 PM, Tomaz Muraus <to...@apache.org> wrote:
> Currently we don't do any kind of ssh key validation inside
> the SSHKeyDeployment class.
>
> I think it would be useful to do the following:
>
> 1. Validate the SSH key format and make sure it's valid.
> 2. Validate size of the RSA keys and error out on potentially weak (<= 1024
> bits) keys. This would be done to increase security consciousness and
> discourage people from using weak keys.
>
> Here is a very quick and simple prototype -
> https://github.com/apache/libcloud/pull/170
>
> Do you think something like this would be a useful addition to the core?
I think it'd certainly be a nice feature but Libcloud shouldn't be responsible for SSH validation or recommendations for weak keys, IMHO.
Jerry