Page MenuHomePhabricator
Differential D10401 Diff 26084 src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php

Changeset View

Standalone View

View Options

src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php

Show First 20 LinesShow All 93 Lines▼ Show 20 Linesfinal class PhabricatorAuthSSHPublicKey extends Phobject {
public function getHash() { public function getHash() {
$body = $this->getBody(); $body = $this->getBody();
$body = trim($body); $body = trim($body);
$body = rtrim($body, '='); $body = rtrim($body, '=');
return PhabricatorHash::digestForIndex($body); return PhabricatorHash::digestForIndex($body);
} }
public function getEntireKey() {
$key = $this->type.' '.$this->body;
if (strlen($this->comment)) {
$key = $key.' '.$this->comment;
}
return $key;
}
public function toPCKS8() {
// TODO: Put a cache in front of this.
$tmp = new TempFile();
Filesystem::writeFile($tmp, $this->getEntireKey());
list($pem_key) = execx(
'ssh-keygen -e -m pcks8 -f %s',
$tmp);
epriestleyAuthorUnsubmitted
Not Done
Inline Actions

The big messy issue here is that this doesn't work on OSX because ssh-keygen fails. We only need to do this on the host, so it's not a huge issue (you can still sign requests on an OSX client, and it's unlikely that anyone will want to deploy OSX host clusters too soon, so maybe this will get fixed by then). It does make testing on an OSX host a big pain, though.

My plan to partly reduce that is:

  • Put a cache in front of this.
  • Add a bin/almanac prime-ssh-key-cache <ssh-key> <pcks8-key>.
  • If you're on OSX, you run ssh-keygen -e -m pcks8 -f ... on your public key on some other server and then use the result to prime the cache and you're good for ~60 days or whatever, until the cache dies.
  • We can point at this in some kind of error message here.
  • This command also doesn't work on older versions of SSH, so it's not like 100% crazy-insane, even though it's highly ridiculous.
epriestley: The big messy issue here is that this doesn't work on OSX because `ssh-keygen` fails. We only…
btrahanUnsubmitted
Not Done
Inline Actions

I know 3ish Mac OSX developers... :D I think it would be neat if we had some command like

bin/almanac gen-and-prime-ssh-key <public-key>

this command should fatal horribly on mac osx, letting you know it won't work, and then otherwise it should kind of collapse steps 2 and 3 from above.

btrahan: I know 3ish Mac OSX developers... :D I think it would be neat if we had some command like…
btrahanUnsubmitted
Not Done
Inline Actions

well, I meant fail horribly if the server is mac osx; clients can be whatever.

btrahan: well, I meant fail horribly if the server is mac osx; clients can be whatever.
unset($tmp);
return $pem_key;
}
} }
Phabricator · Built by Phacility