From 20edbf850c579a609200eb164e98da9d5deb6d1c Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 2 Jul 2015 14:50:20 -0400
Subject: [PATCH] assistant: Fix local pairing to not include newline in ssh pubkey, which is rejected on the other end for security reasons.
---
 Assistant/WebApp/Configurators/Pairing.hs | 3 ++-
 debian/changelog | 2 ++
 ..._4_c6d6fa60e71895b7c0c68cc75cd7c5cc._comment | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 doc/bugs/local_pair_fails_if_non-ascii_characters_present_on_annex_path/comment_4_c6d6fa60e71895b7c0c68cc75cd7c5cc._comment
diff --git a/Assistant/WebApp/Configurators/Pairing.hs b/Assistant/WebApp/Configurators/Pairing.hs
index beaf57fc11..039676ac15 100644
--- a/Assistant/WebApp/Configurators/Pairing.hs
+++ b/Assistant/WebApp/Configurators/Pairing.hs
@@ -223,11 +223,12 @@ startLocalPairing stage oncancel alert muuid displaysecret secret = do
 - background. -}
 thread <- liftAssistant $ asIO $ do
 keypair <- liftIO $ genSshKeyPair
+ let pubkey = either error id $ validateSshPubKey $ sshPubKey keypair
 pairdata <- liftIO $ PairData
 <$> getHostname
 <*> myUserName
 <*> pure reldir
- <*> pure (sshPubKey keypair)
+ <*> pure pubkey
 <*> (maybe genUUID return muuid)
 let sender = multicastPairMsg Nothing secret pairdata
 let pip = PairingInProgress secret Nothing keypair pairdata stage
diff --git a/debian/changelog b/debian/changelog
index a91b8498bc..fc8b39716e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ git-annex (5.20150618) UNRELEASED; urgency=medium
 * assistant --autostart: First any daemons that are already running, which might be left over from a previous login session and so unable to use the ssh agent of a new login session.
+ * assistant: Fix local pairing to not include newline in ssh pubkey,
+ which is rejected on the other end for security reasons.
 -- Joey Hess Thu, 02 Jul 2015 12:31:14 -0400
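Review bot: In the Pairing.hs hunk, `either error id $ validateSshPubKey $ sshPubKey keypair` turns a validation failure into a call to `error`, and since the `let` is lazy the exception is raised wherever `pubkey` is first forced, probably while the pairing message is built or sent in the background thread rather than on this line. A thread that dies that way may leave the user looking at a pairing attempt that never progresses, so consider matching on the `Either` here and reporting a `Left` through the alert/`oncancel` path; startLocalPairing begins and ends outside the hunk, so the right hook is not visible. The hunk also does not show that validateSshPubKey drops the trailing newline, so if it does, a comment such as `-- send the validated, single-line form; the peer rejects keys with control characters` would record why this value and not `sshPubKey keypair` goes into PairData. `keypair`, still holding the unvalidated key, is what is stored in `PairingInProgress`, which is worth confirming is intended.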
diff --git a/doc/bugs/local_pair_fails_if_non-ascii_characters_present_on_annex_path/comment_4_c6d6fa60e71895b7c0c68cc75cd7c5cc._comment b/doc/bugs/local_pair_fails_if_non-ascii_characters_present_on_annex_path/comment_4_c6d6fa60e71895b7c0c68cc75cd7c5cc._comment
new file mode 100644
index 0000000000..7ecbe91d08
--- /dev/null
+++ b/doc/bugs/local_pair_fails_if_non-ascii_characters_present_on_annex_path/comment_4_c6d6fa60e71895b7c0c68cc75cd7c5cc._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2015-07-02T18:32:16Z"
+ content="""
+In comment 2, we see a message containing a ssh key with a newline at the
+end. That is the control character it's objecting to, and it has good
+security reasons to not allow newlines in there (multiline ssh keys could
+result in a ~/.ssh/authorized_keys that runs arbitrary commands).
+
+I was able to reproduce that myself. The problem was that the assistant
+didn't remove newlines when sending the ssh key. Fixed it.
+
+This bug report is **closed**, for the second time.
+If you see this message using any newer version of git-annex,
+please file a new bug report.
+"""]]