Hey @marco-m - thank you for your exceptionally well-documented issue!
I can't speak for this code, as it has been here since the beginning, as you found as well, but I am guessing that maybe the output of `cmd.Run()` includes a newline by default? Either way, while I won't be able to work on this issue as I'm in a different project, I do feel like this may be something to look into for the @cyberark/community-and-integrations-team.
PS: I wonder if the trim can be changed to trim just a single line break instead, which would keep 99% of backwards compatibility and allow you to have the extra newline?
If you have some ideas on this too, feel free to put them in here and we are always happy to review PRs!

Hello,
up to now I was using summon with single-line secrets and everything was working fine.
But when I tried using multi-line secrets, I found that summon removes the last newline from a secret, sometimes making the secrets unrecognized by the program itself that created the secret! This is the case, for example, for SSH private keys.

How to reproduce
Generate an SSH key pair (we want to use it to sign SSH certificates):
Verify that the private key ends with a newline character:
Move the keys to pass (or gopass):
Verify that the output of pass (or gopass) contains the last newline:
Create a pass provider for summon:
Create a `secrets.yml` file:
Verify that the private key exported by summon lacks the last newline:
We are almost there. Generate a host key pair to be signed by the previous key:
Try to use the private key via summon to sign the host key:
Extract the same key using the pass provider and save it as a file:
The only difference is that now the `host_ca_key` also contains the newline.
Attempt to sign again, using the `host_ca_key`:

```
$ ssh-keygen -h -s host_ca_key -V "+30d" -I host-cert host-key.pub
Signed host key host-key-cert.pub: id "host-cert" serial 0 valid from 2020-11-28T18:24:00 to 2020-12-28T18:25:46
```

Note that all usages of an SSH private key are broken, not only signing a certificate as shown here but also using the key for an sshd server.

Where is the problematic code
summon/provider/provider.go
Lines 54 to 72 in 6145b9f
I went through the git history and there has always been a `strings.TrimSpace()`.

Further considerations
I think this is a tough one, because removing the trimming might break backwards compatibility.
Is there any workaround?
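The trimming behaviour discussed in this issue, as an added example that is not summon's code and not part of the original thread: it compares `strings.TrimSpace` with trimming at most one trailing line break, the idea raised in the reply. The function names `trimAll` and `trimOneLineBreak` and the sample key are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for a multi-line private key file; not a real key.
const sampleKey = "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
	"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n" +
	"-----END OPENSSH PRIVATE KEY-----\n"

// trimAll mirrors the behaviour reported in the issue: strings.TrimSpace
// removes every leading and trailing whitespace character.
func trimAll(providerOutput string) string {
	return strings.TrimSpace(providerOutput)
}

// trimOneLineBreak is a hypothetical alternative following the suggestion in
// the thread: drop at most one trailing line break ("\n" or "\r\n").
func trimOneLineBreak(providerOutput string) string {
	s := strings.TrimSuffix(providerOutput, "\n")
	if len(s) != len(providerOutput) {
		s = strings.TrimSuffix(s, "\r")
	}
	return s
}

func main() {
	// Constructed provider outputs covering the cases raised in the thread.
	outputs := []struct{ name, out string }{
		{"single-line secret via echo", "s3cret\n"},
		{"key printed as stored", sampleKey},
		{"key stored with one extra newline", sampleKey + "\n"},
	}
	for _, o := range outputs {
		fmt.Printf("%-34s TrimSpace keeps final newline: %-5v  one-break trim: %v\n",
			o.name,
			strings.HasSuffix(trimAll(o.out), "\n"),
			strings.HasSuffix(trimOneLineBreak(o.out), "\n"))
	}
}
```

With a single-break trim, a key printed exactly as stored still loses its final newline; only provider output that carries one extra line break comes through intact.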