smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: step ssh inspect crashes when asked about a symlink to a *.pub file #1872

Open rwv37 opened 3 weeks ago

rwv37 commented 3 weeks ago

Steps to Reproduce

Make a *.pub SSH file. Make a symlink to it. Use step ssh inspect, specifying the symlink.

Your Environment

Expected Behavior

I expected it to show information about the *.pub file.

Actual Behavior

It crashes. Stack trace:

illegal base64 data at input byte 0
error parsing ssh certificate
github.com/smallstep/cli/command/ssh.inspectAction
        github.com/smallstep/cli/command/ssh/inspect.go:92
github.com/smallstep/cli/command/ssh.init.0.inspectCommand.ActionFunc.func3
        go.step.sm/cli-utils@v0.9.0/command/command.go:37
github.com/urfave/cli.HandleAction
        github.com/urfave/cli@v1.22.14/app.go:522
github.com/urfave/cli.Command.Run
        github.com/urfave/cli@v1.22.14/command.go:175
github.com/urfave/cli.(*App).RunAsSubcommand
        github.com/urfave/cli@v1.22.14/app.go:405
github.com/urfave/cli.Command.startApp
        github.com/urfave/cli@v1.22.14/command.go:380
github.com/urfave/cli.Command.Run
        github.com/urfave/cli@v1.22.14/command.go:103
github.com/urfave/cli.(*App).Run
        github.com/urfave/cli@v1.22.14/app.go:277
main.main
        github.com/smallstep/cli/cmd/step/main.go:124
runtime.main
        runtime/proc.go:267
runtime.goexit
        runtime/asm_amd64.s:1650

Additional Context

It works fine if I specify the actual *.pub file rather than the symlink to it.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

marten-seemann commented 2 weeks ago

I was unable to reproduce this failure. Here's what I did:

ssh-keygen -f mykey # creates mykey and mykey.pub
ssh-keygen -s mykey -I 1234 mykey.pub # creates mykey-cert.pub
ln -s mykey-cert.pub mykey-cert-symlink.pub

Both step ssh inspect mykey-cert.pub and step ssh inspect mykey-cert-symlink.pub work, and generate the same output. I tried this on both macOS and on Ubuntu.

@rwv37 Can you check if it works for you with these commands? This could be a FreeBSD-specific problem, but I'd have to set up a virtual machine to debug this further, so I'd like to check this first. If it does work, can you share how you create the *.pub SSH file that leads to the crash?

hslatman commented 2 weeks ago

@marten-seemann also try this, which is doing a slightly different thing (operating on the key, instead of the cert):

$ ln -s mykey.pub mykey-symlink.pub
$ step ssh inspect mykey.pub
error decoding ssh certificate: *ssh.rsaPublicKey is not an *ssh.Certificate
exit status 1

That is expected behavior, currently. It would be nice to print SSH public key info, but that's a different issue.

@rwv37 can you verify that the contents of the .pub are the same when you read them directly and when you read them through the symlink?
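
The comparison requested above, combined with the key-versus-certificate distinction from the same comment, as an added shell example that is not part of the issue thread or of the step CLI. The function names `pub_kind` and `link_check` and the sample files are constructed for illustration; the script reports what a path contains and does not establish the cause of the reported crash.

```shell
#!/bin/sh
# Added diagnostic, not part of the step CLI.

# pub_kind FILE: print "certificate", "public-key" or "invalid" for FILE's first line.
pub_kind() {
    [ -r "$1" ] || { echo invalid; return 0; }
    ktype='' blob=''
    # Fields of an OpenSSH .pub line: key type, base64 blob, optional comment.
    IFS=' ' read -r ktype blob _comment < "$1" || true
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo invalid; return 0 ;;  # blob is not base64 text
    esac
    case $ktype in
        *-cert-v01@openssh.com) echo certificate ;;  # what step ssh inspect accepts
        ssh-*|ecdsa-*|sk-*)     echo public-key ;;   # plain key, not a certificate
        *)                      echo invalid ;;
    esac
}

# link_check PATH: print "same", "differs" or "dangling" for PATH versus its resolved target.
link_check() {
    target=$(readlink -f "$1" 2>/dev/null) || target=''
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo dangling
    elif cmp -s "$1" "$target"; then
        echo same
    else
        echo differs
    fi
}

# Constructed sample files: the blobs hold only the encoded key-type string, not real keys.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed@example' > "$demo/mykey.pub"
printf '%s\n' 'ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29t constructed@example' > "$demo/mykey-cert.pub"
ln -s mykey.pub "$demo/mykey-symlink.pub"
ln -s mykey-cert.pub "$demo/mykey-cert-symlink.pub"

# One line per path: name, kind of content, result of the symlink comparison.
for f in mykey.pub mykey-symlink.pub mykey-cert.pub mykey-cert-symlink.pub; do
    printf '%-24s %-12s %s\n' "$f" "$(pub_kind "$demo/$f")" "$(link_check "$demo/$f")"
done
```

To check a real file, call `pub_kind` and `link_check` with the path that was passed to `step ssh inspect`.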