Remove paramiko for FIPS
paramiko is not approved for FIPS, but we only use it here to generate ssh keys. We can do the same with OpenSSL and cryptography. Doing this allows a FIPS enrollment on the undercloud to continue. Change-Id: Iaee1b95f1537b937591e269f9bdb22a955a854be
parent
f27786254a
commit
6d6a2fd612
|
@ -19,7 +19,7 @@ Jinja2>=2.10 # BSD License (3 clause)
|
|||
python-novaclient>=9.1.0 # Apache-2.0
|
||||
passlib>=1.7.0 # BSD
|
||||
netifaces>=0.10.4 # MIT
|
||||
paramiko>=2.7.1 # LGPLv2.1+
|
||||
cryptography>=3.4.7 # BSD/Apache-2.0
|
||||
netaddr>=0.7.18 # BSD
|
||||
python-zaqarclient>=1.0.0 # Apache-2.0
|
||||
python-keystoneclient>=3.8.0 # Apache-2.0
|
||||
|
|
1
tox.ini
1
tox.ini
|
@ -19,7 +19,6 @@ setenv =
|
|||
ANSIBLE_STDOUT_CALLBACK=debug
|
||||
PY_COLORS=1
|
||||
# pip: Avoid 2020-01-01 warnings: https://github.com/pypa/pip/issues/6207
|
||||
# paramiko CryptographyDeprecationWarning: https://github.com/ansible/ansible/issues/52598
|
||||
PYTHONWARNINGS=ignore:DEPRECATION::pip._internal.cli.base_command,ignore::UserWarning
|
||||
PIP_DISABLE_PIP_VERSION_CHECK=1
|
||||
passenv =
|
||||
|
|
|
@ -13,11 +13,13 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import base64
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
import hashlib
|
||||
import hmac
|
||||
import logging
|
||||
import os
|
||||
import paramiko
|
||||
import struct
|
||||
import time
|
||||
import uuid
|
||||
|
@ -155,11 +157,17 @@ def create_ssh_keypair(comment=None, bits=2048):
|
|||
"""Generate an ssh keypair for use on the overcloud"""
|
||||
if comment is None:
|
||||
comment = "Generated by TripleO"
|
||||
key = paramiko.RSAKey.generate(bits)
|
||||
keyout = six.StringIO()
|
||||
key.write_private_key(keyout)
|
||||
private_key = keyout.getvalue()
|
||||
public_key = '{} {} {}'.format(key.get_name(), key.get_base64(), comment)
|
||||
key = rsa.generate_private_key(public_exponent=65537,
|
||||
key_size=bits,
|
||||
backend=default_backend())
|
||||
private_key = key.private_bytes(
|
||||
serialization.Encoding.PEM,
|
||||
serialization.PrivateFormat.PKCS8,
|
||||
serialization.NoEncryption()).decode('utf-8')
|
||||
public_key = key.public_key().public_bytes(
|
||||
serialization.Encoding.OpenSSH,
|
||||
serialization.PublicFormat.OpenSSH).decode('utf-8')
|
||||
public_key = '{} {}'.format(public_key, comment)
|
||||
return {
|
||||
'private_key': private_key,
|
||||
'public_key': public_key,
|
||||
|
|
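Review bot: The private key in create_ssh_keypair is now serialized with `serialization.PrivateFormat.PKCS8`, which as far as I know changes the PEM header from the traditional `BEGIN RSA PRIVATE KEY` that paramiko's `write_private_key` produced to `BEGIN PRIVATE KEY`. Anything that later parses the stored key should be confirmed to accept PKCS8, and the one-line docstring should state the formats returned, e.g. `"""Generate an RSA ssh keypair: unencrypted PKCS8 PEM private key, OpenSSH public key plus comment."""`. Since the goal is FIPS enrollment, `bits` should also be checked before it reaches `key_size`, for example `if bits < 2048: raise ValueError('RSA key size must be at least 2048 bits')`. `comment` is still appended to the public key line unvalidated, so rejecting `\n` and `\r` in it would keep the result a single authorized_keys entry. The function body continues past the end of the hunk, so the rest of the returned dict is not visible here.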