only compare the relevant bits of the ssh key fingerprint

[thommay]

When comparing fingerprints, the last section is host specific - but
it's irrelevant. So we chop that bit off, and ensure that the actual
algorithm and public key still match.

[jkeiser]

Is this the case for PKCS8 keys as well?

[thommay]

yeah, both fingerprint and pkcs8sha1fingerprint are fine because they have no spaces:

irb(main):005:0> f.class
=> OpenSSL::PKey::RSA
irb(main):008:0> k = Cheffish::KeyFormatter.encode(f, format: :pkcs8sha1fingerprint)
=> "c5:49:5b:f3:aa:2c:b6:99:93:b5:3f:c5:83:ec:e6:1b:6b:59:5f:84"
irb(main):009:0> z = Cheffish::KeyFormatter.encode(f, format: :pkcs8sha1fingerprint).split[0,2].join(' ')
=> "c5:49:5b:f3:aa:2c:b6:99:93:b5:3f:c5:83:ec:e6:1b:6b:59:5f:84"
irb(main):010:0> k == z
=> true

[jkeiser]

Cool. I'm curious what problems this causes from a practical point of view?

[thommay]

Let's say I do my initial spin up on my workstation, but then decide I want an orchestrator node.
So I copy my generated ssh key on to the orchestrator, then run chef. Chef explodes because the comparison fails, because the hostname has changed. So I swear, set allow_overwrite and re-run chef. Then I swear louder because Rackspace treats ssh keys as immutable and so my only option is to delete the key from Rackspace and let chef re-upload it, which seems like a bit of a waste of time :)

[jkeiser]

Ouch! Point taken :) One sort of wonders why hosts are part of key fingerprints at all.

[jkeiser]

0.5.3 released with this in it.

[thommay]

thanks man 👍