From 2a8d46864b16ca7d061666640154e7a6d3067016 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Wed, 1 Jul 2015 04:10:48 -0700
Subject: [PATCH] AWS: Use the SSH key fingerprint, not the AWS fingerprint
This is unfortunate, because it means we have two fingerprints, although arguably the OpenSSH key fingerprint is much more common. However, the OSX Mavericks version of ssh-keygen can't compute the AWS fingerprint correctly (e.g. https://www.netmeister.org/blog/ssh2pkcs8.html) So we work on OSX Mavericks, we use the more common OpenSSH fingerprint.
---
 cluster/aws/util.sh | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index aa705c403a..a6572d2f5b 100644
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
@@ -301,11 +301,20 @@ function detect-ubuntu-image () {
 # Note that this is a different hash from the OpenSSH hash.
 # But AWS gives us this public key hash in the describe keys output, so we should stick with this format.
 # Hopefully this will be done by the aws cli tool one day: https://github.com/aws/aws-cli/issues/191
+# NOTE: This does not work on Mavericks, due to an odd ssh-keygen version, so we use get-ssh-fingerprint instead
 function get-aws-fingerprint {
 local -r pubkey_path=$1
 ssh-keygen -f ${pubkey_path} -e -m PKCS8 | openssl rsa -pubin -outform DER | openssl md5 -c | sed -e 's/(stdin)= //g'
 }
+# Computes the SSH fingerprint for a public key file ($1)
+# #1: path to public key file
+# Note this is different from the AWS fingerprint; see notes on get-aws-fingerprint
+function get-ssh-fingerprint {
+ local -r pubkey_path=$1
+ ssh-keygen -lf ${pubkey_path} | cut -f2 -d' '
+}
+
 # Import an SSH public key to AWS.
 # Ignores duplicate names; recommended to use a name that includes the public key hash.
 # $1 name
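Review bot: The second field of `ssh-keygen -lf` in the new `get-ssh-fingerprint` is not a stable value: older ssh-keygen builds print a colon-separated MD5 hash there, while releases that default to SHA256 print `SHA256:<base64>`, so the same key can produce different fingerprints on different workstations. The second hunk derives `AWS_SSH_KEY_NAME` from this value, so one key may end up imported under several names, and a base64 fingerprint can contain `/` and `+`. I would request MD5 explicitly where `-E` is supported, fall back to the plain call where it is not, strip the `MD5:` prefix, and quote `${pubkey_path}` so paths with spaces work.

```shell
function get-ssh-fingerprint {
  local -r pubkey_path=$1
  local line
  # -E md5 pins the hash on ssh-keygen versions that default to SHA256;
  # versions without -E reject the option and already print MD5.
  line=$(ssh-keygen -E md5 -lf "${pubkey_path}" 2>/dev/null) \
    || line=$(ssh-keygen -lf "${pubkey_path}") \
    || return 1
  line=${line#* }    # drop the leading key size
  line=${line%% *}   # keep only the fingerprint field
  echo "${line#MD5:}"
}
```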
@@ -660,7 +669,10 @@ function kube-up {
 ssh-keygen -f "$AWS_SSH_KEY" -N ''
 fi
- AWS_SSH_KEY_FINGERPRINT=$(get-aws-fingerprint ${AWS_SSH_KEY}.pub)
+ # Note that we use get-ssh-fingerprint, so this works on OSX Mavericks
+ # get-aws-fingerprint gives the same fingerprint that AWS computes,
+ # but OSX Mavericks ssh-keygen can't compute it
+ AWS_SSH_KEY_FINGERPRINT=$(get-ssh-fingerprint ${AWS_SSH_KEY}.pub)
 echo "Using SSH key with (AWS) fingerprint: ${AWS_SSH_KEY_FINGERPRINT}"
 AWS_SSH_KEY_NAME="kubernetes-${AWS_SSH_KEY_FINGERPRINT//:/}"
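Review bot: The `echo` right after the changed assignment still labels the value `(AWS) fingerprint`, but it now holds the OpenSSH fingerprint, which by the commit's own description differs from the one AWS reports for the imported key pair. Anyone checking the logged value against the AWS key listing would see a mismatch and could not tell whether the wrong key was uploaded. Suggest `echo "Using SSH key with (OpenSSH) fingerprint: ${AWS_SSH_KEY_FINGERPRINT}"`. The argument should also be quoted, `$(get-ssh-fingerprint "${AWS_SSH_KEY}.pub")`, since `AWS_SSH_KEY` is a file path. kube-up's body starts and ends outside the hunk.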