Unsupported key types are silently ignored in ssh key management technique
I've found that the technique doesn't support ed25519 keys.
It generates a 0-byte file and does not report an error.
Could you please check why it does not report errors on such issues?
And later also support this key type?
#1 Updated by Alexis MOUSSET over 2 years ago
- Target version set to 2.11.23
Reproduced, I see:

    # authorized_keys file contains one line per key, in the following format:
    # (optional-options\s)(<keytype>)\s(the_key=)(\soptional-comment)
    # where
    # - keytype is one of ssh-rsa or ssh-dss
    # - key value ends with "="
    # - no spaces are allowed in options, except in double-quoted strings
    #

in the technique. We are missing some key types (ecdsa, ed25519), and a correct "unknown type" reporting.
#21 Updated by Alexis MOUSSET 9 months ago
- Tracker changed from User story to Bug
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
- Effort required set to Very Small
- Priority set to 87
Silently ignoring a configuration policy is a bug.
#26 Updated by Félix DALLIDET 9 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Félix DALLIDET to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1269
#27 Updated by Félix DALLIDET 8 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|53f3b3998577e91d4461f6487d3f0fa9df8c488e.
#28 Updated by Florian Heigl 8 months ago
It would appear that the bugfix now reads the former comment field as the key type.
[2018-04-12 22:07:20+0800] N: RAHHHHHH S: [audit_noncompliant] R: RAAAAHH [RULE NAME] D: RAAAHHHHHH [Directivename] T: sshKeyDistribution/3.0 C: [SSH key] V: [ssh key for super secret team access - restricted] Wrong SSH key format "ssh key for super secret team access - restricted" for user USERNAME
GOD BLESS AUDIT MODE, although I suppose this would no longer have fried everything to 0 bytes now, right?
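As an added example (not Rudder's or the technique's code) of the check comment #1 describes and of the field mix-up reported in #28: a parser for authorized_keys lines that finds the key type by position (the options field, if present, comes first and may contain quoted spaces; the type is the field right after it, never the trailing comment), accepts the types sshd knows, verifies that the base64 blob really encodes the declared type, and returns every bad line as an error instead of silently emptying the file. The technique comment quoted in #1 also assumes the key value ends with "="; base64 padding depends only on the blob length, and an ssh-ed25519 public key blob is 51 bytes, so its encoding has no "=" at all and any check that requires one rejects every ed25519 key. The key-type set, the helper names and the sample lines below are constructed for this example.

```python
import base64
import binascii

# Key types sshd accepts in authorized_keys; this set is an assumption made
# for the example (OpenSSH's current list), not the technique's own.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


class AuthorizedKeyError(ValueError):
    """A line that must be reported, never silently dropped or zeroed out."""


def _next_token(s):
    """Split the first token off s, ending at the first blank that is not
    inside a double-quoted string; inside quotes a backslash escapes the
    next character, as in sshd's options parser."""
    in_quote, i = False, 0
    while i < len(s):
        c = s[i]
        if in_quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
        elif c in " \t":
            break
        i += 1
    if in_quote:
        raise AuthorizedKeyError("unterminated double-quoted string in options")
    return s[:i], s[i:].lstrip(" \t")


def parse_authorized_key(line):
    """Parse one line of the form: [options] keytype base64 [comment].
    Returns None for blank and comment lines, a dict for a valid key, and
    raises AuthorizedKeyError for anything else."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    options = None
    token, rest = _next_token(text)
    if token not in KNOWN_KEY_TYPES:
        # The first field is not a type, so it is the options field and the
        # type must be the very next field; looking for the type anywhere
        # else (the trailing comment, say) is what misreads a line.
        options = token
        token, rest = _next_token(rest)
        if token not in KNOWN_KEY_TYPES:
            raise AuthorizedKeyError(
                f"unknown key type: neither {options!r} nor {token!r} is supported")
    key_type = token
    encoded, comment = _next_token(rest)
    if not encoded:
        raise AuthorizedKeyError(f"missing key data after {key_type}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise AuthorizedKeyError(f"key data is not valid base64: {exc}") from None
    # The blob is SSH wire format and opens with string(keytype); it must
    # agree with the declared type, which also catches truncated key data.
    n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else -1
    if n < 0 or blob[4:4 + n] != key_type.encode():
        raise AuthorizedKeyError(f"key data does not encode a {key_type} key")
    return {"options": options, "key_type": key_type,
            "key": encoded, "comment": comment or None}


def check_authorized_keys(lines):
    """Validate every line of a would-be authorized_keys file and return
    (accepted, errors), errors being (line_number, message) pairs. A caller
    must report each error and must not write an empty file when errors is
    non-empty, which is the behaviour the bug report asks for."""
    accepted, errors = [], []
    for num, line in enumerate(lines, 1):
        try:
            entry = parse_authorized_key(line)
        except AuthorizedKeyError as exc:
            errors.append((num, str(exc)))
        else:
            if entry is not None:
                accepted.append(entry)
    return accepted, errors


def _wire(*fields):
    """Constructed helper: SSH wire encoding of length-prefixed strings."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


# Constructed sample keys: the wire layout is right but the key material is
# filler, so these lines parse yet could never authenticate anyone. Note
# that the 51-byte ed25519 blob encodes with no "=" padding.
ED25519_B64 = base64.b64encode(_wire(b"ssh-ed25519", bytes(32))).decode()
RSA_B64 = base64.b64encode(_wire(b"ssh-rsa", b"\x01\x00\x01", bytes(256))).decode()

SAMPLE_LINES = [
    "# constructed sample authorized_keys input",
    f"ssh-ed25519 {ED25519_B64} ssh key for super secret team access - restricted",
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {RSA_B64} backup@host',
    f"ssh-foo {ED25519_B64} nobody@nowhere",
    "ssh-rsa not-base64!! broken@host",
    f"ssh-rsa {ED25519_B64} mismatch@host",
]
```

Running `check_authorized_keys(SAMPLE_LINES)` accepts the ed25519 line (comment intact, no "=" needed) and the rsa line with its quoted options, and returns three errors: an unknown type, non-base64 key data, and a blob that does not match its declared type. A technique built on this would report those three lines in its compliance output rather than writing nothing.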
#29 Updated by Alexis MOUSSET 8 months ago
- Status changed from Pending release to Released