Bug #8618

closed

Unsupported key types are silently ignored in ssh key management technique

Added by Florian Heigl almost 5 years ago. Updated about 3 years ago.

Status: Released
Priority: N/A
Category: Techniques
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required: Very Small
Priority: 87

Description

Hi,

I've found that the technique doesn't support ed25519 keys.
It generates a 0-byte file and does not report an error.

Could you please check why it does not report errors on such issues?
And later also support this keytype?

Actions #1

Updated by Alexis MOUSSET almost 5 years ago

  • Target version set to 2.11.23

Reproduced, I see:

# authorized_keys file contains one line per key, in the following format:
# (optional-options\s)(<keytype>)\s(the_key=)(\soptional-comment)
# where
#   - keytype is one of ssh-rsa or ssh-dss
#   - key value ends with "=" 
#   - no spaces are allowed in options, except in double-quoted strings
#

in the technique. We are missing some key types (ecdsa, ed25519), and a correct "unknown type" reporting.

Actions #2

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 2.11.23 to 2.11.24
Actions #3

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 2.11.24 to 308
Actions #4

Updated by Dmitry Svyatogorov over 4 years ago

Bug still exists in 3.2.5 "SSH keys distribution" v3.0 technique.
The validation routine filters keys against "ssh-rsa"|"ssh-dss", so every newer key type is silently filtered out.

Actions #5

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 308 to 3.1.14
Actions #6

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.14 to 3.1.15
Actions #7

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.15 to 3.1.16
Actions #8

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.16 to 3.1.17
Actions #9

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.17 to 3.1.18
Actions #10

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.1.18 to 3.1.19
Actions #11

Updated by Benoît PECCATTE about 4 years ago

  • Tracker changed from Bug to User story
  • Subject changed from ssh key management doesn't support ed25519 to support ed25519 in ssh key management
Actions #12

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.1.19 to 3.1.20
Actions #13

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 3.1.20 to 3.1.21
Actions #14

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 3.1.21 to 3.1.22
Actions #15

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 3.1.22 to 3.1.23
Actions #16

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.23 to 3.1.24
Actions #17

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.24 to 3.1.25
Actions #18

Updated by Benoît PECCATTE over 3 years ago

  • Target version changed from 3.1.25 to 4.1.9
Actions #19

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 4.1.9 to 4.1.10
Actions #20

Updated by Benoît PECCATTE over 3 years ago

  • Target version changed from 4.1.10 to Ideas (not version specific)
Actions #21

Updated by Alexis MOUSSET about 3 years ago

  • Tracker changed from User story to Bug
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings
  • Effort required set to Very Small
  • Priority set to 87

Silently ignoring a configuration policy is a bug.

Actions #22

Updated by Alexis MOUSSET about 3 years ago

  • Subject changed from support ed25519 in ssh key management to Unsupported key types are silently ignored in ssh key management technique
Actions #23

Updated by Alexis MOUSSET about 3 years ago

  • Assignee set to Félix DALLIDET
Actions #24

Updated by Félix DALLIDET about 3 years ago

  • Target version changed from Ideas (not version specific) to 4.1.11
Actions #25

Updated by Félix DALLIDET about 3 years ago

  • Status changed from New to In progress
Actions #26

Updated by Félix DALLIDET about 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Félix DALLIDET to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1269
Actions #27

Updated by Félix DALLIDET about 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #28

Updated by Florian Heigl about 3 years ago

It would appear that the bugfix now reads the former comment field as the key type.

[2018-04-12 22:07:20+0800] N: RAHHHHHH S: [audit_noncompliant] R: RAAAAHH [RULE NAME] D: RAAAHHHHHH [Directivename] T: sshKeyDistribution/3.0 C: [SSH key] V: [ssh key for super secret team access - restricted] Wrong SSH key format "ssh key for super secret team access - restricted" for user USERNAME

GOD BLESS AUDIT MODE, although I suppose this would no longer have fried everything to 0 bytes now, right?
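
The authorized_keys format quoted in note #1 and the type/comment mix-up reported in note #28 both come down to locating the key-type token reliably. The parser below is an added example, not code from the Rudder technique or the linked pull request; it assumes the current OpenSSH key-type names, double-quoted option values without escaped quotes, and constructed (unusable) key blobs for its samples. It names an unsupported type in the error instead of dropping the line, and keeps a comment such as "ssh key for super secret team access - restricted" out of the type field.

```python
import base64
import re
import struct

# Accepted key types. The technique originally knew only ssh-rsa and ssh-dss,
# so an ssh-ed25519 line was dropped and an empty file written.
KNOWN_KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# A public key blob starts with a length-prefixed type string (three zero
# bytes first), so its base64 form always begins with "AAAA".
KEY_BODY_RE = re.compile(r"AAAA[A-Za-z0-9+/]+={0,2}")

def tokenize(line):
    """Split on whitespace, keeping a double-quoted option value (which may
    contain spaces) inside one token. Assumes no escaped quotes."""
    tokens, cur, in_quote = [], "", False
    for ch in line.strip():
        if ch == '"':
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if in_quote:
        raise ValueError("unbalanced double quote in options")
    return tokens + [cur] if cur else tokens

def parse_authorized_key(line):
    """Return (options, key_type, key_body, comment); raise ValueError with
    the reason instead of silently dropping the line."""
    tokens = tokenize(line)
    # The key body is the anchor; the token before it is the type, anything
    # before that is options, anything after it is the free-form comment.
    idx = next((i for i, t in enumerate(tokens) if KEY_BODY_RE.fullmatch(t)), None)
    if idx is None or idx == 0:
        raise ValueError("no key type followed by key material found")
    key_type = tokens[idx - 1]
    if key_type not in KNOWN_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    options = " ".join(tokens[:idx - 1]) or None
    comment = " ".join(tokens[idx + 1:]) or None
    return options, key_type, tokens[idx], comment

def check_line(line):
    """('ok', key_type) or ('error', reason), suitable for a per-line report."""
    try:
        return "ok", parse_authorized_key(line)[1]
    except ValueError as exc:
        return "error", str(exc)

def fake_blob(key_type):
    """Constructed sample blob (type prefix + 32 zero bytes), not a usable key."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(raw).decode()
```

Running check_line over each line of a candidate file gives one reported reason per rejected key, which is the behaviour this ticket asked for.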

Actions #29

Updated by Alexis MOUSSET about 3 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.1.11, 4.2.5 and 4.3.0~rc3 which were released today.
