Bug #8618
Unsupported key types are silently ignored in ssh key management technique
Status: Closed
Description
Hi,
I've found that the technique doesn't support ed25519 keys.
It generates a 0-byte file and does not report an error.
Could you please check why it does not report errors on such issues?
And could you later also support this key type?
Updated by Alexis Mousset over 8 years ago
- Target version set to 2.11.23
Reproduced, I see:
# authorized_keys file contains one line per key, in the following format:
# (optional-options\s)(<keytype>)\s(the_key=)(\soptional-comment)
# where
# - keytype is one of ssh-rsa or ssh-dss
# - key value ends with "="
# - no spaces are allowed in options, except in double-quoted strings
#
in the technique. We are missing some key types (ecdsa, ed25519), and a correct "unknown type" reporting.
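The format comment quoted above makes two assumptions that do not hold for current OpenSSH keys: the key type is not limited to ssh-rsa/ssh-dss, and the key data does not always end with "=" (an ssh-ed25519 blob is 51 bytes, which base64 encodes with no padding). The parser below is an added example, not Rudder's technique code, of how an authorized_keys line can be validated so that an unrecognised type is reported with its name instead of being dropped. The accepted type list is assumed from sshd(8); KeyFormatError, parse_authorized_key, check_lines and the sample lines are this example's own constructions, and the sample key blobs are synthetic, not real keys. Options with quoted spaces are honoured and anything after the key data is returned as a comment, never interpreted as the type.

```python
"""Validate authorized_keys lines, reporting unknown key types instead of dropping them."""
import base64
import struct

# Public key types OpenSSH accepts in authorized_keys. Assumption: compiled from
# sshd(8); the technique under discussion only listed ssh-rsa and ssh-dss.
KNOWN_KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
})


class KeyFormatError(ValueError):
    """Raised for any line that cannot be accepted; the message says why."""


def _tokenize(line):
    """Split on unquoted whitespace. Double-quoted strings inside the options
    field may contain spaces (e.g. command="ls -l"), so quotes are tracked."""
    tokens, buf, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch.isspace() and not in_quote:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise KeyFormatError("unbalanced double quote in options")
    if buf:
        tokens.append("".join(buf))
    return tokens


def _wire_type(blob):
    """An OpenSSH public key blob starts with a length-prefixed string naming
    the key type; it must agree with the type declared on the line."""
    if len(blob) < 4:
        raise KeyFormatError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise KeyFormatError("key blob truncated")
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_key(line):
    """Return {"options", "type", "key", "comment"} for a valid line, or raise
    KeyFormatError naming the problem (including the unknown type, if any)."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise KeyFormatError("empty line or comment")
    tokens = _tokenize(line)
    # Decide whether the first token is an options field. Key type names never
    # contain '=', ',' or '"', while option lists almost always do.
    if tokens[0] in KNOWN_KEY_TYPES:
        options, rest = "", tokens
    elif len(tokens) >= 3 and tokens[1] in KNOWN_KEY_TYPES:
        options, rest = tokens[0], tokens[1:]
    elif any(c in tokens[0] for c in '=,"'):
        options, rest = tokens[0], tokens[1:]
    else:
        options, rest = "", tokens
    if len(rest) < 2:
        raise KeyFormatError("missing key type or key data")
    key_type, key_b64 = rest[0], rest[1]
    comment = " ".join(rest[2:])  # trailing words are a comment, never a type
    if key_type not in KNOWN_KEY_TYPES:
        raise KeyFormatError(f"unknown key type {key_type!r}")
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise KeyFormatError(f"key data is not valid base64: {exc}") from None
    wire = _wire_type(blob)
    if wire != key_type:
        raise KeyFormatError(f"declared type {key_type!r} but blob encodes {wire!r}")
    return {"options": options, "type": key_type, "key": key_b64, "comment": comment}


def make_key_b64(key_type, *fields):
    """Build a base64 public key blob from length-prefixed strings. Used only
    to construct synthetic sample data below; these are not real keys."""
    parts = (key_type.encode(),) + fields
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in parts)).decode()


# Constructed sample lines: two valid, one with options and a comment, one
# unknown type, one whose declared type disagrees with the blob.
SAMPLE_LINES = [
    "ssh-rsa " + make_key_b64("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256) + " alice@example",
    'command="ls -l",no-pty ssh-ed25519 ' + make_key_b64("ssh-ed25519", b"\x42" * 32)
    + " ssh key for team access - restricted",
    "ssh-ed25519 " + make_key_b64("ssh-ed25519", b"\x42" * 32),
    "ssh-gost2012 " + make_key_b64("ssh-gost2012", b"\x11" * 32),
    "ssh-ed25519 " + make_key_b64("ssh-rsa", b"\x01\x00\x01", b"\x00\xab"),
]


def check_lines(lines):
    """Return (accepted, rejected); rejected pairs each bad line with its reason."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_authorized_key(line))
        except KeyFormatError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    for line, reason in check_lines(SAMPLE_LINES)[1]:
        print(f"REJECTED: {reason}: {line[:40]}...")
```

A policy agent would write the accepted entries and report the rejected list as non-compliance; rejecting a line must never leave the target file empty, which is the 0-byte outcome the original report describes.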
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 2.11.23 to 2.11.24
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 2.11.24 to 308
Updated by Dmitry Svyatogorov about 8 years ago
Bug still exists in 3.2.5 "SSH keys distribution" v3.0 technique.
The validation routine filters keys against "ssh-rsa"|"ssh-dss", so all newer key types are silently filtered out.
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 308 to 3.1.14
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.14 to 3.1.15
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.15 to 3.1.16
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.16 to 3.1.17
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.1.17 to 3.1.18
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.1.18 to 3.1.19
Updated by Benoît PECCATTE over 7 years ago
- Tracker changed from Bug to User story
- Subject changed from ssh key management doesn't support ed25519 to support ed25519 in ssh key management
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.19 to 3.1.20
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.20 to 3.1.21
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.21 to 3.1.22
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.22 to 3.1.23
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.23 to 3.1.24
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.24 to 3.1.25
Updated by Benoît PECCATTE about 7 years ago
- Target version changed from 3.1.25 to 4.1.9
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.1.9 to 4.1.10
Updated by Benoît PECCATTE almost 7 years ago
- Target version changed from 4.1.10 to Ideas (not version specific)
Updated by Alexis Mousset over 6 years ago
- Tracker changed from User story to Bug
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
- Effort required set to Very Small
- Priority set to 87
Silently ignoring a configuration policy is a bug.
Updated by Alexis Mousset over 6 years ago
- Subject changed from support ed25519 in ssh key management to Unsupported key types are silently ignored in ssh key management technique
Updated by Félix DALLIDET over 6 years ago
- Target version changed from Ideas (not version specific) to 4.1.11
Updated by Félix DALLIDET over 6 years ago
- Status changed from New to In progress
Updated by Félix DALLIDET over 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Félix DALLIDET to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1269
Updated by Félix DALLIDET over 6 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|53f3b3998577e91d4461f6487d3f0fa9df8c488e.
Updated by Florian Heigl over 6 years ago
It would appear that the bugfix now reads the former comment field as the key type.
[2018-04-12 22:07:20+0800] N: RAHHHHHH S: [audit_noncompliant] R: RAAAAHH [RULE NAME] D: RAAAHHHHHH [Directivename] T: sshKeyDistribution/3.0 C: [SSH key] V: [ssh key for super secret team access - restricted] Wrong SSH key format "ssh key for super secret team access - restricted" for user USERNAME
GOD BLESS AUDIT MODE, although I suppose this would no longer have fried everything to 0 bytes now, right?
Updated by Alexis Mousset over 6 years ago
- Status changed from Pending release to Released