
Bug #8618

Unsupported key types are silently ignored in ssh key management technique

Added by Florian Heigl over 2 years ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Category:
Techniques
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Very Small
Priority:
87

Description

Hi,

I've found that the technique doesn't support ed25519 keys.
It generates a 0-byte file and does not report an error.

Could you please check why it does not report errors on such issues?
And later also support this keytype?

Associated revisions

Revision 53f3b399 (diff)
Added by Félix DALLIDET 8 months ago

Fixes #8618: Unsupported key types are silently ignored in ssh key management technique

History

#1 Updated by Alexis MOUSSET over 2 years ago

  • Target version set to 2.11.23

Reproduced, I see:

# authorized_keys file contains one line per key, in the following format:
# (optional-options\s)(<keytype>)\s(the_key=)(\soptional-comment)
# where
#   - keytype is one of ssh-rsa or ssh-dss
#   - key value ends with "=" 
#   - no spaces are allowed in options, except in double-quoted strings
#

in the technique. We are missing some key types (ecdsa, ed25519), and a correct "unknown type" reporting.

#2 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 2.11.23 to 2.11.24

#3 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 2.11.24 to 308

#4 Updated by Dmitry Svyatogorov over 2 years ago

Bug still exists in 3.2.5 "SSH keys distribution" v3.0 technique.
The validation routine filters keys against "ssh-rsa"|"ssh-dss", so each new key type is silently filtered out.

#5 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 308 to 3.1.14

#6 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.14 to 3.1.15

#7 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.15 to 3.1.16

#8 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.16 to 3.1.17

#9 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.17 to 3.1.18

#10 Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 3.1.18 to 3.1.19

#11 Updated by Benoît PECCATTE almost 2 years ago

  • Tracker changed from Bug to User story
  • Subject changed from ssh key management doesn't support ed25519 to support ed25519 in ssh key management

#12 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.19 to 3.1.20

#13 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.20 to 3.1.21

#14 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.21 to 3.1.22

#15 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.22 to 3.1.23

#16 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.23 to 3.1.24

#17 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.24 to 3.1.25

#18 Updated by Benoît PECCATTE about 1 year ago

  • Target version changed from 3.1.25 to 4.1.9

#19 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 4.1.9 to 4.1.10

#20 Updated by Benoît PECCATTE 10 months ago

  • Target version changed from 4.1.10 to Ideas (not version specific)

#21 Updated by Alexis MOUSSET 9 months ago

  • Tracker changed from User story to Bug
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings
  • Effort required set to Very Small
  • Priority set to 87

Silently ignoring a configuration policy is a bug.

#22 Updated by Alexis MOUSSET 9 months ago

  • Subject changed from support ed25519 in ssh key management to Unsupported key types are silently ignored in ssh key management technique

#23 Updated by Alexis MOUSSET 9 months ago

  • Assignee set to Félix DALLIDET

#24 Updated by Félix DALLIDET 9 months ago

  • Target version changed from Ideas (not version specific) to 4.1.11

#25 Updated by Félix DALLIDET 9 months ago

  • Status changed from New to In progress

#26 Updated by Félix DALLIDET 9 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Félix DALLIDET to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1269

#27 Updated by Félix DALLIDET 8 months ago

  • Status changed from Pending technical review to Pending release

#28 Updated by Florian Heigl 8 months ago

It would appear that the bugfix now reads the former comment field as the key type.

[2018-04-12 22:07:20+0800] N: RAHHHHHH S: [audit_noncompliant] R: RAAAAHH [RULE NAME] D: RAAAHHHHHH [Directivename] T: sshKeyDistribution/3.0 C: [SSH key] V: [ssh key for super secret team access - restricted] Wrong SSH key format "ssh key for super secret team access - restricted" for user USERNAME

GOD BLESS AUDIT MODE, although I suppose this would no longer have fried everything to 0 bytes now, right?
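Added example, not code from the technique or the Rudder project: a Python parser for authorized_keys lines that follows the format quoted in note #1 but accepts ecdsa and ed25519, rejects unknown key types with an explicit error instead of dropping the line, and fixes the field positions so a trailing comment like the one in note #28 can never be read as the key type. The key bodies and option strings in SAMPLE_LINES are constructed placeholders, not real keys.

```python
import re

# Accepted key types; the technique originally knew only ssh-rsa and ssh-dss.
SUPPORTED_KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})
KEY_BODY_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # base64; "=" padding optional

# Constructed sample lines; key bodies are placeholders, not real keys.
SAMPLE_LINES = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 alice@example",
    'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExample '
    "ssh key for super secret team access - restricted",
    "ssh-foo AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 bob@example",
)


def _split_fields(line):
    """Split on whitespace, except inside double quotes (options may quote spaces)."""
    fields, cur, quoted = [], [], False
    for ch in line.strip():
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated double quote in options")
    return fields + ["".join(cur)] if cur else fields


def parse_authorized_key(line):
    """Return (options, keytype, key, comment); None for blank or '#' lines; raise on bad input."""
    fields = _split_fields(line)
    if not fields or fields[0].startswith("#"):
        return None
    options = None
    # A first field that is not a key type is the options field; the comment is
    # always what follows the key body, so it cannot be taken for the key type.
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, fields = fields[0], fields[1:]
    if len(fields) < 2:
        raise ValueError("missing key type or key body")
    keytype, key, comment = fields[0], fields[1], " ".join(fields[2:]) or None
    if keytype not in SUPPORTED_KEY_TYPES:
        raise ValueError("unsupported key type %r" % keytype)
    if not KEY_BODY_RE.match(key):
        raise ValueError("malformed key body for %s" % keytype)
    return options, keytype, key, comment
```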

#29 Updated by Alexis MOUSSET 8 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.1.11, 4.2.5 and 4.3.0~rc3 which were released today.
