From 56aceddc1c03f5635aff6eef14bd23f597095fb4 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Sun, 12 Jul 2020 20:03:47 +0200 Subject: [PATCH 01/23] Add "omBratteng" as contributor --- tools/.github-cla-signers | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/.github-cla-signers b/tools/.github-cla-signers index 78bce6c9821..fa3b953809d 100644 --- a/tools/.github-cla-signers +++ b/tools/.github-cla-signers @@ -8,6 +8,7 @@ landon912 lucasmoura matthewruffell nishigori +omBratteng onitake smoser TheRealFalcon From 0816a562a309d50fadb084c3f19abeb3f0ca5c4c Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Sun, 12 Jul 2020 20:18:35 +0200 Subject: [PATCH 02/23] Update the list of valid ssh keys. Update ssh_util.py with latest list of keys (from openssh-8.3p1/sshkey.c), Added keys: rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com ssh-xmss-cert-v01@openssh.com ssh-xmss@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com --- cloudinit/ssh_util.py | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index 89150acfec1..b11759e3abc 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py 
@@ -17,27 +17,36 @@
 # See: man sshd_config
 DEF_SSHD_CFG = "/etc/ssh/sshd_config"
 
-# taken from OpenSSH source openssh-7.3p1/sshkey.c:
+# taken from OpenSSH source openssh-8.3p1/sshkey.c:
 # static const struct keytype keytypes[] = { ... }
 VALID_KEY_TYPES = (
     "dsa",
-    "ecdsa",
-    "ecdsa-sha2-nistp256",
     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-    "ecdsa-sha2-nistp384",
+    "ecdsa-sha2-nistp256",
     "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-    "ecdsa-sha2-nistp521",
+    "ecdsa-sha2-nistp384",
     "ecdsa-sha2-nistp521-cert-v01@openssh.com",
+    "ecdsa-sha2-nistp521",
+    "ecdsa",
     "ed25519",
-    "rsa",
+    "rsa-sha2-256-cert-v01@openssh.com",
     "rsa-sha2-256",
+    "rsa-sha2-512-cert-v01@openssh.com",
     "rsa-sha2-512",
-    "ssh-dss",
+    "rsa",
+    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
+    "sk-ecdsa-sha2-nistp256@openssh.com",
+    "sk-ssh-ed25519-cert-v01@openssh.com",
+    "sk-ssh-ed25519@openssh.com",
     "ssh-dss-cert-v01@openssh.com",
-    "ssh-ed25519",
+    "ssh-dss",
     "ssh-ed25519-cert-v01@openssh.com",
-    "ssh-rsa",
+    "ssh-ed25519",
     "ssh-rsa-cert-v01@openssh.com",
+    "ssh-rsa",
+    "ssh-xmss-cert-v01@openssh.com",
+    "ssh-xmss@openssh.com",
+    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com",
 )
 
 _DISABLE_USER_SSH_EXIT = 142
From a0c6e0b81dc1be617c578562736eb223db401279 Mon Sep 17 00:00:00 2001
From: Ole-Martin Bratteng
Date: Wed, 15 Jul 2020 23:34:16 +0200
Subject: [PATCH 03/23] test_sshutil: Add testing for the new ssh keys
---
 tests/unittests/test_sshutil.py | 35 +++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
index d15fc60be6c..56c6913ff5b 100644
--- a/tests/unittests/test_sshutil.py
+++ b/tests/unittests/test_sshutil.py
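Review bot: The comment replaced at the top of the hunk still describes VALID_KEY_TYPES as a copy of sshkey.c's keytypes[], but this tuple is the allowlist that decides which authorized_keys entries cloud-init treats as valid, and as far as the later tests in this series show, the leading type word is the only thing checked, so a name in this list is the whole gate. Being listed also does not mean a stock sshd will accept the key: ssh-xmss is an experimental type built only with a compile-time option, and ssh-dss has been disabled by default in sshd since OpenSSH 7.0, so those entries will be written but the login still fails unless the host opts in. I would state that above the tuple, e.g. `# Key type names accepted in authorized_keys entries (allowlist used by AuthKeyLineParser);` / `# mirrors openssh-8.3p1/sshkey.c keytypes[]. Listing a type here does not mean the target sshd` / `# enables it (ssh-dss is off by default since OpenSSH 7.0; ssh-xmss needs a build-time option).`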
@@ -57,6 +57,29 @@ "LcsEuCJnobs/c6whzvjCgouaOO61kgXNtIxyF4Wkutg6xaGYgBBt/phb7a2TurI" "bcIBuzJ/mP22UyUAbNnBfStAEBmYbrTf1EfiMCYUAr1XnL0UdYmZ8HFg==" ), + + 'sk-ecdsa-sha2-nistp256@openssh.com': ( + "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHA" + "yNTYAAABBBIELQJ2DgvaX1yQlKFokfWM2suuaCFI2qp0eJodHyg6O4ifxc3XpRK" + "d1OS8dNYQtE/YjdXSrA+AOnMF5ns2Nkx4AAAAEc3NoOg==" + ), + + 'sk-ssh-ed25519@openssh.com': ( + "AAAAC3NzaC1lZDI1NTE5AAAAID6ruQ7P92Dy4nsISZB1n5hQBLQXlMDbUcwdiGz" + "orjYF" + ), + + 'ssh-xmss@openssh.com': ( + "AAAAFHNzaC14bXNzQG9wZW5zc2guY29tAAAAFVhNU1NfU0hBMi0yNTZfVzE2X0g" + "xMAAAAEDHIipAYa8ASBWebNNU4Jgr7fth9hiZFuowxb9oA/NBRLWFmV0r3unamq" + "qauYyOtdc05Iu9BPpeVg4zlu6P4P53" + ), + + 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': ( + "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEM7EmkW4s0" + "zGB4fkyvK4Ws9kn+79mJo5RH+3A/fCYKpZnPAIkIo//i6Bzx4ETkJRQUqDzZXSi" + "FX0VfrSm3oLQ0=" + ) } TEST_OPTIONS = ( @@ -70,13 +93,21 @@ class TestAuthKeyLineParser(test_helpers.CiTestCase): def test_simple_parse(self): # test key line with common 3 fields (keytype, base64, comment) parser = ssh_util.AuthKeyLineParser() - ecdsa_types = [ + + ktypes = [ + 'rsa', + 'ecdsa', + 'dsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', + 'sk-ecdsa-sha2-nistp256@openssh.com', + 'sk-ssh-ed25519@openssh.com', + 'ssh-xmss@openssh.com', + 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com' ] - for ktype in ['rsa', 'ecdsa', 'dsa'] + ecdsa_types: + for ktype in ktypes: content = VALID_CONTENT[ktype] comment = 'user-%s@host' % ktype line = ' '.join((ktype, content, comment,)) From 8b95cc8c1ac75aff91a4d6bb70f8c9527a72e9d9 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Wed, 15 Jul 2020 23:32:50 +0200 Subject: [PATCH 04/23] test_sshutil: Remove the key types that actually are signatures Thanks to @djmdjm for pointing me in the right direction. --- cloudinit/ssh_util.py | 5 ----- 1 file changed, 5 deletions(-) 
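Review bot: The new `sk-ssh-ed25519@openssh.com` fixture starts with `AAAAC3NzaC1lZDI1NTE5`, which is the length-prefixed string `ssh-ed25519`, and the `webauthn-sk-ecdsa-sha2-nistp256@openssh.com` fixture starts with `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY`, i.e. `ecdsa-sha2-nistp256`; neither blob is of the type it is labelled with, yet test_simple_parse passes, which shows the parser compares only the leading type word and never looks inside the blob. That is an acceptable parser contract, but the fixtures should then be self-consistent so they do not mislead the next reader, and the test can enforce it for the full OpenSSH type names (the `rsa`/`ecdsa`/`dsa` aliases carry no such prefix): `blob = base64.b64decode(content)` followed by `self.assertEqual(ktype.encode(), blob[4:4 + len(ktype)])`. Whether the module already imports base64 is outside this hunk.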
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index b11759e3abc..ddf181ccbfa 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -29,10 +29,6 @@
     "ecdsa-sha2-nistp521",
     "ecdsa",
     "ed25519",
-    "rsa-sha2-256-cert-v01@openssh.com",
-    "rsa-sha2-256",
-    "rsa-sha2-512-cert-v01@openssh.com",
-    "rsa-sha2-512",
     "rsa",
     "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
     "sk-ecdsa-sha2-nistp256@openssh.com",
@@ -46,7 +42,6 @@
     "ssh-rsa",
     "ssh-xmss-cert-v01@openssh.com",
     "ssh-xmss@openssh.com",
-    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com",
 )
 
 _DISABLE_USER_SSH_EXIT = 142
From b5c388129956275c96b610a0231f98b802d52ec2 Mon Sep 17 00:00:00 2001
From: Ole-Martin Bratteng
Date: Wed, 15 Jul 2020 23:32:36 +0200
Subject: [PATCH 05/23] test_sshutil: Add a public key for each valid key type
---
 tests/unittests/test_sshutil.py | 243 ++++++++++++++++++++++++++++----
 1 file changed, 219 insertions(+), 24 deletions(-)
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
index 56c6913ff5b..77c9275a730 100644
--- a/tests/unittests/test_sshutil.py
+++ b/tests/unittests/test_sshutil.py
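Review bot: The reason these four names are dropped — they are signature algorithms, not key types that can head an authorized_keys entry — exists only in the commit message, while the header comment above the tuple (outside this hunk) still says the list is taken from openssh-8.3p1/sshkey.c, so the next resync against keytypes[] will add rsa-sha2-256/512 and the webauthn entry straight back. I would record the exclusion next to the list: `# Signature-only names from keytypes[] (rsa-sha2-256, rsa-sha2-512, webauthn-sk-*) are` / `# deliberately omitted: they name signature algorithms, not authorized_keys key types.` The subject line also says test_sshutil: although the only file touched is cloudinit/ssh_util.py.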
@@ -41,45 +41,240 @@ "YWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07" "/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw==" ), + 'ed25519': ( + "AAAAC3NzaC1lZDI1NTE5AAAAIA1J77+CrJ8p6/vWCEzuylqJNMHUP/XmeYyGVWb" + "8lnDd" + ), + 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ( + "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" + "gQIfwT/+UX68/hlKsdKuaOuAVB6ftTg03SlP/uH4OBEwAAAAIbmlzdHAyNTYAAA" + "BBBEjA0gjJmPM6La3sXyfNlnjilvvGY6I2M8SvJj4o3X/46wcUbPWTaj4RF3EXw" + "HvNxplYBwdPlk2zEecvf9Cs2BMAAAAAAAAAAAAAAAEAAAAYa2V5cy9lY2RzYS1z" + "aGEyLW5pc3RwMjU2AAAAAAAAAAAAAAAA//////////8AAAAAAAAAggAAABVwZXJ" + "taXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW" + "5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtc" + "HR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAAAaAAAABNlY2RzYS1z" + "aGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRH6Y9Q1+ocQ8ETKW3LjQqtxg7" + "OuSSDacxmmQatQVaIawwjCbmntyEAqmVj3v9ElDSXnO5m7TyYMBQu4+vsh76RAA" + "AAZQAAABNlY2RzYS1zaGEyLW5pc3RwMjU2AAAASgAAACEA47Cl2MMhr+glPGuxx" + "2tM3QXkDcwdP0SxSEW5yy4XV5oAAAAhANNMm1cdVlAt3hmycQgdD82zPlg5YvVO" + "iN0SQTbgVD8i" + ), 'ecdsa-sha2-nistp256': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMy/WuXq5MF" - "r5hVQ9EEKKUTF7vUaOkgxUh6bNsCs9SFMVslIm1zM/WJYwUv52LdEePjtDYiV4A" - "l2XthJ9/bs7Pc=" + "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEjA0gjJmPM" + "6La3sXyfNlnjilvvGY6I2M8SvJj4o3X/46wcUbPWTaj4RF3EXwHvNxplYBwdPlk" + "2zEecvf9Cs2BM=" ), - 'ecdsa-sha2-nistp521': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABOdNTkh9F" - "McK4hZRLs5LTXBEXwNr0+Yg9uvJYRFcz2ZlnjYX9tM4Z3QQFjqogU4pU+zpKLqZ" - "5VE4Jcnb1T608UywBIdXkSFZT8trGJqBv9nFWGgmTX3KP8kiBbihpuv1cGwglPl" - "Hxs50A42iP0JiT7auGtEAGsu/uMql323GTGb4171Q==" + + 'ecdsa-sha2-nistp384-cert-v01@openssh.com': ( + "AAAAKGVjZHNhLXNoYTItbmlzdHAzODQtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" + "grnSvDsK1EnCZndO1IyGWcGkVgVSkPWi/XO2ybPFyLVUAAAAIbmlzdHAzODQAAA" + 
"BhBAaYSQs+8TT0Tzciy0dorwhur6yzOGUrYQ6ueUQYWbE7eNdHmhsVrlpGPgSaY" + "ByhXtAJiPOMqLU5h0eb3sCtM3ek4NvjXFTGTqPrrxJI6q0OsgrtkGE7UM9ZsfMm" + "7q6BOAAAAAAAAAAAAAAAAQAAABhrZXlzL2VjZHNhLXNoYTItbmlzdHAzODQAAAA" + "AAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZG" + "luZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pd" + "C1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1p" + "dC11c2VyLXJjAAAAAAAAAAAAAACIAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAA" + "IbmlzdHAzODQAAABhBLWbubcMzcWc7lMTCMGVXZlaVvUOHLjpr6SOOScFFrd8K9" + "Gl8nYELST5HZ1gym65m+MG6/tbrUWIY/flLWNIe+WtqxrdPPGdIhFruCwNw2peZ" + "SbQOa/o3AGnJ/vO6EKEGAAAAIQAAAATZWNkc2Etc2hhMi1uaXN0cDM4NAAAAGkA" + "AAAxAL10JHd5bvnbpD+fet/k1YE1BEIrqGXaoIIJ9ReE5H4nTK1uQJzMD7+wwGK" + "RVYqYQgAAADAiit0UCMDAUbjD+R2x4LvU3x/t8G3sdqDLRNfMRpjZpvcS8AwC+Y" + "VFVSQNn0AyzW0=" ), 'ecdsa-sha2-nistp384': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAnoqFU9Gnl" - "LcsEuCJnobs/c6whzvjCgouaOO61kgXNtIxyF4Wkutg6xaGYgBBt/phb7a2TurI" - "bcIBuzJ/mP22UyUAbNnBfStAEBmYbrTf1EfiMCYUAr1XnL0UdYmZ8HFg==" + "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAaYSQs+8TT" + "0Tzciy0dorwhur6yzOGUrYQ6ueUQYWbE7eNdHmhsVrlpGPgSaYByhXtAJiPOMqL" + "U5h0eb3sCtM3ek4NvjXFTGTqPrrxJI6q0OsgrtkGE7UM9ZsfMm7q6BOA==" + ), + 'ecdsa-sha2-nistp521-cert-v01@openssh.com': ( + "AAAAKGVjZHNhLXNoYTItbmlzdHA1MjEtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" + "gGmRzkkMvRFk1V5U3m3mQ2nfW20SJVXk1NKnT5iZGDcEAAAAIbmlzdHA1MjEAAA" + "CFBAHosAOHAI1ZkerbKYQ72S6uit1u77PCj/OalZtXgsxv0TTAZB273puG2X94C" + "Q8yyNHcby87zFZHdv5BSKyZ/cyREAAeiAcSakop9VS3+bUfZpEIqwBZXarwUjnR" + "nxprkcQ0rfCCdagkGZr/OA7DemK2D8tKLTHsKoEEWNImo6/pXDkFxAAAAAAAAAA" + "AAAAAAQAAABhrZXlzL2VjZHNhLXNoYTItbmlzdHA1MjEAAAAAAAAAAAAAAAD///" + "///////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXc" + "GVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndh" + "cmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAA" + "AAAAAAAAAAACsAAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAA" + 
"CFBAC6hFVXM1XEg/7qKkp5sLZuANGQVW88b5pPn2ZcK0td9IQstLH6BwWuZ6MPE" + "ogiDlvx9HD1BaKGBBfkxgOY8NGFzQHbjU9eTWH3gt0RATDbZsij1pSkFPnAXdU9" + "SjfogYloI2xdHaTCgWp3zgsUV+BBQ0QGGv2MqqcOmrF0f5YEJeOffAAAAKcAAAA" + "TZWNkc2Etc2hhMi1uaXN0cDUyMQAAAIwAAABCAT+vSOYPuYVTDopDW08576d5Sb" + "edXQMOu1op4CQIm98VKtAXvu5dfioi5VYAqpte8M+UxEMOMiQWJp+U9exYf6LuA" + "AAAQgEzkIpX3yKXPaPcK17mNx40ujEDitm4ARmbhAge0sFhZtf7YIgI55b6vkI8" + "JvMJkzQCBF1cpNOaIpVh1nFZNBphMQ==" + ), + 'ecdsa-sha2-nistp521': ( + "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHosAOHAI1" + "ZkerbKYQ72S6uit1u77PCj/OalZtXgsxv0TTAZB273puG2X94CQ8yyNHcby87zF" + "ZHdv5BSKyZ/cyREAAeiAcSakop9VS3+bUfZpEIqwBZXarwUjnRnxprkcQ0rfCCd" + "agkGZr/OA7DemK2D8tKLTHsKoEEWNImo6/pXDkFxA==" + ), + 'ecdsa': ( + "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAVj+efQl0Q" + "r5Y/VB1Rl8stU3HSmtjqE4tfJssTQaazESk82NPSxlkvYku+DDkjQuzDfmY1+AN" + "7Y314SrJTw+K0=" + ), + 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': ( + "AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIxzuxl4z3u" + "wAIslne8Huft+1n1IhHAlNbWZkQyyECCGAAAAIFOG6kY7Rf4UtCFvPwKgo/BztX" + "ck2xC4a2WyA34XtIwZAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zd" + "DEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAAMwAAAAtz" + "c2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQA" + "AAFMAAAALc3NoLWVkMjU1MTkAAABABGTn+Bmz86Ajk+iqKCSdP5NClsYzn4alJd" + "0V5bizhP0Kumc/HbqQfSt684J1WdSzih+EjvnTgBhK9jTBKb90AQ==" ), - 'sk-ecdsa-sha2-nistp256@openssh.com': ( "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHA" "yNTYAAABBBIELQJ2DgvaX1yQlKFokfWM2suuaCFI2qp0eJodHyg6O4ifxc3XpRK" "d1OS8dNYQtE/YjdXSrA+AOnMF5ns2Nkx4AAAAEc3NoOg==" ), - + 'sk-ssh-ed25519-cert-v01@openssh.com': ( + "AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIxzuxl4z3u" + "wAIslne8Huft+1n1IhHAlNbWZkQyyECCGAAAAIFOG6kY7Rf4UtCFvPwKgo/BztX" + "ck2xC4a2WyA34XtIwZAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zd" + "DEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAAMwAAAAtz" + 
"c2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQA" + "AAFMAAAALc3NoLWVkMjU1MTkAAABABGTn+Bmz86Ajk+iqKCSdP5NClsYzn4alJd" + "0V5bizhP0Kumc/HbqQfSt684J1WdSzih+EjvnTgBhK9jTBKb90AQ==" + ), 'sk-ssh-ed25519@openssh.com': ( - "AAAAC3NzaC1lZDI1NTE5AAAAID6ruQ7P92Dy4nsISZB1n5hQBLQXlMDbUcwdiGz" - "orjYF" + "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICFo/k5LU8863u66YC9" + "eUO2170QduohPURkQnbLa/dczAAAABHNzaDo=" + ), + 'ssh-dss-cert-v01@openssh.com': ( + "AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgdTlbNU9Hn9Qng3F" + "HxwH971bxCIoq1ern/QWFFDWXgmYAAACBAPqS600VGwdPAQC/p3f0uGyrLVql0c" + "Fn1zYd/JGvtabKnIYjLaYprje/NcjwI3CZFJiz4Dp3S8kLs+X5/1DMn/Tg1Y4D4" + "yLB+6vCtHcJF7rVBFhvw/KZwc7G54ez3khyOtsg82fzpyOc8/mq+/+C5TMKO7DD" + "jMF0k5emWKCsa3ZfAAAAFQCjA/+dKkMu4/CWjJPtfl7YNaStNQAAAIEA7uX1BVV" + "tJKjLmWrpw62+l/xSXA5rr7MHBuWjiCYV3VHBfXJaQDyRDtGuEJKDwdzqYgacpG" + "ApGWL/cuBtJ9nShsUl6GRG0Ra03g+Hx9VR5LviJBsjAVB4qVgciU1NGga0Bt2Le" + "cd1X4EGQRBzVXeuOpiqGM6jP/I2yDMs0Pboet0AAACBAOdXpyfmobEBaOqZAuvg" + "j1P0uhjG2P31Ufurv22FWPBU3A9qrkxbOXwE0LwvjCvrsQV/lrYhJz/tiys40Ve" + "ahulWZE5SAHMXGIf95LiLSgaXMjko7joot+LK84ltLymwZ4QMnYjnZSSclf1Uuy" + "QMcUtb34+I0u9Ycnyhp2mSFsQtAAAAAAAAAAYAAAACAAAABmp1bGl1cwAAABIAA" + "AAFaG9zdDEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAA" + "MwAAAAtzc2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN" + "+F7SMGQAAAFMAAAALc3NoLWVkMjU1MTkAAABAh/z1LIdNL1b66tQ8t9DY9BTB3B" + "QKpTKmc7ezyFKLwl96yaIniZwD9Ticdbe/8i/Li3uCFE3EAt8NAIv9zff8Bg==" + ), + 'ssh-dss': ( + "AAAAB3NzaC1kc3MAAACBAPqS600VGwdPAQC/p3f0uGyrLVql0cFn1zYd/JGvtab" + "KnIYjLaYprje/NcjwI3CZFJiz4Dp3S8kLs+X5/1DMn/Tg1Y4D4yLB+6vCtHcJF7" + "rVBFhvw/KZwc7G54ez3khyOtsg82fzpyOc8/mq+/+C5TMKO7DDjMF0k5emWKCsa" + "3ZfAAAAFQCjA/+dKkMu4/CWjJPtfl7YNaStNQAAAIEA7uX1BVVtJKjLmWrpw62+" + "l/xSXA5rr7MHBuWjiCYV3VHBfXJaQDyRDtGuEJKDwdzqYgacpGApGWL/cuBtJ9n" + "ShsUl6GRG0Ra03g+Hx9VR5LviJBsjAVB4qVgciU1NGga0Bt2Lecd1X4EGQRBzVX" + "euOpiqGM6jP/I2yDMs0Pboet0AAACBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31U" + 
"furv22FWPBU3A9qrkxbOXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMX" + "GIf95LiLSgaXMjko7joot+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9" + "Ycnyhp2mSFsQt" + ), + 'ssh-ed25519-cert-v01@openssh.com': ( + "AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIxzuxl4z3u" + "wAIslne8Huft+1n1IhHAlNbWZkQyyECCGAAAAIFOG6kY7Rf4UtCFvPwKgo/BztX" + "ck2xC4a2WyA34XtIwZAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zd" + "DEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAAMwAAAAtz" + "c2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQA" + "AAFMAAAALc3NoLWVkMjU1MTkAAABABGTn+Bmz86Ajk+iqKCSdP5NClsYzn4alJd" + "0V5bizhP0Kumc/HbqQfSt684J1WdSzih+EjvnTgBhK9jTBKb90AQ==" + ), + 'ssh-ed25519': ( + "AAAAC3NzaC1lZDI1NTE5AAAAIFOG6kY7Rf4UtCFvPwKgo/BztXck2xC4a2WyA34" + "XtIwZ" + ), + 'ssh-rsa-cert-v01@openssh.com': ( + "AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg98LhS2EHxLOWCLo" + "pZPwHdg/RJXusnkOqQXSc9R7aITkAAAADAQABAAAAgQDLV5lUTt7FrADseB/CGh" + "EZzpoojjEW5y8+ePvLppmK3MmMI18ud6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yM" + "rW6wb84gbq8C31Xoe9EORcIUuGSvDKdNSM1SjlhDquRblDFB8kToqXyx1lqrXec" + "XylxIUOL0jE+u0rU1967pDJx+wAAAAAAAAAFAAAAAgAAAAZqdWxpdXMAAAASAAA" + "ABWhvc3QxAAAABWhvc3QyAAAAADaMAfAAAAAATR5gcAAAAAAAAAAAAAAAAAAAAD" + "MAAAALc3NoLWVkMjU1MTkAAAAgU4bqRjtF/hS0IW8/AqCj8HO1dyTbELhrZbIDf" + "he0jBkAAABTAAAAC3NzaC1lZDI1NTE5AAAAQI3QGlUCzC07KorupxpDkkGy6tni" + "aZ8EvBflzvv+itXWNchGvfUeHmVT6aX0sRqehdz/lR+GmXRoZBhofwh0qAM=" + ), + 'ssh-rsa': ( + "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8" + "+ePvLppmK3MmMI18ud6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C3" + "1Xoe9EORcIUuGSvDKdNSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u" + "0rU1967pDJx+w==" + ), + 'ssh-xmss-cert-v01@openssh.com': ( + "AAAAHXNzaC14bXNzLWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIM2UD0IH+Igsekq" + "xjTO5f36exX4WGRMCtDGPjwfbXblxAAAAFVhNU1NfU0hBMi0yNTZfVzE2X0gxMA" + "AAAEDI83/K5JMOy0BMJgQypRdz35ApAnoQinMJ8ZMoZPaEJF8Z4rANQlfzaAXum" + "N3RDU5CGIUGGw+WJ904G/wwEq9CAAAAAAAAAAAAAAABAAAACWtleXMveG1zcwAA" + 
"AAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJ" + "kaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybW" + "l0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVyb" + "Wl0LXVzZXItcmMAAAAAAAAAAAAAAHUAAAAUc3NoLXhtc3NAb3BlbnNzaC5jb20A" + "AAAVWE1TU19TSEEyLTI1Nl9XMTZfSDEwAAAAQA+irIyT2kaOd07YWZT/QItzNBZ" + "kUYwnqZJihQ7BxuyiDP4HEFbnfYnnIZXx9Asyi7vDyZRvi+AMSOzmMSq4JnkAAA" + "ngAAAAFHNzaC14bXNzQG9wZW5zc2guY29tAAAJxAAAAAAFjaKTDc+7Hu2uFGIab" + "3NAku8HbbGtrq/uGXOxmqxu4RaLqmwofl5iXk3nMwWEhQAb99vAc9D9ZFtfxJO4" + "STYUTjbj4BxToov/uvbYfE5VeO6sMvkGglgh9YHkCTAItsG8EmGT1SIPfKYzLlN" + "jvUlbcv0PaPFMJ0wzS9mNfuRf+KUhf3dxQ6zaMrBH3KEJ8Me2kNjhnh6rNPROeI" + "N+IcStSKsydYuiySGKS/orsH38XysuK5QqLizbHJY3cqLbkW9LsIijb+pfEJh4Y" + "bOoAbraWAv9ySnWCyRhvw2x8uJ0ZM+p5WSRiZfB3JxCpOhHgiKa9TdmdjnAtnED" + "zqKOj/gM7y9mesn5ydQI0bENOGymlw0ThUGKbXMxn87Hc9dDPURUBmoO3NGjPDf" + "7meS39A1ZEGtCe/pbZU9iwxqGx4wJYvB4lutRP2tYC1pA6hjQCcHibvxl5iqj+1" + "jRjwPr8dbTm4PdETW/7JDSVQXKjxOT0kRLHLelJNeviGx5zSHR5PtnUP3nOBMme" + "hk9DwcQW9vfKeWSnu9CMnF8xvYJxoPKQwmz0TKo+YVOUnc9/Ma+Ykseof9/W+rk" + "USQGELc4x7XE5XBKYZZP2PmtxirQ3qTWFw+CeTX2Oa+jPYkzOa7jgmHJ3Fi9Xqw" + "3L844vRl97e28GmwS0M1SXH+ohES0mO4EcrGh5OLyXBaRTV5QMo+4Bg6FH/HwEn" + "gG1mdEOAqvctK2QC70c4lHGzfexqwQ2U6WUADPcd/BLOE8Noj1EiXYwZrSA1okZ" + "FYnS/b89Uo51D2FE4A33V4gcxAglGzVNtrPulkguNT9B4jjNgdIwkTBL9k3ujkG" + "og6pyYjZ0J5Jp5XPBn+y0LqrpOdZijzrc1OJbX59tTeIbDkM7Fw8As4a03hQPDU" + "FTOdyMHgLnuLhLXOcqIjvW5axZL/Kx3UET8wrSHizPoa6NErCG4v5mC2M4kBSOW" + "In1QV27QMaHkL/ZAa3mPsW5iFZtOVEGzw2BW4MZs0qOrcloCENZzOHiMBroKEkH" + "AbzX6D1FLwml2JpXq4JXlCrdIiFm4+co5ygnWPqb4QGzMlcbjW/x/A16TthNuok" + "wwlmK5ndKZ76LahyGKEwx2Nv0D+0xilEC1EldtiYRdBNlcGbU/A5EhH5bQ9KVIH" + "wjWm35pRPLl5224//nqvQKhwFCn9otsR35XHXev3IQ0or3HmQxIvSDOwir1l66z" + "FFrkyHMWexoucbTBxw1MN3hLb247lcVYJ5+hspJgyoYbfR5RkQVDzhpzskogP7l" + "K5t0bphu+f+hpvrca7DAiiIZkcR4R1UUQoRnJPRXyXOxlxwS10b51cP9p9jzvZj" + "d2LUs8yx1KXWSxNHo6WmtYONNaUfdX2OB5+QCvPULfLfFeBrqpX6Yp5wQMM5Cup" + 
"k8FEfV07eEgQkVE9nDGKHglWo3kUdOF+XCqWAnXn0b/2bNS9/SSAz6gB1GTFcN/" + "QsFGlC0QgbCJbQ7LQM6hilRWupWvN5zZ/+HJyyRHuSs5VnQnKiGbIa6AIhx7mP7" + "8T82gKjU3mHLJWMGKcT3cY8R958Gs+w4OT71VJRMw3kK6qk02WCbD5OtbFeC6ib" + "KRJKdLK3BzjVs/Fzu3mHVucVby3jpvG1Z8HKspKFhvV7gjFEPu8qHKi4MdAlif/" + "KakyPk8yZB/dMfaxh7Kv/WpJuSwWNs7RNh29e+ZG+POxqRPWiHqiVw7P17a4dN7" + "nkVOawdBEyxI4NAY+4zW+0r0bAy6zNBitBvkq3IXfr3De6Upex52sPHvK04PXoV" + "RI6gjnpPSbLLjpSpcHPKgB7DWefLfhd63BUQbc57D8zm8Jd6qtmzcSKn+wz5/zT" + "0I6v9I4a+DOjjyqpPpzzNU76pt+Y8SuBgHzMm1vcAdNWlbQrqtScvm0T9AkYni6" + "47vSh77uwRZKDtMCMSU151tVUavXhtLYLZ6/ll5NhMXkkx8//i7pk1OBjN5LHVQ" + "0QeimRmavlXU1dJ2rwsFAV+9dDdJXUNOq3VLTo9FrbOzZiWtzzjkJpVJAFREnBn" + "yIDBK5AXtXE1RzfzaBHzbI2e2kO3t+CSNLWYMFYHBDqaeICYQ9+I9aO/8hnzVSo" + "fp+8IfWO8iJhppqynUniicW2oCzrn4oczzYNEjImt8CGY7g90GxWfX+ZgXMJfy/" + "bQiFQL3dZvVypDHEbFoIGz+sxkL83xrP4MZV1V9Wwa64lDXYv01Kp4kQXmmnAZY" + "KlxBoWqYDXLeLLguSOZxDSCIDpd+YPm39wQ3wOysHW2fmsWtp6FPPlQRUYjsGIP" + "lfrkJzpoeaPKDtF1m+mOULfEh9kvTKCmKRi385T9ON39D97eWqaM4CCfUGImvdR" + "DlZLXvjmaAh5BVJ8VJxk75OkP14vWFFlTMv0/k4BYLDKsrNqCREC/G9nQBGcD2D" + "CLwC2zPNaX2Y9dnyDs2csjN1ibsYttUMnXMgBcnCOkIkVS496Bpc0jQMf35GUgb" + "PSyliwqCoXjEBP/2eyq0VLFKQ0fXGsHWvElT+Y/7RYNTiYVWttFMxN5H/2EGcgn" + "lfNHLpQvXH9u/3YminS9GX30hQ7jFhpHXxkK8gZ1mpHL9K3pfKS3lG6EF9wQ23O" + "qS8m995SG3dp3MzmywxXen/ukXx6bDiEl5VaOvdRUcbhr5Eb3exVDfdWiaJdTYF" + "WfIfJOWx88drB3J9vFwjmuaoNEOjFsoNAMYthYOxXraXaJblvmUKz6tJ3T8/G7x" + "B9QGYNBsOqBolKoKHBtsWCosLdWhEZr9VFFh2AJrOW1fx24CIkHnvfTtwYORvQq" + "Ckuq2bZS1EOdsFkU/X5gwPl6gSUTNhV3IooXkBFL3iBEbfZ6JpQHVVyIuNWjIyN" + "b2liCn9Nn0VHeNMMRLl7uyw4eKlOX2ogom8SLvihYxcJoqlCwtehpLsKsU4iwME" + "PmDteW5GBGf4GbnqPFkpIT5ed1jGhdZt/dpsp+v6QhYH1uX4pPxdkdnuc84/yb9" + "k4SQdKBJ+l3KZkfIxApNWOZqicJfz/eWwS/15hiamRKRuiiUV2zS1V+l8bV7g9O" + "gy5scPBMONxtfFlGEKikZKurFmzboCOGQKRBEUCpsY44IAp443h59pQdVIb0YAS" + "kfp2xKHwYij6ELRNdH5MrlFa3bNTskGO4k5XDR4cl/Sma2SXgBKb5XjTtlNmCQG" + "Gv6lOW7pGXNhs5wfd8K9Ukm6KeLTIlYn1iiKM37YQpa+4JQYljCYhumbqNCkPTZ" + 
"rNYClh8fQEQ8XuOCDpomMWu58YOTfbZNMDWs/Ou7RfCjX+VNwjPShDK9joMwWKc" + "Jy3QalZbaoWtcyyvXxR2sqhVR9F7Cmasq4=" ), - 'ssh-xmss@openssh.com': ( "AAAAFHNzaC14bXNzQG9wZW5zc2guY29tAAAAFVhNU1NfU0hBMi0yNTZfVzE2X0g" - "xMAAAAEDHIipAYa8ASBWebNNU4Jgr7fth9hiZFuowxb9oA/NBRLWFmV0r3unamq" - "qauYyOtdc05Iu9BPpeVg4zlu6P4P53" + "xMAAAAECqptWnK94d+Sj2xcdTu8gz+75lawZoLSZFqC5IhbYuT/Z3oBZCim6yt+" + "HAmk6MKldl3Fg+74v4sR/SII0I0Jv/" ), - - 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEM7EmkW4s0" - "zGB4fkyvK4Ws9kn+79mJo5RH+3A/fCYKpZnPAIkIo//i6Bzx4ETkJRQUqDzZXSi" - "FX0VfrSm3oLQ0=" - ) } TEST_OPTIONS = ( From 22761ba745ea91458777e21418e99bea91ac3b7b Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Wed, 15 Jul 2020 23:32:17 +0200 Subject: [PATCH 06/23] test_sshutil: Test all the valid key types in the AuthKeyLineParser --- tests/unittests/test_sshutil.py | 45 ++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 77c9275a730..09cd0c60e8b 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py 
@@ -277,6 +277,31 @@ ), } +KEY_TYPES = [ + 'dsa', + 'ecdsa', + 'rsa', + 'ed25519', + 'ecdsa-sha2-nistp256-cert-v01@openssh.com', + 'ecdsa-sha2-nistp256', + 'ecdsa-sha2-nistp384-cert-v01@openssh.com', + 'ecdsa-sha2-nistp384', + 'ecdsa-sha2-nistp521-cert-v01@openssh.com', + 'ecdsa-sha2-nistp521', + 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com', + 'sk-ecdsa-sha2-nistp256@openssh.com', + 'sk-ssh-ed25519-cert-v01@openssh.com', + 'sk-ssh-ed25519@openssh.com', + 'ssh-dss-cert-v01@openssh.com', + 'ssh-dss', + 'ssh-ed25519-cert-v01@openssh.com', + 'ssh-ed25519', + 'ssh-rsa-cert-v01@openssh.com', + 'ssh-rsa', + 'ssh-xmss-cert-v01@openssh.com', + 'ssh-xmss@openssh.com', +] + TEST_OPTIONS = ( "no-port-forwarding,no-agent-forwarding,no-X11-forwarding," 'command="echo \'Please login as the user \"ubuntu\" rather than the' @@ -288,21 +313,7 @@ class TestAuthKeyLineParser(test_helpers.CiTestCase): def test_simple_parse(self): # test key line with common 3 fields (keytype, base64, comment) parser = ssh_util.AuthKeyLineParser() - - ktypes = [ - 'rsa', - 'ecdsa', - 'dsa', - 'ecdsa-sha2-nistp256', - 'ecdsa-sha2-nistp384', - 'ecdsa-sha2-nistp521', - 'sk-ecdsa-sha2-nistp256@openssh.com', - 'sk-ssh-ed25519@openssh.com', - 'ssh-xmss@openssh.com', - 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com' - ] - - for ktype in ktypes: + for ktype in KEY_TYPES: content = VALID_CONTENT[ktype] comment = 'user-%s@host' % ktype line = ' '.join((ktype, content, comment,)) @@ -316,7 +327,7 @@ def test_simple_parse(self): def test_parse_no_comment(self): # test key line with key type and base64 only parser = ssh_util.AuthKeyLineParser() - for ktype in ['rsa', 'ecdsa', 'dsa']: + for ktype in KEY_TYPES: content = VALID_CONTENT[ktype] line = ' '.join((ktype, content,)) key = parser.parse(line) 
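Review bot: KEY_TYPES is a hand-maintained copy of ssh_util.VALID_KEY_TYPES, and the two must now be edited in lockstep — a type added to the allowlist but not here silently loses parser coverage, and a stale entry here fails with a KeyError from VALID_CONTENT rather than a clear message. Since the module already uses ssh_util, I would derive the list, `KEY_TYPES = list(ssh_util.VALID_KEY_TYPES)`, or keep the literal and pin it with `self.assertEqual(set(KEY_TYPES), set(ssh_util.VALID_KEY_TYPES))` in a small test so drift is caught. Either way a one-line comment on the list naming the constant it mirrors would help.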
@@ -330,7 +341,7 @@ def test_parse_with_keyoptions(self): # test key line with options in it parser = ssh_util.AuthKeyLineParser() options = TEST_OPTIONS - for ktype in ['rsa', 'ecdsa', 'dsa']: + for ktype in KEY_TYPES: content = VALID_CONTENT[ktype] comment = 'user-%s@host' % ktype line = ' '.join((options, ktype, content, comment,)) From 6f09bcaaa17375a2e1a678ac994224fbcd134577 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Wed, 15 Jul 2020 23:44:51 +0200 Subject: [PATCH 07/23] cc_ssh: Add a list of supported key types for the docs --- cloudinit/config/cc_ssh.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py index 228e5e0d3cf..b04129d1b75 100755 --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py @@ -35,6 +35,27 @@ no-port-forwarding,no-agent-forwarding,no-X11-forwarding +Supported public key types for the ``ssh_authorized_keys`` are: + + - ecdsa-sha2-nistp256-cert-v01@openssh.com + - ecdsa-sha2-nistp256 + - ecdsa-sha2-nistp384-cert-v01@openssh.com + - ecdsa-sha2-nistp384 + - ecdsa-sha2-nistp521-cert-v01@openssh.com + - ecdsa-sha2-nistp521 + - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com + - sk-ecdsa-sha2-nistp256@openssh.com + - sk-ssh-ed25519-cert-v01@openssh.com + - sk-ssh-ed25519@openssh.com + - ssh-dss-cert-v01@openssh.com + - ssh-dss + - ssh-ed25519-cert-v01@openssh.com + - ssh-ed25519 + - ssh-rsa-cert-v01@openssh.com + - ssh-rsa + - ssh-xmss-cert-v01@openssh.com + - ssh-xmss@openssh.com + Host Keys ^^^^^^^^^ From f77a723460f73017f65ea8550ffd6010744556b8 Mon Sep 17 00:00:00 2001 
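Review bot: The list added to the cc_ssh module docstring calls these key types "supported" without saying what that means: from the rest of this series it is the set of type names the parser will write into authorized_keys, not a promise that the target sshd accepts them — ssh-dss is disabled by default in sshd since OpenSSH 7.0 and ssh-xmss is an experimental type that needs a build-time option, so a user reading this list could expect logins that will fail. I would add one sentence after the list, e.g. `Entries of any other type are ignored. Whether a listed type can actually be used to log in depends on the sshd installed on the instance (for example, ssh-dss is disabled by default in OpenSSH 7.0 and later).` This is also the third hand-copied version of VALID_KEY_TYPES in the series, so a note pointing at cloudinit/ssh_util.py as the source of truth is worth adding.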
From: Ole-Martin Bratteng
Date: Wed, 15 Jul 2020 23:49:16 +0200
Subject: [PATCH 08/23] ssh_util: remove dsa, ecdsa, ed25519 and rsa, as they're not actually a valid entry in authorized_keys
They are just the short names used for human interactions, e.g. "ssh-keygen -t rsa" and they should never appear in public keys
---
 cloudinit/ssh_util.py | 4 ----
 tests/unittests/test_sshutil.py | 4 ----
 2 files changed, 8 deletions(-)
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index ddf181ccbfa..c69d78f8355 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -20,16 +20,12 @@
 # taken from OpenSSH source openssh-8.3p1/sshkey.c:
 # static const struct keytype keytypes[] = { ... }
 VALID_KEY_TYPES = (
-    "dsa",
     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
     "ecdsa-sha2-nistp256",
     "ecdsa-sha2-nistp384-cert-v01@openssh.com",
     "ecdsa-sha2-nistp384",
     "ecdsa-sha2-nistp521-cert-v01@openssh.com",
     "ecdsa-sha2-nistp521",
-    "ecdsa",
-    "ed25519",
-    "rsa",
     "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
     "sk-ecdsa-sha2-nistp256@openssh.com",
     "sk-ssh-ed25519-cert-v01@openssh.com",
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
index 09cd0c60e8b..0955960554b 100644
--- a/tests/unittests/test_sshutil.py
+++ b/tests/unittests/test_sshutil.py
@@ -278,10 +278,6 @@
 }
 
 KEY_TYPES = [
-    'dsa',
-    'ecdsa',
-    'rsa',
-    'ed25519',
     'ecdsa-sha2-nistp256-cert-v01@openssh.com',
     'ecdsa-sha2-nistp256',
     'ecdsa-sha2-nistp384-cert-v01@openssh.com',
From fa351e762fddf626f819cad6bc2f662372dc5811 Mon Sep 17 00:00:00 2001
From: Ole-Martin Bratteng
Date: Thu, 16 Jul 2020 00:07:03 +0200
Subject: [PATCH 09/23] test_sshutil: remove dsa, ecdsa, ed25519 and rsa, as they're not actually a valid entry in authorized_keys
---
 tests/unittests/test_sshutil.py | 61 +++++++++------------------------
 1 file changed, 16 insertions(+), 45 deletions(-)
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
index 0955960554b..50a9b3e241c 100644
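Review bot: As with the earlier trim, the reason `dsa`, `ecdsa`, `ed25519` and `rsa` leave VALID_KEY_TYPES is only in the commit message; the header comment kept as context still points at keytypes[], where, if I remember the table correctly, these aliases appear as its short names, so a future resync would put them back. I would extend the comment: `# Only full type names are listed; the short aliases in the same table (rsa, dsa, ecdsa,` / `# ed25519) are ssh-keygen -t spellings and never head an authorized_keys entry.` Because this shrinks the allowlist, it is also worth pinning in a test what update_authorized_keys (outside this hunk) does with a pre-existing line that now fails valid() — preserved verbatim or dropped — since that decides whether upgrading cloud-init can rewrite a user's file.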
--- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py @@ -16,35 +16,6 @@ VALID_CONTENT = { - 'dsa': ( - "AAAAB3NzaC1kc3MAAACBAIrjOQSlSea19bExXBMBKBvcLhBoVvNBjCppNzllipF" - "W4jgIOMcNanULRrZGjkOKat6MWJNetSbV1E6IOFDQ16rQgsh/OvYU9XhzM8seLa" - "A21VszZuhIV7/2DE3vxu7B54zVzueG1O1Deq6goQCRGWBUnqO2yluJiG4HzrnDa" - "jzRAAAAFQDMPO96qXd4F5A+5b2f2MO7SpVomQAAAIBpC3K2zIbDLqBBs1fn7rsv" - "KcJvwihdlVjG7UXsDB76P2GNqVG+IlYPpJZ8TO/B/fzTMtrdXp9pSm9OY1+BgN4" - "REsZ2WNcvfgY33aWaEM+ieCcQigvxrNAF2FTVcbUIIxAn6SmHuQSWrLSfdHc8H7" - "hsrgeUPPdzjBD/cv2ZmqwZ1AAAAIAplIsScrJut5wJMgyK1JG0Kbw9JYQpLe95P" - "obB069g8+mYR8U0fysmTEdR44mMu0VNU5E5OhTYoTGfXrVrkR134LqFM2zpVVbE" - "JNDnIqDHxTkc6LY2vu8Y2pQ3/bVnllZZOda2oD5HQ7ovygQa6CH+fbaZHbdDUX/" - "5z7u2rVAlDw==" - ), - 'ecdsa': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBITrGBB3cgJ" - "J7fPxvtMW9H3oRisNpJ3OAslxZeyP7I0A9BPAW0RQIwHVtVnM7zrp4nI+JLZov/" - "Ql7lc2leWL7CY=" - ), - 'rsa': ( - "AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5oz" - "emNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbD" - "c1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q" - "7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhT" - "YWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07" - "/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw==" - ), - 'ed25519': ( - "AAAAC3NzaC1lZDI1NTE5AAAAIA1J77+CrJ8p6/vWCEzuylqJNMHUP/XmeYyGVWb" - "8lnDd" - ), 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ( "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" "gQIfwT/+UX68/hlKsdKuaOuAVB6ftTg03SlP/uH4OBEwAAAAIbmlzdHAyNTYAAA" 
@@ -352,7 +323,7 @@ def test_parse_with_options_passed_in(self): # test key line with key type and base64 only parser = ssh_util.AuthKeyLineParser() - baseline = ' '.join(("rsa", VALID_CONTENT['rsa'], "user@host")) + baseline = ' '.join(("ssh-rsa", VALID_CONTENT['ssh-rsa'], "user@host")) myopts = "no-port-forwarding,no-agent-forwarding" key = parser.parse("allowedopt" + " " + baseline) @@ -363,7 +334,7 @@ def test_parse_with_options_passed_in(self): def test_parse_invalid_keytype(self): parser = ssh_util.AuthKeyLineParser() - key = parser.parse(' '.join(["badkeytype", VALID_CONTENT['rsa']])) + key = parser.parse(' '.join(["badkeytype", VALID_CONTENT['ssh-rsa']])) self.assertFalse(key.valid()) @@ -373,11 +344,11 @@ class TestUpdateAuthorizedKeys(test_helpers.CiTestCase): def test_new_keys_replace(self): """new entries with the same base64 should replace old.""" orig_entries = [ - ' '.join(('rsa', VALID_CONTENT['rsa'], 'orig_comment1')), - ' '.join(('dsa', VALID_CONTENT['dsa'], 'orig_comment2'))] + ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), + ' '.join(('dsa', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] new_entries = [ - ' '.join(('rsa', VALID_CONTENT['rsa'], 'new_comment1')), ] + ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), ] expected = '\n'.join([new_entries[0], orig_entries[1]]) + '\n' @@ -391,11 +362,11 @@ def test_new_keys_replace(self): def test_new_invalid_keys_are_ignored(self): """new entries that are invalid should be skipped.""" orig_entries = [ - ' '.join(('rsa', VALID_CONTENT['rsa'], 'orig_comment1')), - ' '.join(('dsa', VALID_CONTENT['dsa'], 'orig_comment2'))] + ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), + ' '.join(('dsa', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] new_entries = [ - ' '.join(('rsa', VALID_CONTENT['rsa'], 'new_comment1')), + ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), 'xxx-invalid-thing1', 'xxx-invalid-blob2' ] 
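Review bot: test_parse_invalid_keytype still rejects only a made-up name, so nothing in the suite pins the two decisions this series makes about the allowlist: that signature-algorithm names (`rsa-sha2-256`, `rsa-sha2-512`, `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`) and the short aliases (`rsa`, `dsa`, `ecdsa`, `ed25519`) are not valid entry types. A loop over those names asserting `self.assertFalse(parser.parse(' '.join([name, VALID_CONTENT['ssh-rsa']])).valid())` would make a future resync against sshkey.c that re-adds any of them fail loudly instead of silently widening what cloud-init writes into authorized_keys.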
@@ -600,10 +571,10 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam): fpw = FakePwEnt(pw_name='bobby', pw_dir='/home2/bobby') m_getpwnam.return_value = fpw authorized_keys = self.tmp_path('authorized_keys') - util.write_file(authorized_keys, VALID_CONTENT['rsa']) + util.write_file(authorized_keys, VALID_CONTENT['ssh-rsa']) user_keys = self.tmp_path('user_keys') - util.write_file(user_keys, VALID_CONTENT['dsa']) + util.write_file(user_keys, VALID_CONTENT['ssh-dss']) sshd_config = self.tmp_path('sshd_config') util.write_file( @@ -616,18 +587,18 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam): content = ssh_util.update_authorized_keys(auth_key_entries, []) self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) - self.assertTrue(VALID_CONTENT['rsa'] in content) - self.assertTrue(VALID_CONTENT['dsa'] in content) + self.assertTrue(VALID_CONTENT['ssh-rsa'] in content) + self.assertTrue(VALID_CONTENT['ssh-dss'] in content) @patch("cloudinit.ssh_util.pwd.getpwnam") def test_multiple_authorizedkeys_file_order2(self, m_getpwnam): fpw = FakePwEnt(pw_name='suzie', pw_dir='/home/suzie') m_getpwnam.return_value = fpw authorized_keys = self.tmp_path('authorized_keys') - util.write_file(authorized_keys, VALID_CONTENT['rsa']) + util.write_file(authorized_keys, VALID_CONTENT['ssh-rsa']) user_keys = self.tmp_path('user_keys') - util.write_file(user_keys, VALID_CONTENT['dsa']) + util.write_file(user_keys, VALID_CONTENT['ssh-dss']) sshd_config = self.tmp_path('sshd_config') util.write_file( @@ -641,7 +612,7 @@ def test_multiple_authorizedkeys_file_order2(self, m_getpwnam): content = ssh_util.update_authorized_keys(auth_key_entries, []) self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) - self.assertTrue(VALID_CONTENT['rsa'] in content) - self.assertTrue(VALID_CONTENT['dsa'] in content) + self.assertTrue(VALID_CONTENT['ssh-rsa'] in content) + self.assertTrue(VALID_CONTENT['ssh-dss'] in content) # vi: ts=4 expandtab 
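Review bot: The rewritten assertions in test_multiple_authorizedkeys_file_order1 and test_multiple_authorizedkeys_file_order2 keep the `assertTrue(x in content)` form, which on failure reports only that False is not true. Since these lines are being touched anyway, `self.assertIn(VALID_CONTENT['ssh-rsa'], content)` and `self.assertIn(VALID_CONTENT['ssh-dss'], content)` would report the missing blob and the file contents in the failure message. The same applies to the second and fourth hunks of this file section. Both test bodies start before their hunks.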
From e96a9b54648532a83e6f43210668e9fab350789f Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 00:41:28 +0200 Subject: [PATCH 10/23] test_sshutil: replace the rsa and dsa with ssh-rsa and ssh-dsa the places I missed it --- tests/unittests/test_sshutil.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 50a9b3e241c..919ee1162c4 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py @@ -344,11 +344,11 @@ class TestUpdateAuthorizedKeys(test_helpers.CiTestCase): def test_new_keys_replace(self): """new entries with the same base64 should replace old.""" orig_entries = [ - ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), - ' '.join(('dsa', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] + ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), + ' '.join(('ssh-dss', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] new_entries = [ - ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), ] + ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), ] expected = '\n'.join([new_entries[0], orig_entries[1]]) + '\n' @@ -362,11 +362,11 @@ def test_new_keys_replace(self): def test_new_invalid_keys_are_ignored(self): """new entries that are invalid should be skipped.""" orig_entries = [ - ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), - ' '.join(('dsa', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] + ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), + ' '.join(('ssh-dss', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] new_entries = [ - ' '.join(('rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), + ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), 'xxx-invalid-thing1', 'xxx-invalid-blob2' ] From b6be5ba42c2a21c9034ab5a9cae632e5c39207de Mon Sep 17 00:00:00 2001 
From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 17:37:18 +0200 Subject: [PATCH 11/23] This reverts commit e96a9b5, fa351e7, f77a723 Revert "test_sshutil: replace the rsa and dsa with ssh-rsa and ssh-dsa the places I missed it" Revert "test_sshutil: remove dsa, ecdsa, ed25519 and rsa, as they're not actually a valid entry in authorized_keys" Revert "ssh_util: remove dsa, ecdsa, ed25519 and rsa, as they're not actually a valid entry in authorized_keys" --- cloudinit/ssh_util.py | 4 ++ tests/unittests/test_sshutil.py | 65 +++++++++++++++++++++++++-------- 2 files changed, 53 insertions(+), 16 deletions(-) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index c69d78f8355..ddf181ccbfa 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py @@ -20,12 +20,16 @@ # taken from OpenSSH source openssh-8.3p1/sshkey.c: # static const struct keytype keytypes[] = { ... } VALID_KEY_TYPES = ( + "dsa", "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ecdsa-sha2-nistp521", + "ecdsa", + "ed25519", + "rsa", "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519-cert-v01@openssh.com", diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 919ee1162c4..09cd0c60e8b 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py 
@@ -16,6 +16,35 @@ VALID_CONTENT = { + 'dsa': ( + "AAAAB3NzaC1kc3MAAACBAIrjOQSlSea19bExXBMBKBvcLhBoVvNBjCppNzllipF" + "W4jgIOMcNanULRrZGjkOKat6MWJNetSbV1E6IOFDQ16rQgsh/OvYU9XhzM8seLa" + "A21VszZuhIV7/2DE3vxu7B54zVzueG1O1Deq6goQCRGWBUnqO2yluJiG4HzrnDa" + "jzRAAAAFQDMPO96qXd4F5A+5b2f2MO7SpVomQAAAIBpC3K2zIbDLqBBs1fn7rsv" + "KcJvwihdlVjG7UXsDB76P2GNqVG+IlYPpJZ8TO/B/fzTMtrdXp9pSm9OY1+BgN4" + "REsZ2WNcvfgY33aWaEM+ieCcQigvxrNAF2FTVcbUIIxAn6SmHuQSWrLSfdHc8H7" + "hsrgeUPPdzjBD/cv2ZmqwZ1AAAAIAplIsScrJut5wJMgyK1JG0Kbw9JYQpLe95P" + "obB069g8+mYR8U0fysmTEdR44mMu0VNU5E5OhTYoTGfXrVrkR134LqFM2zpVVbE" + "JNDnIqDHxTkc6LY2vu8Y2pQ3/bVnllZZOda2oD5HQ7ovygQa6CH+fbaZHbdDUX/" + "5z7u2rVAlDw==" + ), + 'ecdsa': ( + "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBITrGBB3cgJ" + "J7fPxvtMW9H3oRisNpJ3OAslxZeyP7I0A9BPAW0RQIwHVtVnM7zrp4nI+JLZov/" + "Ql7lc2leWL7CY=" + ), + 'rsa': ( + "AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5oz" + "emNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbD" + "c1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q" + "7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhT" + "YWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07" + "/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw==" + ), + 'ed25519': ( + "AAAAC3NzaC1lZDI1NTE5AAAAIA1J77+CrJ8p6/vWCEzuylqJNMHUP/XmeYyGVWb" + "8lnDd" + ), 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ( "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" "gQIfwT/+UX68/hlKsdKuaOuAVB6ftTg03SlP/uH4OBEwAAAAIbmlzdHAyNTYAAA" @@ -249,6 +278,10 @@ } KEY_TYPES = [ + 'dsa', + 'ecdsa', + 'rsa', + 'ed25519', 'ecdsa-sha2-nistp256-cert-v01@openssh.com', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384-cert-v01@openssh.com', 
@@ -323,7 +356,7 @@ def test_parse_with_options_passed_in(self): # test key line with key type and base64 only parser = ssh_util.AuthKeyLineParser() - baseline = ' '.join(("ssh-rsa", VALID_CONTENT['ssh-rsa'], "user@host")) + baseline = ' '.join(("rsa", VALID_CONTENT['rsa'], "user@host")) myopts = "no-port-forwarding,no-agent-forwarding" key = parser.parse("allowedopt" + " " + baseline) @@ -334,7 +367,7 @@ def test_parse_with_options_passed_in(self): def test_parse_invalid_keytype(self): parser = ssh_util.AuthKeyLineParser() - key = parser.parse(' '.join(["badkeytype", VALID_CONTENT['ssh-rsa']])) + key = parser.parse(' '.join(["badkeytype", VALID_CONTENT['rsa']])) self.assertFalse(key.valid()) @@ -344,11 +377,11 @@ class TestUpdateAuthorizedKeys(test_helpers.CiTestCase): def test_new_keys_replace(self): """new entries with the same base64 should replace old.""" orig_entries = [ - ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), - ' '.join(('ssh-dss', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] + ' '.join(('rsa', VALID_CONTENT['rsa'], 'orig_comment1')), + ' '.join(('dsa', VALID_CONTENT['dsa'], 'orig_comment2'))] new_entries = [ - ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), ] + ' '.join(('rsa', VALID_CONTENT['rsa'], 'new_comment1')), ] expected = '\n'.join([new_entries[0], orig_entries[1]]) + '\n' @@ -362,11 +395,11 @@ def test_new_keys_replace(self): def test_new_invalid_keys_are_ignored(self): """new entries that are invalid should be skipped.""" orig_entries = [ - ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'orig_comment1')), - ' '.join(('ssh-dss', VALID_CONTENT['ssh-dss'], 'orig_comment2'))] + ' '.join(('rsa', VALID_CONTENT['rsa'], 'orig_comment1')), + ' '.join(('dsa', VALID_CONTENT['dsa'], 'orig_comment2'))] new_entries = [ - ' '.join(('ssh-rsa', VALID_CONTENT['ssh-rsa'], 'new_comment1')), + ' '.join(('rsa', VALID_CONTENT['rsa'], 'new_comment1')), 'xxx-invalid-thing1', 'xxx-invalid-blob2' ] 
@@ -571,10 +604,10 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam): fpw = FakePwEnt(pw_name='bobby', pw_dir='/home2/bobby') m_getpwnam.return_value = fpw authorized_keys = self.tmp_path('authorized_keys') - util.write_file(authorized_keys, VALID_CONTENT['ssh-rsa']) + util.write_file(authorized_keys, VALID_CONTENT['rsa']) user_keys = self.tmp_path('user_keys') - util.write_file(user_keys, VALID_CONTENT['ssh-dss']) + util.write_file(user_keys, VALID_CONTENT['dsa']) sshd_config = self.tmp_path('sshd_config') util.write_file( @@ -587,18 +620,18 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam): content = ssh_util.update_authorized_keys(auth_key_entries, []) self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) - self.assertTrue(VALID_CONTENT['ssh-rsa'] in content) - self.assertTrue(VALID_CONTENT['ssh-dss'] in content) + self.assertTrue(VALID_CONTENT['rsa'] in content) + self.assertTrue(VALID_CONTENT['dsa'] in content) @patch("cloudinit.ssh_util.pwd.getpwnam") def test_multiple_authorizedkeys_file_order2(self, m_getpwnam): fpw = FakePwEnt(pw_name='suzie', pw_dir='/home/suzie') m_getpwnam.return_value = fpw authorized_keys = self.tmp_path('authorized_keys') - util.write_file(authorized_keys, VALID_CONTENT['ssh-rsa']) + util.write_file(authorized_keys, VALID_CONTENT['rsa']) user_keys = self.tmp_path('user_keys') - util.write_file(user_keys, VALID_CONTENT['ssh-dss']) + util.write_file(user_keys, VALID_CONTENT['dsa']) sshd_config = self.tmp_path('sshd_config') util.write_file( @@ -612,7 +645,7 @@ def test_multiple_authorizedkeys_file_order2(self, m_getpwnam): content = ssh_util.update_authorized_keys(auth_key_entries, []) self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) - self.assertTrue(VALID_CONTENT['ssh-rsa'] in content) - self.assertTrue(VALID_CONTENT['ssh-dss'] in content) + self.assertTrue(VALID_CONTENT['rsa'] in content) + self.assertTrue(VALID_CONTENT['dsa'] in content) # vi: ts=4 expandtab 
From 7471a22fff7a1c6eb49ac1d3eb0c46a06e29b456 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 17:46:27 +0200 Subject: [PATCH 12/23] test_sshutil: remove duplicate ecdsa --- tests/unittests/test_sshutil.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 09cd0c60e8b..56c3634d4dd 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py @@ -65,7 +65,6 @@ "6La3sXyfNlnjilvvGY6I2M8SvJj4o3X/46wcUbPWTaj4RF3EXwHvNxplYBwdPlk" "2zEecvf9Cs2BM=" ), - 'ecdsa-sha2-nistp384-cert-v01@openssh.com': ( "AAAAKGVjZHNhLXNoYTItbmlzdHAzODQtY2VydC12MDFAb3BlbnNzaC5jb20AAAA" "grnSvDsK1EnCZndO1IyGWcGkVgVSkPWi/XO2ybPFyLVUAAAAIbmlzdHAzODQAAA" @@ -113,11 +112,6 @@ "ZHdv5BSKyZ/cyREAAeiAcSakop9VS3+bUfZpEIqwBZXarwUjnRnxprkcQ0rfCCd" "agkGZr/OA7DemK2D8tKLTHsKoEEWNImo6/pXDkFxA==" ), - 'ecdsa': ( - "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAVj+efQl0Q" - "r5Y/VB1Rl8stU3HSmtjqE4tfJssTQaazESk82NPSxlkvYku+DDkjQuzDfmY1+AN" - "7Y314SrJTw+K0=" - ), 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': ( "AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIxzuxl4z3u" "wAIslne8Huft+1n1IhHAlNbWZkQyyECCGAAAAIFOG6kY7Rf4UtCFvPwKgo/BztX" From aa0643a98308ac19dfe8efeee57eff72cb4a270f Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 18:39:47 +0200 Subject: [PATCH 13/23] test_sshutil: reduce the repetition of the key types by fetching them from the valid content --- tests/unittests/test_sshutil.py | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 56c3634d4dd..54c35b8e3b3 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py 
@@ -271,30 +271,7 @@ ), } -KEY_TYPES = [ - 'dsa', - 'ecdsa', - 'rsa', - 'ed25519', - 'ecdsa-sha2-nistp256-cert-v01@openssh.com', - 'ecdsa-sha2-nistp256', - 'ecdsa-sha2-nistp384-cert-v01@openssh.com', - 'ecdsa-sha2-nistp384', - 'ecdsa-sha2-nistp521-cert-v01@openssh.com', - 'ecdsa-sha2-nistp521', - 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com', - 'sk-ecdsa-sha2-nistp256@openssh.com', - 'sk-ssh-ed25519-cert-v01@openssh.com', - 'sk-ssh-ed25519@openssh.com', - 'ssh-dss-cert-v01@openssh.com', - 'ssh-dss', - 'ssh-ed25519-cert-v01@openssh.com', - 'ssh-ed25519', - 'ssh-rsa-cert-v01@openssh.com', - 'ssh-rsa', - 'ssh-xmss-cert-v01@openssh.com', - 'ssh-xmss@openssh.com', -] +KEY_TYPES = list(VALID_CONTENT.keys()) TEST_OPTIONS = ( "no-port-forwarding,no-agent-forwarding,no-X11-forwarding," From 7c4af7c0b979f218fab758ee1676b68e5ee227bf Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 18:44:16 +0200 Subject: [PATCH 14/23] test_sshutil: add a disclaimer to not use the public keys from the tests Most of them are copied from the unit testing data for OpenSSH https://github.com/openssh/openssh-portable/tree/master/regress/unittests/sshkey/testdata --- tests/unittests/test_sshutil.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py index 54c35b8e3b3..fd1d1baca71 100644 --- a/tests/unittests/test_sshutil.py +++ b/tests/unittests/test_sshutil.py @@ -15,6 +15,9 @@ "UNSET_%s" % n for n in FakePwEnt._fields) +# Do not use these public keys, most of them are fetched from +# the testdata for OpenSSH, and their private keys are available +# https://github.com/openssh/openssh-portable/tree/master/regress/unittests/sshkey/testdata VALID_CONTENT = { 'dsa': ( "AAAAB3NzaC1kc3MAAACBAIrjOQSlSea19bExXBMBKBvcLhBoVvNBjCppNzllipF" From 40b4e687e00602769b3f685ee7dae7eba294293a Mon Sep 17 00:00:00 2001 
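Review bot: `KEY_TYPES = list(VALID_CONTENT.keys())` makes the set of key types exercised by the parser tests depend only on the test fixture, so a type added to `ssh_util.VALID_KEY_TYPES` without a matching fixture entry is silently untested, and a fixture key the parser does not accept fails somewhere inside a loop rather than at the point where the two lists diverged. A single assertion that pins the two together, `self.assertEqual(set(VALID_CONTENT), set(ssh_util.VALID_KEY_TYPES))` in one of the parser test cases, would make that relationship explicit and catch drift in either direction. As a minor point, `list(VALID_CONTENT)` is the idiomatic spelling of `list(VALID_CONTENT.keys())`.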
From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 19:13:38 +0200 Subject: [PATCH 15/23] ssh_util: inform why dsa, rsa, ecdsa and ed25519 are stil in the valid key types --- cloudinit/ssh_util.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index ddf181ccbfa..3682c6d2243 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py @@ -19,17 +19,19 @@ # taken from OpenSSH source openssh-8.3p1/sshkey.c: # static const struct keytype keytypes[] = { ... } +# dsa, rsa, ecdsa and ed25519 are added for legacy, as they are valid +# public keys in some old distros VALID_KEY_TYPES = ( "dsa", + "rsa", + "ecdsa", + "ed25519", "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ecdsa-sha2-nistp521", - "ecdsa", - "ed25519", - "rsa", "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519-cert-v01@openssh.com", From 33700fe6805dbdaacd6e3c3ffcbb55ba92ed8c7a Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 20:13:50 +0200 Subject: [PATCH 16/23] cc_ssh: add a pointer in the docs for authorized_keys where the list of supported key types come from --- cloudinit/config/cc_ssh.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py index b04129d1b75..9b2a333ae74 100755 --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py @@ -37,6 +37,10 @@ Supported public key types for the ``ssh_authorized_keys`` are: + - dsa + - rsa + - ecdsa + - ed25519 - ecdsa-sha2-nistp256-cert-v01@openssh.com - ecdsa-sha2-nistp256 - ecdsa-sha2-nistp384-cert-v01@openssh.com 
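Review bot: The new comment justifies keeping `dsa`, `rsa`, `ecdsa` and `ed25519` in `VALID_KEY_TYPES` with "valid public keys in some old distros", which gives the next maintainer nothing concrete to check when deciding whether the entries can go. Naming the OpenSSH release or distribution in which a bare short name is accepted as the first token of an authorized_keys line, or pointing at the fixture in tests/unittests/test_sshutil.py that exercises it, would make the removal condition testable, e.g. `# dsa, rsa, ecdsa and ed25519 are kept because <release/distro - TODO> accepts the short name as the key-type token; drop once that release is out of support`. The tuple continues past the hunk.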
@@ -56,6 +60,17 @@ - ssh-xmss-cert-v01@openssh.com - ssh-xmss@openssh.com +.. note:: + this list has been filtered out from the supported keytypes of + `OpenSSH`_ source, where the sigonly keys are removed. Please see + ``ssh_util`` for more information. + + ``dsa``, ``rsa``, ``ecdsa`` and ``ed25519`` are added for legacy, + as they are valid public keys in some old distros. They can possibly + be removed in the future when support for the older distros are dropped + +.. _OpenSSH: https://github.com/openssh/openssh-portable/blob/master/sshkey.c + Host Keys ^^^^^^^^^ From 143f5cfe262f0b619f843c4bf4665c7d9844fa0b Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 16 Jul 2020 20:15:50 +0200 Subject: [PATCH 17/23] ssh_util: add some information about where to get the list and how to filter it --- cloudinit/ssh_util.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index 3682c6d2243..9a07531f1ae 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py @@ -17,10 +17,17 @@ # See: man sshd_config DEF_SSHD_CFG = "/etc/ssh/sshd_config" -# taken from OpenSSH source openssh-8.3p1/sshkey.c: -# static const struct keytype keytypes[] = { ... } +# this list has been filtered out from keytypes of OpenSSH source +# openssh-8.3p1/sshkey.c: +# static const struct keytype keytypes[] = { +# filter out the keytypes with the sigonly flag, eg: +# { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, +# refer to the keytype struct of OpenSSH in the same file, to see +# if the position of the sigonly flag has been moved. +# # dsa, rsa, ecdsa and ed25519 are added for legacy, as they are valid -# public keys in some old distros +# public keys in some old distros. They can possibly be removed +# in the future when support for the older distros is dropped VALID_KEY_TYPES = ( "dsa", "rsa", From 3712844662a5b1511f7e1b7b2ff1faab227c53e9 Mon Sep 17 00:00:00 2001 
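Review bot: The added `.. note::` has a subject-verb mismatch and an undefined term: `when support for the older distros are dropped` should read `when support for the older distros is dropped`, and "sigonly keys" is OpenSSH-internal jargon that a reader of the cc_ssh documentation will not recognise. A short gloss such as `where the signature-only algorithm names (for example rsa-sha2-256, which names a signature scheme rather than a key type) are removed` keeps the list's provenance understandable without reading sshkey.c. `filtered out from` also reads better as `filtered from`.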
From: Tsang Han Wong Date: Sat, 25 Jul 2020 12:27:06 +0800 Subject: [PATCH 18/23] Added 6 more key types in function _is_printable_key() in cc_ssh_authkey_fingerprints module --- cloudinit/config/cc_ssh_authkey_fingerprints.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py index 7ac1c8cfbfe..4af8ccb688b 100755 --- a/cloudinit/config/cc_ssh_authkey_fingerprints.py +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py @@ -59,8 +59,17 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'): def _is_printable_key(entry): if any([entry.keytype, entry.base64, entry.comment, entry.options]): - if (entry.keytype and - entry.keytype.lower().strip() in ['ssh-dss', 'ssh-rsa']): + if (entry.keytype and entry.keytype.lower().strip() + in ['ssh-dss', + 'ssh-rsa', + 'ssh-ed25519', + 'ecdsa-sha2-nistp521', + 'ecdsa-sha2-nistp384', + 'ecdsa-sha2-nistp256', + 'sk-ssh-ed25519@openssh.com', + 'sk-ecdsa-sha2-nistp256@openssh.com']): + # key types from + # https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT return True return False From 5c549e52f715b8dc061eb93d35ca5631447cbbbd Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Tue, 28 Jul 2020 15:23:31 +0200 Subject: [PATCH 19/23] cc_ssh_authkey_fingerprints: fix the `` for internal name --- cloudinit/config/cc_ssh_authkey_fingerprints.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py index 4af8ccb688b..b3b7b1718fb 100755 --- a/cloudinit/config/cc_ssh_authkey_fingerprints.py +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py 
@@ -13,7 +13,7 @@ default, but can be disabled using ``no_ssh_fingerprints``. The hash type for the keys can be specified, but defaults to ``sha256``. -**Internal name:** `` cc_ssh_authkey_fingerprints`` +**Internal name:** ``cc_ssh_authkey_fingerprints`` **Module frequency:** per instance From f2026f72238956ced6be2783daaf5dcc160705d1 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Tue, 28 Jul 2020 15:24:30 +0200 Subject: [PATCH 20/23] cc_ssh_authkey_fingerprints: add all the supported ssh key types. Also includes the legacy dsa, rsa, ecdsa and ed25519 --- .../config/cc_ssh_authkey_fingerprints.py | 26 ++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py index b3b7b1718fb..579e19bdc87 100755 --- a/cloudinit/config/cc_ssh_authkey_fingerprints.py +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py 
@@ -60,14 +60,28 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'): def _is_printable_key(entry): if any([entry.keytype, entry.base64, entry.comment, entry.options]): if (entry.keytype and entry.keytype.lower().strip() - in ['ssh-dss', - 'ssh-rsa', - 'ssh-ed25519', - 'ecdsa-sha2-nistp521', - 'ecdsa-sha2-nistp384', + in ['dsa', + 'rsa', + 'ecdsa', + 'ed25519', + 'ecdsa-sha2-nistp256-cert-v01@openssh.com', 'ecdsa-sha2-nistp256', + 'ecdsa-sha2-nistp384-cert-v01@openssh.com', + 'ecdsa-sha2-nistp384', + 'ecdsa-sha2-nistp521-cert-v01@openssh.com', + 'ecdsa-sha2-nistp521', + 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com', + 'sk-ecdsa-sha2-nistp256@openssh.com', + 'sk-ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', - 'sk-ecdsa-sha2-nistp256@openssh.com']): + 'ssh-dss-cert-v01@openssh.com', + 'ssh-dss', + 'ssh-ed25519-cert-v01@openssh.com', + 'ssh-ed25519', + 'ssh-rsa-cert-v01@openssh.com', + 'ssh-rsa', + 'ssh-xmss-cert-v01@openssh.com', + 'ssh-xmss@openssh.com']): # key types from # https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT return True From 9c6e558ee0232a7aab9d9fa915a96aa18aeef23d Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Tue, 28 Jul 2020 15:25:55 +0200 Subject: [PATCH 21/23] ssh_util: add a pointer to update the `_is_printable_key` list --- cloudinit/ssh_util.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index 9a07531f1ae..c08042d6ff0 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py @@ -28,6 +28,9 @@ # dsa, rsa, ecdsa and ed25519 are added for legacy, as they are valid # public keys in some old distros. They can possibly be removed # in the future when support for the older distros is dropped +# +# When updating the list, also update the _is_printable_key list in +# cloudinit/config/cc_ssh_authkey_fingerprints.py VALID_KEY_TYPES = ( "dsa", "rsa", From 5bd5b3c138336c4943490cfe606e104421dde843 Mon Sep 17 00:00:00 2001 
From: Ole-Martin Bratteng Date: Tue, 28 Jul 2020 15:36:09 +0200 Subject: [PATCH 22/23] cc_ssh_authkey_fingerprints: add a pointer to update the `VALID_KEY_TYPES` when updating `_is_printable_key` --- cloudinit/config/cc_ssh_authkey_fingerprints.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py index 579e19bdc87..68ca9d42398 100755 --- a/cloudinit/config/cc_ssh_authkey_fingerprints.py +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py @@ -57,6 +57,8 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'): return '?' +# When updating the list, also update the VALID_KEY_TYPES list in +# cloudinit/ssh_util.py def _is_printable_key(entry): if any([entry.keytype, entry.base64, entry.comment, entry.options]): if (entry.keytype and entry.keytype.lower().strip() From 83faf9fabf05cfd46530b88f2e9fc2aa498ea553 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng Date: Thu, 13 Aug 2020 20:03:49 +0200 Subject: [PATCH 23/23] cc_ssh_authkey_fingerprints: import the `VALID_KEY_TYPES` from `ssh_utl` to reduce duplicate lists --- .../config/cc_ssh_authkey_fingerprints.py | 27 +------------------ 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py index 68ca9d42398..05d30ad1a9c 100755 --- a/cloudinit/config/cc_ssh_authkey_fingerprints.py +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py 
@@ -57,35 +57,10 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'): return '?' -# When updating the list, also update the VALID_KEY_TYPES list in -# cloudinit/ssh_util.py def _is_printable_key(entry): if any([entry.keytype, entry.base64, entry.comment, entry.options]): if (entry.keytype and entry.keytype.lower().strip() - in ['dsa', - 'rsa', - 'ecdsa', - 'ed25519', - 'ecdsa-sha2-nistp256-cert-v01@openssh.com', - 'ecdsa-sha2-nistp256', - 'ecdsa-sha2-nistp384-cert-v01@openssh.com', - 'ecdsa-sha2-nistp384', - 'ecdsa-sha2-nistp521-cert-v01@openssh.com', - 'ecdsa-sha2-nistp521', - 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com', - 'sk-ecdsa-sha2-nistp256@openssh.com', - 'sk-ssh-ed25519-cert-v01@openssh.com', - 'sk-ssh-ed25519@openssh.com', - 'ssh-dss-cert-v01@openssh.com', - 'ssh-dss', - 'ssh-ed25519-cert-v01@openssh.com', - 'ssh-ed25519', - 'ssh-rsa-cert-v01@openssh.com', - 'ssh-rsa', - 'ssh-xmss-cert-v01@openssh.com', - 'ssh-xmss@openssh.com']): - # key types from - # https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT + in ssh_util.VALID_KEY_TYPES): return True return False
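Review bot: With `_is_printable_key` now reading `ssh_util.VALID_KEY_TYPES`, the reciprocal comment added to cloudinit/ssh_util.py earlier in this series (`# When updating the list, also update the _is_printable_key list in cloudinit/config/cc_ssh_authkey_fingerprints.py`) is stale, and no hunk here removes it; it should be dropped in the same change so the next maintainer is not sent to edit a list that no longer exists. The hunk also references `ssh_util` without adding an import — presumably the module already imports it for its other helpers, but that is outside the hunk and worth confirming. The removed `# key types from https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT` pointer was this module's only link to the authorized_keys format; a one-line `# accepted key-type tokens are defined by ssh_util.VALID_KEY_TYPES` in its place keeps the provenance readable. The function ends inside the hunk, but the module continues past it.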