summaryrefslogtreecommitdiff
path: root/cloudinit
diff options
context:
space:
mode:
authorOle-Martin Bratteng <1681525+omBratteng@users.noreply.github.com>2020-08-21 18:23:24 +0200
committerGitHub <noreply@github.com>2020-08-21 10:23:24 -0600
commitc73ab5665469a28dec2995b2b15d3462b0a83c4b (patch)
tree6c357c5ff7678f0c366dd34a760a521355f10abc /cloudinit
parent747723a42c98fa13080ea31127e289e7b826046f (diff)
downloadvyos-cloud-init-c73ab5665469a28dec2995b2b15d3462b0a83c4b.tar.gz
vyos-cloud-init-c73ab5665469a28dec2995b2b15d3462b0a83c4b.zip
Update the list of valid ssh keys. (#487)
Update ssh_util.py with latest list of keys (from openssh-8.3p1/sshkey.c), Added keys: sk-ecdsa-sha2-nistp256-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com ssh-xmss-cert-v01@openssh.com ssh-xmss@openssh.com LP: #1877869
Diffstat (limited to 'cloudinit')
-rwxr-xr-xcloudinit/config/cc_ssh.py36
-rwxr-xr-xcloudinit/config/cc_ssh_authkey_fingerprints.py6
-rw-r--r--cloudinit/ssh_util.py40
3 files changed, 67 insertions, 15 deletions
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 228e5e0d..9b2a333a 100755
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -35,6 +35,42 @@ root login is disabled, and root login opts are set to::
no-port-forwarding,no-agent-forwarding,no-X11-forwarding
+Supported public key types for the ``ssh_authorized_keys`` are:
+
+ - dsa
+ - rsa
+ - ecdsa
+ - ed25519
+ - ecdsa-sha2-nistp256-cert-v01@openssh.com
+ - ecdsa-sha2-nistp256
+ - ecdsa-sha2-nistp384-cert-v01@openssh.com
+ - ecdsa-sha2-nistp384
+ - ecdsa-sha2-nistp521-cert-v01@openssh.com
+ - ecdsa-sha2-nistp521
+ - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
+ - sk-ecdsa-sha2-nistp256@openssh.com
+ - sk-ssh-ed25519-cert-v01@openssh.com
+ - sk-ssh-ed25519@openssh.com
+ - ssh-dss-cert-v01@openssh.com
+ - ssh-dss
+ - ssh-ed25519-cert-v01@openssh.com
+ - ssh-ed25519
+ - ssh-rsa-cert-v01@openssh.com
+ - ssh-rsa
+ - ssh-xmss-cert-v01@openssh.com
+ - ssh-xmss@openssh.com
+
+.. note::
+ this list has been filtered out from the supported keytypes of
+ `OpenSSH`_ source, where the sigonly keys are removed. Please see
+ ``ssh_util`` for more information.
+
+ ``dsa``, ``rsa``, ``ecdsa`` and ``ed25519`` are added for legacy,
+ as they are valid public keys in some old distros. They can possibly
+ be removed in the future when support for the older distros are dropped
+
+.. _OpenSSH: https://github.com/openssh/openssh-portable/blob/master/sshkey.c
+
Host Keys
^^^^^^^^^
diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py
index 7ac1c8cf..05d30ad1 100755
--- a/cloudinit/config/cc_ssh_authkey_fingerprints.py
+++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py
@@ -13,7 +13,7 @@ Write fingerprints of authorized keys for each user to log. This is enabled by
default, but can be disabled using ``no_ssh_fingerprints``. The hash type for
the keys can be specified, but defaults to ``sha256``.
-**Internal name:** `` cc_ssh_authkey_fingerprints``
+**Internal name:** ``cc_ssh_authkey_fingerprints``
**Module frequency:** per instance
@@ -59,8 +59,8 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'):
def _is_printable_key(entry):
if any([entry.keytype, entry.base64, entry.comment, entry.options]):
- if (entry.keytype and
- entry.keytype.lower().strip() in ['ssh-dss', 'ssh-rsa']):
+ if (entry.keytype and entry.keytype.lower().strip()
+ in ssh_util.VALID_KEY_TYPES):
return True
return False
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index 89150acf..c08042d6 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -17,27 +17,43 @@ LOG = logging.getLogger(__name__)
# See: man sshd_config
DEF_SSHD_CFG = "/etc/ssh/sshd_config"
-# taken from OpenSSH source openssh-7.3p1/sshkey.c:
-# static const struct keytype keytypes[] = { ... }
+# this list has been filtered out from keytypes of OpenSSH source
+# openssh-8.3p1/sshkey.c:
+# static const struct keytype keytypes[] = {
+# filter out the keytypes with the sigonly flag, eg:
+# { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
+# refer to the keytype struct of OpenSSH in the same file, to see
+# if the position of the sigonly flag has been moved.
+#
+# dsa, rsa, ecdsa and ed25519 are added for legacy, as they are valid
+# public keys in some old distros. They can possibly be removed
+# in the future when support for the older distros is dropped
+#
+# When updating the list, also update the _is_printable_key list in
+# cloudinit/config/cc_ssh_authkey_fingerprints.py
VALID_KEY_TYPES = (
"dsa",
+ "rsa",
"ecdsa",
- "ecdsa-sha2-nistp256",
+ "ed25519",
"ecdsa-sha2-nistp256-cert-v01@openssh.com",
- "ecdsa-sha2-nistp384",
+ "ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp384-cert-v01@openssh.com",
- "ecdsa-sha2-nistp521",
+ "ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp521-cert-v01@openssh.com",
- "ed25519",
- "rsa",
- "rsa-sha2-256",
- "rsa-sha2-512",
- "ssh-dss",
+ "ecdsa-sha2-nistp521",
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
+ "sk-ecdsa-sha2-nistp256@openssh.com",
+ "sk-ssh-ed25519-cert-v01@openssh.com",
+ "sk-ssh-ed25519@openssh.com",
"ssh-dss-cert-v01@openssh.com",
- "ssh-ed25519",
+ "ssh-dss",
"ssh-ed25519-cert-v01@openssh.com",
- "ssh-rsa",
+ "ssh-ed25519",
"ssh-rsa-cert-v01@openssh.com",
+ "ssh-rsa",
+ "ssh-xmss-cert-v01@openssh.com",
+ "ssh-xmss@openssh.com",
)
_DISABLE_USER_SSH_EXIT = 142