net-ssh 7.1.0 - Incorrectly determines ED25519 when Private Key is RSA #914

davidjkling opened this issue Jun 28, 2023 · 2 comments

@davidjkling

Expected behavior

Running:

Net::SSH.start(remote_node, remote_user, auth_methods: ['publickey'], timeout: timeout, keys: ['/root/.ssh/id_rsa']) do |ssh|

It should SSH to the remote node without issue using RSA.

Actual behavior

Instead, it raises:

 [2023-06-27T17:11:47+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
 [2023-06-27T17:11:47+00:00] FATAL: ---------------------------------------------------------------------------------------
 [2023-06-27T17:11:47+00:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
 [2023-06-27T17:11:47+00:00] FATAL: ---------------------------------------------------------------------------------------
 [2023-06-27T17:11:47+00:00] FATAL: NotImplementedError: OpenSSH keys only supported if ED25519 is available
 net-ssh requires the following gems for ed25519 support:
  * ed25519 (>= 1.2, < 2.0)
  * bcrypt_pbkdf (>= 1.0, < 2.0)
 See https://github.com/net-ssh/net-ssh/issues/565 for more information
 Gem::MissingSpecError : "Could not find 'bcrypt_pbkdf' (~> 1.0) among 223 total gem(s)
 Checked in 'GEM_PATH=/home/cloud-user/.local/share/gem/ruby/3.1.0:/opt/chef/embedded/lib/ruby/gems/3.1.0' , execute `gem env` for more information"

System configuration

Oracle Linux 8.6 (Did NOT see this on Oracle 7.x)
Both of these are installed through Chef 18.2.7

  • net-ssh version 7.1.0
  • Ruby version 3.1.2
  • openssh.x86_64 8.0p1-13.el8

Example App

gem 'net-ssh'
require 'net/ssh'
puts Net::SSH::Version::CURRENT

host = '<actual hostname where you run this>'
remote_user = 'root'
timeout = 10
stdout = ''
stderr = ''
Net::SSH.start(host, remote_user, auth_methods: ['publickey'], timeout: timeout, keys: ['/root/.ssh/id_rsa']) do |ssh|
  ssh.exec!('echo "hello"') do |_channel, stream, data|
    stdout << data if stream == :stdout
    stderr << data if stream == :stderr
  end
  return { stdout: stdout, stderr: stderr }
end

Output for me from above in IRB:

/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/net-ssh-7.1.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': OpenSSH keys only supported if ED25519 is available (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * ed25519 (>= 1.2, < 2.0)
 * bcrypt_pbkdf (>= 1.0, < 2.0)

Believe the issue stems from how key_factory checks for ED25519.

Creating the keys on an Oracle Linux 8 node to be RSA still sets the header to OPENSSH:

# ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8SPOX7+fOuIsyceSxFFbH5pk3w+BYKh8qzs43IwqnXg root@<redacted>
The key's randomart image is:
+---[RSA 3072]----+
|         .o. .   |
|        .. ..+.. |
|     . .. . = =.o|
|      o .+ . o.o.|
|       .S.+    ..|
|       o.+ .    .|
| o o = .= + .    |
|o E = =  B.= o  .|
| o.. ..o  *o..=+.|
+----[SHA256]-----+
root@<redacted>:~/.ssh
14:47:35 # cat id_rsa | head -1
-----BEGIN OPENSSH PRIVATE KEY-----

But actually checking the key, it is RSA:

root@<redacted>:~/.ssh
14:47:49 # ssh-keygen -l -f id_rsa
3072 SHA256:8SPOX7+fOuIsyceSxFFbH5pk3w+BYKh8qzs43IwqnXg root@<redacted> (RSA)

Then actually creating an ed25519 key also sets the header to OPENSSH:

# ssh-keygen -t ed25519 -N "" -f /root/.ssh/id_rsa
Generating public/private ed25519 key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FQm6++M1eYvTWNpogNhJSbRSO6gT8MuhLMPlvq6jips root@<redacted>
The key's randomart image is:
+--[ED25519 256]--+
|.    .o ....     |
| o   o.+  ..     |
|  +.o.=.  .      |
|ooo= .oo .       |
|+o=. +.oS        |
|..... +..  ..    |
|   .  .  .+B.    |
|.o  .  ...*+o.   |
|Eo+o   .oo...    |
+----[SHA256]-----+
root@<redacted>:~/.ssh
14:49:05 # cat id_rsa | head -1
-----BEGIN OPENSSH PRIVATE KEY-----

And checking the key, it is ED25519:

root@<redacted>:~/.ssh
14:49:09 # ssh-keygen -l -f id_rsa
256 SHA256:FQm6++M1eYvTWNpogNhJSbRSO6gT8MuhLMPlvq6jips root@<redacted> (ED25519)

Think this can be resolved with just checking the ssh-keygen -l -f <file> output for the auth type and not just reading the id_rsa file.

@mfazekas
Collaborator

@davidjkling I guess you're right here, not all OpenSSH private keys need Ed25519. We should move OpenSSHPrivateKeyLoader out of ED25519.

@davidjkling
Author

davidjkling commented Jun 28, 2023

Looks like this was updated in openssh 7.8

Which is why I see it on Oracle Linux 8 using OpenSSH_8.0p1, whereas our Oracle Linux 7 nodes use OpenSSH_7.4p1.

And adding -m PEM to the command (as a workaround) creates the header with RSA and not OPENSSH:

ssh-keygen -t rsa -N "" -m PEM -f /root/.ssh/id_rsa
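
An added example, not code from net-ssh or from anyone in this thread: a Ruby reader that takes the key type from inside the `openssh-key-v1` container rather than from the `BEGIN OPENSSH PRIVATE KEY` header, which the thread shows is shared by RSA and ED25519 keys. The helper names and the constructed sample blobs (placeholder bytes, not real keys) are assumptions for illustration.

```ruby
require 'base64'

MAGIC = "openssh-key-v1\0".b  # container magic, NUL-terminated

# Read one SSH string: uint32 big-endian length, then that many bytes.
def read_string(buf, pos)
  len = buf.byteslice(pos, 4)&.unpack1('N')
  raise ArgumentError, 'truncated key blob' if len.nil? || pos + 4 + len > buf.bytesize
  [buf.byteslice(pos + 4, len), pos + 4 + len]
end

# Report what the container holds, without touching the private section.
def inspect_openssh_key(pem)
  m = pem.match(/-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----/m)
  raise ArgumentError, 'not an OpenSSH-format private key' unless m
  blob = Base64.decode64(m[1])
  raise ArgumentError, 'bad magic' unless blob.start_with?(MAGIC)
  pos = MAGIC.bytesize
  cipher, pos = read_string(blob, pos)
  kdf, pos = read_string(blob, pos)
  _kdf_opts, pos = read_string(blob, pos)
  nkeys = blob.byteslice(pos, 4)&.unpack1('N')
  raise ArgumentError, 'expected exactly one key' unless nkeys == 1
  pubkey, = read_string(blob, pos + 4)
  key_type, = read_string(pubkey, 0) # e.g. "ssh-rsa" or "ssh-ed25519"
  { key_type: key_type, cipher: cipher, kdf: kdf, encrypted: cipher != 'none' }
end

# --- Constructed sample input: placeholder bytes, not usable keys ---
def ssh_str(s)
  [s.bytesize].pack('N') + s.b
end

def sample_key(type, cipher: 'none', kdf: 'none')
  pub = ssh_str(type) + ssh_str("\x00" * 32)
  blob = MAGIC + ssh_str(cipher) + ssh_str(kdf) + ssh_str('') +
         [1].pack('N') + ssh_str(pub) + ssh_str('')
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{Base64.encode64(blob)}" \
    "-----END OPENSSH PRIVATE KEY-----\n"
end

if __FILE__ == $PROGRAM_NAME
  p inspect_openssh_key(sample_key('ssh-rsa'))
  p inspect_openssh_key(sample_key('ssh-ed25519', cipher: 'aes256-ctr', kdf: 'bcrypt'))
end
```

The `kdf` field is `bcrypt` only for passphrase-protected keys, so a loader that reads these fields first can tell which keys need Ed25519 or bcrypt support before it tries to decode them.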
