
Second puppet run with ed25519-sk fails. #4

Open
snake3lake opened this issue Mar 12, 2024 · 13 comments
Labels
bug Something isn't working

Comments

@snake3lake

snake3lake commented Mar 12, 2024

Code:

pubkey::ssh { 'johndoe_ed25519-sk': }

First run:

Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[johndoe_ed25519-sk]/File_line[johndoe:/home/johndoe/.ssh/id_ed25519_sk.pub]/ensure: created
$ sudo facter --puppet -y pubkey
pubkey:
  johndoe:
    comment: johndoe_ed25519-sk
    key: "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICEKi4Ktz2JSOkybQVL/ET5w01qX2danMsGBae0ONVxXAAAABHNzaDo="
    options: sk-
    type: "ssh-ed25519@openssh.com"

Second run:

Error: Failed to apply catalog: Parameter type failed on Ssh_authorized_key[johndoe_ed25519-sk@thor.home]: Invalid value "ssh-ed25519@openssh.com". Valid values are ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com. (file: /etc/puppetlabs/code/environments/production/modules/pubkey/manifests/ssh.pp, line: 101)
$ sudo facter --puppet -y pubkey
pubkey:
  marcel:
    comment: jondoe_ed25519-sk
    key: "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICEKi4Ktz2JSOkybQVL/ET5w01qX2danMsGBae0ONVxXAAAABHNzaDo="
    options: sk-
    type: "ssh-ed25519@openssh.com"
deric added the bug label Mar 12, 2024
@deric
Owner

deric commented Mar 12, 2024

Hmm, interesting. Looks like we need to concat the options field sk- with ssh-ed25519@openssh.com to get a valid type.

deric added a commit that referenced this issue Mar 12, 2024
@deric
Owner

deric commented Mar 12, 2024

Should be fixed in v0.8.1.

@deric
Owner

deric commented Mar 12, 2024

Sorry, please try the latest version v0.8.3.

@snake3lake
Author

snake3lake commented Mar 13, 2024

Code:

pubkey::ssh { 'marcel_ed25519': }
pubkey::ssh { 'marcel_ed25519-sk': }

Generating one key on its own now works. Generating 2 keys with different types still generates the "Could not evaluate: Field 'type' is required" error.

@deric
Owner

deric commented Mar 13, 2024

@snake3lake could you post the whole stacktrace?

@snake3lake
Author

snake3lake commented Mar 13, 2024

Removed authorized_keys, keys and /var/cache/pubkey/export_keys. Looks like it's picking exported keys from the server. First run on first host only:

Notice: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519@wodan.wodan.home]/ensure: created (corrective)
Error: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519@wodan.wodan.home]: Could not evaluate: Field 'type' is required
Notice: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519-sk@wodan.wodan.home]/ensure: created (corrective)
Error: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519-sk@wodan.wodan.home]: Could not evaluate: Field 'type' is required
Notice: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519@donar.home]/ensure: created (corrective)
Error: /Stage[main]/My::Ssh/Ssh_authorized_key[marcel_ed25519@donar.home]: Could not evaluate: Field 'type' is required
Notice: /Stage[main]/Pubkey/File[/var/cache/pubkey/exported_keys]/ensure: created (corrective)
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/File_line[marcel:/home/marcel/.ssh/id_ed25519.pub]/ensure: created (corrective)
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/File_line[marcel:/home/marcel/.ssh/id_13654666_ed25519_sk.pub]/ensure: created (corrective)
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/Pubkey::Keygen[keygen-marcel_ed25519]/Exec[pubkey-ssh-keygen-marcel_ed25519]/returns: executed successfully (corrective)
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Pubkey::Keygen[keygen-marcel_ed25519-sk]/Exec[pubkey-ssh-keygen-marcel_ed25519-sk]/returns: executed successfully (corrective)

deric added a commit that referenced this issue Mar 13, 2024
@deric
Owner

deric commented Mar 13, 2024

The "autodetect" feature simply splits the title marcel_ed25519-sk@wodan.wodan.home by _ (separator param):

  • marcel
  • ed25519-sk@wodan.wodan.home (not a valid type)

Try using

pubkey::ssh { 'marcel_ed25519-sk@wodan.wodan.home': 
  type => 'ed25519-sk',
}
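To make the two mechanisms discussed in this thread concrete, here is an added Ruby example (not code from the pubkey module or from deric): the title "autodetect" split described in the comment above, the rejoining of the `options` prefix `sk-` with `type` that deric proposed earlier, and a check of the declared type against the algorithm name embedded in the key blob itself, which is what a defender would want before exporting a fact as an Ssh_authorized_key. The list of accepted types is copied from the error message in the first comment; the sample fact is a constructed copy of that comment's facter output; function names are my own.

```ruby
require 'base64'

# Types accepted by Ssh_authorized_key (copied from the error message in this issue).
VALID_AUTHORIZED_KEY_TYPES = %w[
  ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
  ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com
  ssh-rsa-cert-v01@openssh.com ssh-ed25519-cert-v01@openssh.com
  ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com
  ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com
].freeze

# Key types `ssh-keygen -t` accepts (what pubkey::ssh's `type` parameter carries).
KEYGEN_TYPES = %w[dsa ecdsa ecdsa-sk ed25519 ed25519-sk rsa].freeze

# Constructed copy of the facter output from the first comment: the key type was
# split into an `options` prefix "sk-" and a `type` remainder.
SAMPLE_FACT = {
  'comment' => 'johndoe_ed25519-sk',
  'key'     => 'AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICEKi4Ktz2JSOkybQVL/ET5w01qX2danMsGBae0ONVxXAAAABHNzaDo=',
  'options' => 'sk-',
  'type'    => 'ssh-ed25519@openssh.com',
}.freeze

# The "autodetect" step described above: split the resource title on the
# separator into user and key type. The type is nil when the remainder is not
# something ssh-keygen accepts (e.g. it still carries "@host").
def autodetect(title, separator = '_')
  user, type = title.split(separator, 2)
  [user, KEYGEN_TYPES.include?(type) ? type : nil]
end

# Rejoin a type that facter split across `options` and `type`. Only a trailing
# "-" in options is treated as a type prefix, and only when the rejoined value
# is a type Ssh_authorized_key accepts; real options such as "no-pty" are kept.
def rejoin_type(fact)
  opts = fact['options'].to_s
  type = fact['type'].to_s
  if opts.end_with?('-') && VALID_AUTHORIZED_KEY_TYPES.include?(opts + type)
    { 'type' => opts + type, 'options' => nil }
  else
    { 'type' => type, 'options' => fact['options'] }
  end
end

# Authoritative check: an SSH public key blob begins with an SSH string
# (uint32 big-endian length + bytes) naming the algorithm. Returns that name,
# or nil when the blob is not well-formed base64 / SSH wire data.
def type_from_blob(key_b64)
  raw = Base64.strict_decode64(key_b64)
  return nil if raw.bytesize < 4
  len = raw.byteslice(0, 4).unpack1('N')
  return nil if len.zero? || raw.bytesize < 4 + len
  raw.byteslice(4, len)
rescue ArgumentError
  nil
end

# A fact is safe to export as an Ssh_authorized_key only if its declared type is
# valid and agrees with what the blob encodes; anything else is skipped rather
# than exported, so a malformed fact cannot break the whole catalog.
def exportable?(fact)
  declared = rejoin_type(fact)['type']
  VALID_AUTHORIZED_KEY_TYPES.include?(declared) && type_from_blob(fact['key']) == declared
end
```

Run against the sample fact, `rejoin_type` yields `sk-ssh-ed25519@openssh.com`, and `type_from_blob` decodes the same name from the first 30 bytes of the blob, so the two sources agree; a title like `marcel_ed25519-sk@wodan.wodan.home` autodetects to user `marcel` with no usable type, which is exactly why the explicit `type` parameter above is needed.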

@snake3lake
Author

snake3lake commented Mar 14, 2024

That didn't help:

pubkey::ssh { 'marcel_ed25519':
  type => 'ed25519',
  tags => ['tag_users'],
}

if $facts['networking']['hostname'] != 'puppet' {
  pubkey::ssh { 'marcel_ed25519-sk':
    type => 'ed25519-sk',
    tags => ['tag_users'],
  }
}

Ssh_authorized_key <<| tag == 'tag_users' |>>

Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/Ssh_authorized_key[marcel_ed25519@wodan.home]/ensure: created (corrective)
Error: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/Ssh_authorized_key[marcel_ed25519@wodan.home]: Could not evaluate: Field 'type' is required
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Ssh_authorized_key[marcel_ed25519-sk@wodan.home]/ensure: created (corrective)
Error: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Ssh_authorized_key[marcel_ed25519-sk@wodan.home]: Could not evaluate: Field 'type' is required
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Pubkey::Keygen[keygen-marcel_ed25519-sk]/Exec[pubkey-ssh-keygen-marcel_ed25519-sk]/returns: Key enrollment failed: device not found
Error: 'ssh-keygen -t ed25519-sk -q -N '' -C 'marcel_ed25519-sk' -f /home/marcel/.ssh/id_ed25519_sk' returned 255 instead of one of [0]
Error: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Pubkey::Keygen[keygen-marcel_ed25519-sk]/Exec[pubkey-ssh-keygen-marcel_ed25519-sk]/returns: change from 'notrun' to ['0'] failed: 'ssh-keygen -t ed25519-sk -q -N '' -C 'marcel_ed25519-sk' -f /home/marcel/.ssh/id_ed25519_sk' returned 255 instead of one of [0] (corrective)

@deric
Owner

deric commented Mar 14, 2024

The error message Key enrollment failed: device not found means that the security key wasn't detected on your system, thus the keygen can't generate a valid ssh key. You can verify that simply by running the command above:

ssh-keygen -t ed25519-sk -q -N '' -C 'marcel_ed25519-sk' -f /home/marcel/.ssh/id_ed25519_sk

What is the output of the following command:

facter -y --puppet pubkey

@snake3lake
Author

snake3lake commented Mar 14, 2024

You are right about the security key. Sorry about the confusion. Please disregard messages about it.

Notice: /Stage[main]/Pubkey/File[/var/cache/pubkey/exported_keys]/ensure: created
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/File_line[marcel:/home/marcel/.ssh/id_ed25519.pub]/ensure: created
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/File_line[marcel:/home/marcel/.ssh/id_ed25519_sk.pub]/ensure: created
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519]/Pubkey::Keygen[keygen-marcel_ed25519]/Exec[pubkey-ssh-keygen-marcel_ed25519]/returns: executed successfully
Notice: /Stage[main]/My::Ssh/Pubkey::Ssh[marcel_ed25519-sk]/Pubkey::Keygen[keygen-marcel_ed25519-sk]/Exec[pubkey-ssh-keygen-marcel_ed25519-sk]/returns: executed successfully

pubkey:
  marcel:
    comment: marcel_ed25519-sk
    key: "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGgW3IPS7MrL1t8Bta0cZFzvqR8pZMoyuqIVAEXWwb9fAAAABHNzaDo="
    type: "sk-ssh-ed25519@openssh.com"

@deric
Owner

deric commented Mar 14, 2024

Which version of puppetlabs/sshkeys_core do you use?

The support for ed25519-sk (sk-ssh-ed25519@openssh.com) was added in version 2.1.0:

puppetlabs/puppetlabs-sshkeys_core@210f2e1

@snake3lake
Author

puppetlabs-sshkeys_core (v2.5.0) The latest.

@deric
Owner

deric commented Mar 15, 2024

You can try the latest version v0.9.0.

Basically your use-case is covered here: if the key is loaded in facter, it should be exported. In case the exported key is invalid, it will be skipped.
