New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump x/crypto to 20220518 and remove custom algorithm signer #12674
Conversation
0d129e4
to
602b9fc
Compare
After a couple of tests, I got the following matrix
The good news is that, it looks like we didn't break anything with the lib bump From OpenSSH 8.8+, it works if we explicitly add the older algorithm |
eb36bfa
to
3f711f5
Compare
3f711f5
to
e479eb5
Compare
e479eb5
to
5e0e2e2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes here all seem reasonable to me. Just a couple questions around the OpenSSH 8.9 incompatibility:
- Do we have an open issue regarding OpenSSH 8.9 clients not functioning without the workaround?
- Is the workaround documented anywhere else but here?
We have one issue here, with the workaround Do you think we should add it? |
Maybe just add a comment to that issue with the workaround? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marcoandredinis Thank you for pushing this through, great job!
One question I have is regarding backwards compatibility. Since we've removed the "alg signers" workaround, will clusters that set ca_signature_algo
configuration field be impacted in any way?
This commit upgrades the version of x/crypto we use, to the current latest `go get -u golang.org/x/crypto` We also replaced the deprecated variables and updated the tests to match the current default KEX Algos
The x/crypto didn't support RSA-SHA2 algos, so we developed our own algorithm signer. This is no longer the case, and after upgrading x/crypto to 20220513 we can safely remove the custom code we have.
5e0e2e2
to
e0b384b
Compare
They should not be impacted
In between each step, I connected with the OpenSSH client successfully. I'm pretty confident we can remove that property Removing the configuration option in this PR will delay the version bump which is more important, so I don't think we should do it know. |
After the merge of #12674 we no longer use the following configuration: ```yaml teleport: ca_signature_algo: "rsa-sha2-512" ``` As we now rely upon the `x/crypto` package to choose the signing algorithm (it defaults to `rsa-sha2-512`) **Demo** If we set `ca_signature_algo` (the value is irrelevant) and start `teleport` we get: ```shell root@marco:/workspace# teleport start --debug 2022-06-02T09:33:58Z WARN ca_signing_algo config option is deprecated and will be ignored, we'll always default to rsa-sha2-512. config/configuration.go:348 2022-06-02T09:33:58Z INFO Generating new host UUID: b001159a-10e0-49a7-b4dc-61c73fbe9e42. service/service.go:726 ... ``` Fixes #12905
This commit upgrades the version of x/crypto we use, to the current latest
go get -u golang.org/x/crypto
We also replaced the deprecated variables and updated the tests to match the
current default KEX Algos
The x/crypto didn't support RSA-SHA2 algos, so we developed our own algorithm
signer. This is no longer the case, and after upgrading x/crypto to 20220518 we
can safely remove the custom code we have.
TODO (from #11178 (comment))
ca_signature_algo
tossh-rsa
and make sure that:PubkeyAcceptedKeyTypes
workaround mentioned above.ca_signature_algo
torsa-sha2-512
and make sure that: