Only support long RSA and ed25519 ssh keys #3044

Open
wants to merge 1 commit into
base: master
from

@justincormack (Collaborator) commented May 18, 2018

  1. Support ed25519 ssh keys in example
  2. Only generate ed25519 and 4096 bit RSA keys for sshd by default

dsa and ecdsa and short RSA keys are not recommended. You should
probably just switch to ed25519.

This only affects installs if you do not add your own keys.

Also, print the key art to the logs...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

hippo-milk-pink-orig

Only support long RSA and ed25519 ssh keys
1. Support ed25519 ssh keys in example
2. Only generate ed25519 and 4096 bit RSA keys for sshd by default

dsa and ecdsa and short RSA keys are not recommended. You should
probably just switch to ed25519.

This only affects installs if you do not add your own keys.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
@@ -28,6 +28,10 @@ files:
source: ~/.ssh/id_rsa.pub
mode: "0600"
optional: true
- path: root/.ssh/authorized_keys
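Review bot: the second `- path: root/.ssh/authorized_keys` entry added here sits directly under the existing one that sources `~/.ssh/id_rsa.pub`, and nothing in the example records which entry wins when both source files exist; a one-line YAML comment above the second entry stating the intended precedence (the later entry overwriting the earlier one, if that is the behaviour) would save readers from having to test it. Since both entries carry `optional: true`, a build on a machine with neither public key produces no `authorized_keys` file at all, which is also worth a comment in the example so users are not surprised by a host that accepts no key-based logins.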

@ijc (Collaborator) commented May 21, 2018

Does having two entries with identical path really DTRT in all possible combinations of source being available?

Perhaps we should have a special entry (akin to the metadata key) which specifies a list of public keys to harvest and construct an authorized_keys from? e.g. authorized_keys: ["rsa", "ed25519"] (or full paths, etc)

@justincormack (Collaborator) commented May 21, 2018

It always does an acceptable thing - if you have neither, does nothing, if you have one, uses that, if you have both, uses ed25519. It is only intended to be a demo, I don't think it makes sense to make special case support for it. It is not really suitable for production use, where you would probably want to use a CA or supply an authorized keys file directly.
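The precedence described in the comment above (neither key present: nothing written; one present: that one; both present: ed25519 wins) can be made explicit in a small script instead of relying on two `files:` entries with the same path. The following is an added example, not LinuxKit code and not the PR author's; it assumes a source directory holding `id_ed25519.pub` and/or `id_rsa.pub` (the file names are an assumption, matching the `~/.ssh/id_rsa.pub` source in the hunk), takes the preference order as a list in the spirit of ijc's `authorized_keys: ["rsa", "ed25519"]` suggestion, and creates the output with mode 0600 as the example's file entry does.

```shell
#!/bin/sh
# Added example, not part of LinuxKit. Assembles an authorized_keys file from
# whichever local public keys exist, preferring ed25519 over RSA.
# Assumptions: "$1" is a directory containing id_ed25519.pub and/or id_rsa.pub
# (assumed file names); "$2" is the output path.

# Key types to look for, most preferred first. Reorder to change precedence.
KEY_PREFERENCE="ed25519 rsa"

# Print the first key type in KEY_PREFERENCE whose public key file is readable
# in the given directory. Prints nothing (and still succeeds) if none exists,
# which mirrors the "optional: true" entries in the example YAML.
pick_key_type() {
    dir="$1"
    for t in $KEY_PREFERENCE; do
        if [ -r "$dir/id_${t}.pub" ]; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 0
}

# Write the chosen public key to the output path with mode 0600 and print the
# type that was used. Leaves the output untouched when no key is available, so
# "neither" really does nothing rather than creating an empty file.
build_authorized_keys() {
    dir="$1"
    out="$2"
    t="$(pick_key_type "$dir")"
    if [ -z "$t" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$out")"
    # umask 077 makes the file 0600 from creation instead of chmod-ing afterwards.
    (umask 077 && cat "$dir/id_${t}.pub" > "$out")
    printf '%s\n' "$t"
}

# Demo on constructed (non-functional) key files in a temporary directory.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/ssh"
    echo "ssh-rsa AAAAB3Nza-CONSTRUCTED-rsa demo@example" > "$tmp/ssh/id_rsa.pub"
    echo "ssh-ed25519 AAAAC3Nza-CONSTRUCTED-ed25519 demo@example" > "$tmp/ssh/id_ed25519.pub"
    chosen="$(build_authorized_keys "$tmp/ssh" "$tmp/root/.ssh/authorized_keys")"
    echo "chosen key type: $chosen"
    cat "$tmp/root/.ssh/authorized_keys"
    rm -rf "$tmp"
}

demo
```

Running the script prints `chosen key type: ed25519` followed by the constructed ed25519 line, because both keys exist and ed25519 comes first in `KEY_PREFERENCE`; deleting `id_ed25519.pub` makes it fall back to RSA, and deleting both leaves no file behind.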
