-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add method to use ed25519 ssh key #104
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks great just one nitpick
f2aeab3
to
35301f6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
35301f6
to
7909dd5
Compare
I had to re-work some of this PR; my initial testing wasn't sufficient. The only problem is, openssh creation / marshaling isn't supported upstream directly, so the package I'm using is 3rd party. |
bc0e62f
to
f9ff225
Compare
cmd/create.go
Outdated
"sync" | ||
|
||
"github.com/mikesmitty/edkey" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mod hasn't been up modified in 6 years. I think it would be better to copy over the code so we can at least maintain it. Will refer to Jake though on what he thinks is best.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even though the code is MIT we should never copy code wholesale without attribution. Also, we should prefer forking if a repo isn't properly maintained, and only if we plan to modify it in some way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good Jake understood. Well in this instance the repo doesn't have a go.mod file, it's causing failures in the validate checks for the PR. Do you recommend forking and adding a go.mod for our purposes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did a little digging, according to the docs x509.MarshalPKCS8PrivateKey
should work: https://cs.opensource.google/go/go/+/go1.20.5:src/crypto/x509/pkcs8.go;l=101
MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.
The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey (not a pointer), and *ecdh.PrivateKey. Unsupported key types result in an error.
This way we can use the go standard library and not have an external dependency at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@slickwarren Circling back on this, were you able to test the above method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried that at the time of original testing, but it was not working as expected for me. I can try this again after the upcoming release to make sure I didn't miss anything. But I worked at it for awhile before finding this alternative.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay, it appears that this works if you cast the key to its expected type before sending to PKCS8, tested and working with both ed25519 and rsa keys now without the custom code
f9ff225
to
7bfdea6
Compare
7bfdea6
to
c2783e2
Compare
cmd/create.go
Outdated
var privDER []byte | ||
var err error | ||
if strings.Contains(blockType, "OPENSSH") { | ||
// Necessary to cast type in order to correctly marshal the key for OpenSSH | ||
privDER, _ = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | ||
} else if strings.Contains(blockType, "RSA") { | ||
privDER = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | ||
} else { | ||
privDER, err = x509.MarshalPKCS8PrivateKey(key) | ||
} | ||
|
||
if err != nil { | ||
logrus.Fatal("failed to marshal PKCS8 private key: ", err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var privDER []byte | |
var err error | |
if strings.Contains(blockType, "OPENSSH") { | |
// Necessary to cast type in order to correctly marshal the key for OpenSSH | |
privDER, _ = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | |
} else if strings.Contains(blockType, "RSA") { | |
privDER = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | |
} else { | |
privDER, err = x509.MarshalPKCS8PrivateKey(key) | |
} | |
if err != nil { | |
logrus.Fatal("failed to marshal PKCS8 private key: ", err) | |
} | |
var privBytes []byte | |
var err error | |
if strings.Contains(blockType, "OPENSSH") { | |
// Necessary to cast type in order to correctly marshal the key for OpenSSH | |
privBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | |
if err != nil { | |
logrus.Fatalf("failed to marshal PKCS8 private key: %v", err) | |
} | |
} else if strings.Contains(blockType, "RSA") { | |
privBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | |
} else { // is this block expected? or should it fatal | |
privBytes, err = x509.MarshalPKCS8PrivateKey(key) | |
if err != nil { | |
logrus.Fatalf("failed to marshal PKCS8 private key: %v", err) | |
} | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we should leave it in, in case someone wants to use some other key type? Otherwise I can rip this out and just fatal.
cmd/create.go
Outdated
pubkey, _ := generatePublicKey(&privkey.PublicKey) | ||
corr.PrivateKey = string(encodePrivateKeyToPEM(privkey)) | ||
corr.PublicKey = string(pubkey) | ||
if corr.Vars["corral_ssh_key_type"] == ED25519_KEY_TYPE { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should probably check these errors as well, even if we weren't before
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addressed
c2783e2
to
634c205
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
cmd/create.go
Outdated
@@ -35,6 +37,7 @@ corral create k3s ghcr.io/rancher/k3s | |||
corral create k3s-ha -v controlplane_count=3 ghcr.io/rancher/k3s | |||
corral create k3s-custom /home/rancher/issue-1234 | |||
` | |||
const ED25519_KEY_TYPE = "ed25519" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const ED25519_KEY_TYPE = "ed25519" | |
const ed25519KeyType = "ed25519" |
Once that's fixed feel free to merge
634c205
to
ec69e75
Compare
ec69e75
to
e6cc016
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good
addresses: #96
tested locally using ubuntu 20.04, and am able to create + login using an ed25519 key instead of rsa by having the user set
coral_ssh_key_type