CentOS does not support ed25519; fixes #98

[alxwr]

• split map.jinja according to template-formula
• Made host key algos configurable; dropped DSA
• CentOS does not support ed25519; fixes CentOS 6: check_cmd broken/unsupported key type ed25519 #98

After refactoring map.jinja it should now be easy to exclude certain host key algorithms for older systems.

If this PR is accepted and merged, I plan on implementing an opt-out (use_check_cmd: False) to solve #147.

Tested on Ubuntu 18.04 and FreeBSD 11.2, but I don't have a CentOS 6 here. (Should work though.)

@hudecof @kadogo Could you please test this PR?

[hudecof]

@alxwr unfortunate I gave up saltstack and returned to ansible, so my dev environment do not exists any more ;(

[myii]

Have performed some basic testing limited to the YAML files and map.jinja refactoring. Tested on an Ubuntu minion with pillar.example. Comparing before and after this PR gives:

--- master
+++ alxwr:issue-98
@@ -72,6 +72,7 @@
   "generate_ed25519_keys": false,
   "generate_rsa_keys": false,
   "generate_rsa_size": 4096,
+  "host_key_algos": "ecdsa,ed25519,rsa",
   "known_hosts": {
     "aliases": [
       "cname-to-minion.example.org",
@@ -129,6 +130,55 @@
   "sshd_config_src": "salt://openssh/files/sshd_config",
   "sshd_config_user": "root",
   "sshd_enable": true
 }
+{
+  "Hosts": {
+    "*": {
+      "AddressFamily": "any",
+      "BatchMode": "yes",
+      "CheckHostIP": "yes",
+      "Cipher": "3des",
+      "Ciphers": [
+        "chacha20-poly1305@openssh.com",
+        "aes256-gcm@openssh.com",
+        "aes128-gcm@openssh.com",
+        "aes256-ctr",
+        "aes192-ctr",
+        "aes128-ctr"
+      ],
+      "ConnectTimeout": 0,
+      "ForwardAgent": false,
+      "ForwardX11": false,
+      "GSSAPIAuthentication": false,
+      "GSSAPIDelegateCredentials": false,
+      "HostbasedAuthentication": false,
+      "IdentityFile": "~/.ssh/id_rsa",
+      "KexAlgorithms": [
+        "curve25519-sha256@libssh.org",
+        "diffie-hellman-group-exchange-sha256",
+        "diffie-hellman-group-exchange-sha1",
+        "diffie-hellman-group14-sha1"
+      ],
+      "MACs": [
+        "hmac-sha2-512-etm@openssh.com",
+        "hmac-sha2-256-etm@openssh.com",
+        "umac-128-etm@openssh.com",
+        "hmac-sha2-512",
+        "hmac-sha2-256",
+        "umac-128@openssh.com"
+      ],
+      "PasswordAuthentication": true,
+      "PermitLocalCommand": "no",
+      "Port": 22,
+      "Protocol": 2,
+      "RSAAuthentication": true,
+      "RhostsRSAAuthentication": false,
+      "StrictHostKeyChecking": false,
+      "Tunnel": "no",
+      "TunnelDevice": "any:any",
+      "VisualHostKey": "no"
+    }
+  }
+}
 {
   "AcceptEnv": "LANG LC_*",

Looking at the additions, these are both expected due to:

1. host_key_algos added to defaults.yaml.
2. ssh_config also being exported from map.jinja.

So no regressions detected for this part of the refactoring, according to this limited testing at least.

Good work, @alxwr!

[alxwr]

I may have found a bug when using salt-ssh. defaults.merge does not seem to work.

[myii]

@alxwr @aboe76 @LloydArmstrong It looks like saltstack-formulas/redis-formula#75 really is a problem again re: salt-ssh vs. defaults.merge. Is this a bug upstream?

[alxwr]

@aboe76 @myii @javierbertoli This PR now works with both salt and salt-ssh.

[myii]

@alxwr Would you be able to confirm that defaults.merge is not available, like in this comment here:

• vm.overcommit_memory is in incorrect block in pillar redis-formula#75 (comment)

[alxwr]

@alxwr Would you be able to confirm that defaults.merge is not available, like in this comment here:

• saltstack-formulas/redis-formula#75 (comment)

Yes. I got the same message in my debug log:

[DEBUG   ] Could not LazyLoad defaults.merge: 'defaults.merge' is not available.

[myii]

@alxwr Upstream bug report: saltstack/salt#51605.

[alxwr]

@myii Thanks!

[alxwr]

@myii I'm running salt-ssh from a FreeBSD machine against a Debians minion.

% salt --versions-report
Salt Version:
           Salt: 2018.3.3
 
Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.31.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: 1.2.5
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.15 (default, Dec 27 2018, 00:23:42)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.3
 
System Versions:
           dist:   
         locale: UTF-8
        machine: amd64
        release: 11.2-RELEASE-p8
         system: FreeBSD
        version: Not Installed

[myii]

@alxwr Thanks, I've updated the upstream report.

I've also run the same test again for map.jinja and everything is still merging the with the same expected diff as above.

[aboe76]

Tested on my setup and I see no issues.

[aboe76]

@javierbertoli ping

[aboe76]

@alxwr I like this map.jinja style it looks like a merger between new and old style...

[alxwr]

@alxwr I like this map.jinja style it looks like a merger between new and old style...

Well, it actually is. 😄 Trying to take the best of both worlds.

[javierbertoli]

It LGTM. Really nice work, @alxwr !

[myii]

Merged. Thanks for the PR, @alxwr. And to @aboe76 and @javierbertoli for the reviews.