
feat: Allow SSH authentication with RSA keys #387

Merged
merged 2 commits into from
Dec 1, 2022

Conversation

dhoppe

@dhoppe dhoppe commented Nov 29, 2022

Summary of Pull Request

Adds HostKeyAlgorithms=+ssh-rsa and PubkeyAcceptedKeyTypes=+ssh-rsa as extra arguments for Ansible.

This will set these parameters automatically instead of assuming that the user has read the current documented requirements.

Type of Pull Request

  • This is a bugfix. type/bug
  • This is an enhancement or feature. type/feature or type/enhancement
  • This is a documentation update. type/docs
  • This is a refactoring update. type/refactor
  • This is a chore. type/chore
  • This is something else.
    Please describe:

Related to Existing Issues

Issue Number: N/A

Test and Documentation Coverage

  • Tests have been completed.
  • Documentation has been added or updated.

I have tested this for Debian 11 and Ubuntu Server 22.04 LTS. VMware Photon OS 4 did not get past the boot loader.

Breaking Changes?

  • Yes, there are breaking changes.
  • No, there are no breaking changes.

@dhoppe dhoppe requested a review from a team as a code owner November 29, 2022 14:30

@tenthirtyam tenthirtyam left a comment


Does this change adequately address each Linux distribution?

@tenthirtyam tenthirtyam added the type/feature Feature label Nov 29, 2022
@tenthirtyam tenthirtyam added this to the .Next milestone Nov 29, 2022
@tenthirtyam tenthirtyam changed the title feat: Allow SSH authentication with RSA keys if necessary feat: allow SSH authentication with RSA keys Nov 29, 2022
@tenthirtyam tenthirtyam added status/awaitng-response Awaiting Response size/s Small labels Nov 29, 2022
@dhoppe

dhoppe commented Nov 29, 2022

Does this change adequately address each Linux distribution?

I need to do some testing. I think this is related to the OpenSSH version of the client. For example, I have installed OpenSSH 9.1 on macOS, because I use a YubiKey for SSH via GPG.

@dhoppe

dhoppe commented Nov 29, 2022

Could someone please check if this is still working with OpenSSH 8.x and on Windows?

@dhoppe dhoppe changed the title feat: allow SSH authentication with RSA keys feat: Allow SSH authentication with RSA keys Nov 29, 2022
@tenthirtyam

Could someone please check if this is still working with OpenSSH 8.x and on Windows?

I’m not too worried about Windows as the Packer host since the project hasn’t tested with it in the past; however, that said I’m certainly willing to include coverage based on Windows 11 22H2.

@dhoppe

dhoppe commented Nov 30, 2022

I just did a downgrade of OpenSSH and built an image for Ubuntu Server 22.04 LTS. Everything is working as expected.

dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?] via vmware took 9m 13s
➜ ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1s  1 Nov 2022
dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?]
➜ git status
On branch build_version
Your branch is up to date with 'origin/build_version'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   ansible/ansible.cfg

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	.envrc

no changes added to commit (use "git add" and/or "git commit -a")
dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?]
➜ git diff
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 955ce7a..9802c10 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,3 +1,8 @@
 [defaults]
 display_skipped_hosts = false
 ansible_python_interpreter = /usr/bin/python3
+
+[ssh_connection]
+scp_if_ssh = true
+scp_extra_args = -O
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa
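Review bot: `scp_extra_args = -O` makes this config depend on a client-side scp that understands `-O`, a flag OpenSSH only added in 8.7 when scp switched to the SFTP protocol; on an older client (the macOS OpenSSH 8.6p1 case later in this thread) every file transfer aborts with `scp: illegal option -- O`, so either document the minimum client version next to the `[ssh_connection]` block or drop `scp_if_ssh`/`scp_extra_args` and let Ansible use its default SFTP transfer, which needs no flag. On the `ssh_args` line, `+ssh-rsa` appends the SHA-1 RSA signature scheme rather than replacing the defaults, so rsa-sha2-256/512 still take precedence where the server offers them; a comment in the file stating why the opt-in is needed would make it easier to remove once the guest images no longer require it.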
CONFIRM: Build a Ubuntu Server 22.04 LTS (cloud-init) Template for VMware vSphere?

Continue? (y/n)
y
Building a Ubuntu Server 22.04 LTS (cloud-init) Template for VMware vSphere...
Initializing HashiCorp Packer and required plugins...
Starting the build....
vsphere-iso.linux-ubuntu: output will be in this color.

==> vsphere-iso.linux-ubuntu: Publishing build details for vsphere-iso.linux-ubuntu to the HCP Packer registry
==> vsphere-iso.linux-ubuntu: Creating VM...
==> vsphere-iso.linux-ubuntu: Customizing hardware...
==> vsphere-iso.linux-ubuntu: Adding SATA controller...
==> vsphere-iso.linux-ubuntu: Mounting ISO images...
==> vsphere-iso.linux-ubuntu: Adding configuration parameters...
==> vsphere-iso.linux-ubuntu: Starting HTTP server on port 8053
==> vsphere-iso.linux-ubuntu: Set boot order...
==> vsphere-iso.linux-ubuntu: Power on VM...
==> vsphere-iso.linux-ubuntu: Waiting 5s for boot...
==> vsphere-iso.linux-ubuntu: HTTP server is working at http://10.0.30.10:8053/
==> vsphere-iso.linux-ubuntu: Typing boot command...
==> vsphere-iso.linux-ubuntu: Waiting for IP...
==> vsphere-iso.linux-ubuntu: IP address: 10.0.30.155
==> vsphere-iso.linux-ubuntu: Using SSH communicator to connect: 10.0.30.155
==> vsphere-iso.linux-ubuntu: Waiting for SSH to become available...
==> vsphere-iso.linux-ubuntu: Connected to SSH!
==> vsphere-iso.linux-ubuntu: Provisioning with Ansible...
    vsphere-iso.linux-ubuntu: Setting up proxy adapter for Ansible....
==> vsphere-iso.linux-ubuntu: Executing Ansible: <sensitive>-playbook -e packer_build_name="linux-ubuntu" -e packer_builder_type=vsphere-iso -e packer_http_addr=10.0.30.10:8053 --ssh-extra-args '-o IdentitiesOnly=yes' --extra-vars display_skipped_hosts=false --extra-vars BUILD_USERNAME=<sensitive> --extra-vars BUILD_SECRET=***** --extra-vars ANSIBLE_USERNAME=<sensitive> --extra-vars ANSIBLE_SECRET=***** -e <sensitive>_ssh_private_key_file=/var/folders/tn/mrc12tzn5td09f0kccnjc4gm0000gn/T/<sensitive>-key2814763683 -i /var/folders/tn/mrc12tzn5td09f0kccnjc4gm0000gn/T/packer-provisioner-<sensitive>458611944 /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/main.yml
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: PLAY [all] *********************************************************************
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [Gathering Facts] *********************************************************
    vsphere-iso.linux-ubuntu: ok: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Prepare the Ubuntu guest operating system.] ***********************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/base/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Updating the guest operating system.] *****************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Installing additional packages.] **********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Configure users on Ubuntu guest operating system.] ***************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/users/tasks/linux.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding authorized_keys for the default local user.] **************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding the default local user to passwordless sudoers.] **********
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Creating a local user for Ansible.] ******************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding authorized_keys to the local user for Ansible.] ***********
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding the local user for Ansible to passwordless sudoers.] ******
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Configure the Ubuntu guest operating system.] ****************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/configure/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Configure SSH for Public Key Authentication.] ****************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Setting hostname to localhost.] ******************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Restarting the SSH daemon.] **********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Disabling and clean tmp.] ************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Preparing cloud-init.] ***************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Modifying GRUB.] *********************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Setting SSH keys to regenerate on reboot, if neccessary.] ****
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Clean the Ubuntu guest operating system.] ************************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/clean/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning all audit logs.] ****************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning persistent udev rules.] *********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the /tmp directories] ***********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the SSH host keys.] *************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the machine-id.] ****************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the shell history.] *************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: PLAY RECAP *********************************************************************
    vsphere-iso.linux-ubuntu: default                    : ok=25   changed=20   unreachable=0    failed=0    skipped=16   rescued=0    ignored=0
    vsphere-iso.linux-ubuntu:
==> vsphere-iso.linux-ubuntu: Executing shutdown command...
==> vsphere-iso.linux-ubuntu: Deleting Floppy drives...
==> vsphere-iso.linux-ubuntu: Eject CD-ROM drives...
==> vsphere-iso.linux-ubuntu: Deleting CD-ROM drives...
==> vsphere-iso.linux-ubuntu: Clear boot order...
==> vsphere-iso.linux-ubuntu: Importing VM OVF template linux-ubuntu-22.04-lts-build_version to Content Library 'lib-01' as the item 'linux-ubuntu-22.04-lts-build_version' with the description 'Version: build_version
==> vsphere-iso.linux-ubuntu: Built on: 2022-11-30 08:28 UTC
==> vsphere-iso.linux-ubuntu: Built by: HashiCorp Packer 1.8.4'...
==> vsphere-iso.linux-ubuntu: Destroying VM...
==> vsphere-iso.linux-ubuntu: Running post-processor:  (type manifest)
==> vsphere-iso.linux-ubuntu: Running post-processor:
Build 'vsphere-iso.linux-ubuntu' finished after 8 minutes 30 seconds.

==> Wait completed after 8 minutes 30 seconds

==> Builds finished. The artifacts of successful builds are:
--> vsphere-iso.linux-ubuntu: linux-ubuntu-22.04-lts-build_version
--> vsphere-iso.linux-ubuntu: linux-ubuntu-22.04-lts-build_version
--> vsphere-iso.linux-ubuntu: Published metadata to HCP Packer registry packer/linux-ubuntu-2204-lts/iterations/01GK3TC8KY855EWFA025NEE7TZ
Done.


@tenthirtyam tenthirtyam left a comment


  • Pass on Ubuntu 22.04 LTS: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
  • Fail on macOS Monterey (12.6.1): OpenSSH_8.6p1, LibreSSL 3.3.6
vsphere-iso.linux-photon: TASK [Gathering Facts] *********************************************************
vsphere-iso.linux-photon: fatal: [default]: FAILED! => {"msg": "failed to transfer file to /Users/johnsonryan/.<sensitive>/tmp/<sensitive>-local-689535utghcqo/tmpf7p_lub9 /home/<sensitive>/.<sensitive>/tmp/<sensitive>-tmp-1669845602.772087-68956-148654805544790/AnsiballZ_setup.py:\n\nscp: illegal option -- O\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}

Need to test on Photon OS 4.0.

Dropped testing under the following in #393:

  • Ubuntu 20.04 LTS
  • macOS Big Sur (11.x)

Plan to test under - pending:

  • macOS Ventura (13.x)
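
As an added example (not code from this PR or the project), a POSIX sh preflight for the Packer host that parses the output of `ssh -V` and reports whether the two settings in the diff above apply to that client: `scp -O` exists only from OpenSSH 8.7, and the `+ssh-rsa` opt-in matters only from 8.8, when OpenSSH stopped accepting SHA-1 RSA signatures by default. The function names and the version cut-offs are mine; the sample `ssh -V` strings are the ones quoted in this thread.

```shell
#!/bin/sh
# Preflight for the Packer/Ansible host: decide from `ssh -V` output whether
# scp_extra_args = -O is usable and whether +ssh-rsa is needed at all.

# openssh_version "OpenSSH_8.9p1, OpenSSL 1.1.1s  1 Nov 2022" -> prints "8.9"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# version_ge 8.9 8.7 -> exit 0 when the first major.minor is >= the second
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] || { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# OpenSSH 8.8 disabled the SHA-1 "ssh-rsa" signature scheme by default, so only
# clients from 8.8 on need HostKeyAlgorithms/PubkeyAcceptedKeyTypes=+ssh-rsa.
needs_ssh_rsa_optin() { version_ge "$1" 8.8; }

# scp -O (force the legacy SCP protocol) exists since OpenSSH 8.7; an older scp
# aborts with "illegal option -- O", as the 8.6p1 macOS client did in this thread.
supports_scp_legacy_flag() { version_ge "$1" 8.7; }

# preflight "<ssh -V output>" -> one-line verdict; exit 1 if scp -O is unsupported,
# exit 2 if the version string is not recognised.
preflight() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || { echo "unrecognised ssh -V output: $1"; return 2; }
    if supports_scp_legacy_flag "$v"; then
        scp_msg="scp_extra_args=-O ok"
    else
        scp_msg="scp_extra_args=-O unsupported (needs OpenSSH >= 8.7)"
    fi
    if needs_ssh_rsa_optin "$v"; then
        rsa_msg="+ssh-rsa opt-in required for SHA-1 RSA keys"
    else
        rsa_msg="+ssh-rsa opt-in not needed (ssh-rsa still enabled by default)"
    fi
    echo "OpenSSH $v: $scp_msg; $rsa_msg"
    supports_scp_legacy_flag "$v"
}

# Check the local client when run as a script (ssh -V prints to stderr).
if command -v ssh >/dev/null 2>&1; then
    preflight "$(ssh -V 2>&1)" || :
fi
```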

@dhoppe

dhoppe commented Nov 30, 2022

Plan to test under:

  • macOS Ventura (13.x)

Interesting. I was using macOS Ventura, but did a downgrade of OpenSSH to version 8.9.

I think this is related to the version of OpenSSH and not the operating system.
ansible/ansible#78600

@tenthirtyam tenthirtyam removed the status/awaitng-response Awaiting Response label Dec 1, 2022
@tenthirtyam tenthirtyam self-requested a review December 1, 2022 13:54

@tenthirtyam tenthirtyam left a comment


Tested and verified with the latest pushed commits - LGTM! 🚀

Appreciate adding the Note to the README for OpenSSH >= 9.0.

@tenthirtyam tenthirtyam merged commit 3cce63f into vmware-samples:main Dec 1, 2022
tenthirtyam added a commit that referenced this pull request Dec 1, 2022
Updates `CHANGELOG.md` to include changes in #387 and #393.

Signed-off-by: Ryan Johnson <johnsonryan@vmware.com>
@tenthirtyam tenthirtyam mentioned this pull request Dec 1, 2022
@dhoppe dhoppe deleted the ansible_ssh_extra_args branch December 7, 2022 13:15
@tenthirtyam tenthirtyam added the area/ansible Area: Ansible label Dec 13, 2022
@github-actions

I'm going to lock this pull request because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 13, 2023