Feature #134
Transition from using ssh-vulnkey to using ssh-keygen to validate keys
| Status: | In Progress | Start: | 2016-04-17 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Votes: | 3 | | |
Description
It's not currently possible to add ed25519 algorithm SSH public keys to the panel because the blacklisted/valid key check is using a binary that's too old to understand that algorithm, so it just says it's an invalid key.
Short term this might mean disabling the validation (apart from some very simple sanity checks), or it may be possible to install a backport.
History
Updated by admin over 9 years ago
- Status changed from New to In Progress
Okay, I've now added configuration that disables SSH public key validation so it's now possible to add keys that ssh-vulnkey isn't able to parse.
Updated by admin over 9 years ago
- Subject changed from Support ed25519 SSH key algorithm to Transition from using ssh-vulnkey to using ssh-keygen to validate keys
ssh-vulnkey doesn't exist in jessie and really ssh-keygen should be used there to validate key data, so I'll now rename this feature to show that is the proper fix.
Updated by thngateway almost 4 years ago
Can confirm this works fine with "ssh-ed25519" keys.
I tried adding an "ecdsa-sha2-nistp521" format key that my laptop created, but it doesn't accept those; "That doesn't look like a valid SSH public key!" is the error message returned.
Updated by halleck almost 4 years ago
Neither do "ed25519-sk" keys seem to be accepted.
In case ssh-keygen is already in use it will need to be an OpenSSH 8.2+ ssh-keygen to recognize ed25519-sk and ecdsa-sk keys.
Updated by admin almost 4 years ago
It's not using ssh-keygen yet; it's just a simple regex, and I hadn't included ecdsa-sha2-nistp521 in the check even though they would work.
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-ed25519-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-ed25519
rsa-sha2-512
rsa-sha2-256
ssh-rsa
Most of the dom0s are OpenSSH 7.9 at the moment so no FIDO key support like ed25519-sk yet I'm afraid.
Updated by admin almost 4 years ago
I've updated the regex to accept all of the above key types. Previously it was only the ones that begin with ssh-.
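As an added illustration of the gap between the interim regex and the proper ssh-keygen check discussed in this ticket, the following Python is example code written for this page, not the panel's own implementation. It accepts only the key types from the list above (the FIDO `-sk` types are left out, matching the OpenSSH 7.9 dom0s), decodes the base64 blob, and checks that the wire-format type name inside the blob agrees with the prefix, so a line whose prefix says `ssh-ed25519` but whose data is an RSA blob is rejected rather than waved through. The `ssh_keygen_fingerprint` helper wraps `ssh-keygen -l -f` as the authoritative check where that binary is new enough; the sample key lines are constructed from placeholder bytes and are not real keys.

```python
"""Structural validation of an OpenSSH public-key line (authorized_keys format).

Example code for this ticket, not the panel's code. Key types come from the
list admin posted; FIDO (ed25519-sk / ecdsa-sk) types need OpenSSH 8.2+ on the
validating host and are deliberately omitted here.
"""
import base64
import binascii
import os
import shutil
import struct
import subprocess
import tempfile

ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519-cert-v01@openssh.com", "ssh-rsa-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com", "rsa-sha2-512-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
}
# Uncompressed point length (0x04 + x + y) for each NIST curve.
_ECDSA_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}


def _read_string(blob, pos):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated string body")
    return blob[pos:pos + n], pos + n


def validate_public_key(line):
    """Return (ok, reason); ok is True only for a structurally valid key line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED_TYPES:
        return False, "unsupported key type %r" % ktype
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False, "key data is not valid base64"
    # rsa-sha2-* are signature-algorithm names; the blob itself says ssh-rsa.
    expected = ktype.replace("rsa-sha2-256", "ssh-rsa").replace("rsa-sha2-512", "ssh-rsa")
    is_cert = "-cert-" in ktype
    try:
        name, pos = _read_string(blob, 0)
        if name.decode("ascii", "replace") != expected:
            return False, "blob type %r does not match prefix %r" % (name, ktype)
        if is_cert:
            return True, "certificate header ok (body not parsed here)"
        if ktype == "ssh-ed25519":
            pk, pos = _read_string(blob, pos)
            if len(pk) != 32:
                return False, "ed25519 public key must be 32 bytes"
        elif ktype.startswith("ecdsa-sha2-"):
            curve = ktype.rsplit("-", 1)[1]
            named_curve, pos = _read_string(blob, pos)
            point, pos = _read_string(blob, pos)
            if named_curve != curve.encode():
                return False, "curve name %r does not match %r" % (named_curve, curve)
            if len(point) != _ECDSA_POINT_LEN[curve] or point[0] != 0x04:
                return False, "malformed uncompressed EC point"
        else:  # ssh-rsa / rsa-sha2-*: exponent and modulus as mpints
            e, pos = _read_string(blob, pos)
            n, pos = _read_string(blob, pos)
            if not e or not n:
                return False, "empty RSA exponent or modulus"
        if pos != len(blob):
            return False, "trailing bytes after key data"
    except ValueError as exc:
        return False, "malformed key blob: %s" % exc
    return True, "ok"


def ssh_keygen_fingerprint(line):
    """Authoritative check via 'ssh-keygen -l -f' (assumed CLI); None if unavailable or rejected."""
    if shutil.which("ssh-keygen") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".pub", delete=False) as fh:
        fh.write(line.strip() + "\n")
    try:
        res = subprocess.run(["ssh-keygen", "-l", "-f", fh.name], capture_output=True, text=True)
    finally:
        os.unlink(fh.name)
    return res.stdout.strip() if res.returncode == 0 else None


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed sample lines (placeholder key bytes, not real keys).
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " laptop"
SAMPLE_ECDSA521 = "ecdsa-sha2-nistp521 " + base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521")
    + _ssh_string(b"\x04" + b"\x01" * 132)).decode()
SAMPLE_MISMATCH = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xab")).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_ECDSA521, SAMPLE_MISMATCH, "sk-ssh-ed25519@openssh.com AAAA"):
        print(sample.split()[0], validate_public_key(sample))
```

The prefix-only regex in the thread would have accepted `SAMPLE_MISMATCH`; decoding the blob catches it, and `ssh_keygen_fingerprint` would reject it too on any host where ssh-keygen is available.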