Story #20241
API server accepts modern SSH key types (elliptic curve/ecdsa/ed25519)
Description
The API server validates SSH public keys: see `public_key_must_be_unique` in `services/api/app/models/authorized_key.rb`.
This validation uses the sshkey gem which claims to only support RSA and DSA keys.
We would like to support all the same key types as OpenSSH: dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk, rsa
Figure out what our options are for validating other public key types, and implement one.
Related issues
Updated by Brett Smith 17 days ago
- Blocks Story #20224: Workbench 2 accepts modern SSH key types (elliptic curve/ecdsa/ed25519) added
Updated by Brett Smith 17 days ago
I searched Rubygems for another gem that does the same job as sshkey and didn't find one (but admittedly it's hard to narrow down the search, it's possible I missed one). I'm gonna investigate if there are other reasonable ways to do this.
Updated by Brett Smith 17 days ago
Based on this StackOverflow, one option seems to be to pipe the key to `ssh-keygen -l -f -`. `ssh-keygen -l` tries to generate a public key's fingerprint. If it can't parse a key in the input it exits nonzero, so you can just discard all the output and look at the exit code. I tested to confirm this actually works.
One upside of this approach is it means there'll be a better match between the key types Arvados accepts, and the key types the server is likely to actually understand. There can still be mismatch from OpenSSH server configuration but it's at least closer.
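The exit-code check described in the comment above, as an added Ruby example; it is not Arvados code and not from the thread. The helper names, the single-line restriction and the size limit are assumptions made for this example, and the sample key is constructed from fixed bytes.

```ruby
require 'open3'

# Assumed upper bound on a submitted key line (not a value from the page).
MAX_KEY_LINE_BYTES = 16 * 1024

# Pipes one candidate line to `ssh-keygen -l -f -` and reports whether it
# exited 0. All output is discarded; only the exit status is used. The argv
# form avoids a shell, so key text is never interpolated into a command line.
# Returns nil when ssh-keygen is not installed.
def ssh_keygen_accepts?(line)
  _output, status = Open3.capture2e('ssh-keygen', '-l', '-f', '-',
                                    stdin_data: line + "\n")
  status.success?
rescue Errno::ENOENT
  nil
end

# Hypothetical validator: requires exactly one non-empty line before asking
# ssh-keygen, so one submitted value corresponds to one key. The checker is
# injectable so the pre-checks can be exercised without OpenSSH present.
def valid_ssh_public_key?(text, checker: method(:ssh_keygen_accepts?))
  return false unless text.is_a?(String)
  line = text.strip
  return false if line.empty? || line.bytesize > MAX_KEY_LINE_BYTES
  return false if line.match?(/[\r\n\0]/)
  checker.call(line) == true
end

# Constructed sample input: an OpenSSH-format ssh-ed25519 line built from 32
# fixed bytes (not a key anyone holds).
def sample_ed25519_line
  blob = [11].pack('N') + 'ssh-ed25519' + [32].pack('N') + ("\x01" * 32).b
  "ssh-ed25519 #{[blob].pack('m0')} constructed@example"
end

if __FILE__ == $PROGRAM_NAME
  [sample_ed25519_line, 'not a key', "ssh-rsa AAAA a\nssh-rsa BBBB b"].each do |candidate|
    puts "#{candidate[0, 30].inspect} => #{valid_ssh_public_key?(candidate)}"
  end
end
```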