API server accepts modern SSH key types (elliptic curve/ecdsa/ed25519)
The API server validates SSH public keys: see
This validation uses the sshkey gem which claims to only support RSA and DSA keys.
We would like to support all the same key types as OpenSSH: dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk, rsa
Figure out what our options are for validating other public key types, and implement one.
Updated by Brett Smith 9 months ago
Based on this StackOverflow, one option seems to be to pipe the key to ssh-keygen -l -f -.
ssh-keygen -l tries to generate a public key's fingerprint. If it can't parse a key in the input it exits nonzero, so you can just discard all the output and look at the exit code. I tested to confirm this actually works.
One upside of this approach is it means there'll be a better match between the key types Arvados accepts, and the key types the server is likely to actually understand. There can still be mismatch from OpenSSH server configuration but it's at least closer.
- Status changed from New to In Progress
The go ssh library can validate all the keys currently accepted by openssh-client, without forking a subprocess.
(Subprocesses of Passenger workers in particular always seem to turn into problems eventually.)
So I'm going to see if this can be done entirely in controller.
Most of the example keys in tests were trivial to generate with ssh-keygen. I had to use an authenticator dongle to generate an ecdsa-sk key.
For completeness I would like to add an ed25519-sk key, but I haven't figured out how to generate one. Meanwhile, all the other key types just worked, so I expect ed25519-sk will also just work.
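As an added example (not code from the Arvados branch, and not the golang.org/x/crypto/ssh parser the note above refers to), the following standard-library Go program shows the structural checks that any validator of an authorized_keys line has to make before it can even reach the public-key math: the declared type must be one OpenSSH emits, the base64 blob must decode, the first string inside the blob must repeat the declared type, and for ed25519/ecdsa the payload must match the type (32-byte key, matching curve name). It also keeps a comment containing whitespace intact. The names ValidateAuthorizedKey and BuildLine are chosen here, and the key bytes in the samples are constructed placeholders, not real keys; in the controller itself x/crypto/ssh's ParseAuthorizedKey does this plus the cryptographic parse.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Key type identifiers OpenSSH writes at the start of an authorized_keys line:
// dsa, rsa, the three ecdsa curves, ed25519, and the two FIDO "-sk" variants.
var acceptedKeyTypes = map[string]bool{
	"ssh-dss": true, "ssh-rsa": true,
	"ecdsa-sha2-nistp256": true, "ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
	"sk-ecdsa-sha2-nistp256@openssh.com": true,
	"ssh-ed25519": true, "sk-ssh-ed25519@openssh.com": true,
}

// readString pulls one RFC 4251 "string" (uint32 big-endian length, then bytes)
// off the front of blob and returns it with the unread remainder.
func readString(blob []byte) (s, rest []byte, err error) {
	if len(blob) < 4 {
		return nil, nil, errors.New("blob truncated before length prefix")
	}
	n := binary.BigEndian.Uint32(blob)
	if uint64(n) > uint64(len(blob)-4) {
		return nil, nil, errors.New("blob truncated inside string")
	}
	return blob[4 : 4+n], blob[4+n:], nil
}

// ValidateAuthorizedKey parses one "<type> <base64> [comment]" line and returns
// the key type and comment. It rejects unknown types, undecodable data, a blob
// whose embedded type disagrees with the declared one, and ed25519/ecdsa blobs
// whose payload does not fit the type. The comment is returned verbatim, so
// whitespace inside it survives.
func ValidateAuthorizedKey(line string) (keyType, comment string, err error) {
	line = strings.TrimSpace(line)
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", "", errors.New("expected '<type> <base64> [comment]'")
	}
	keyType = fields[0]
	if !acceptedKeyTypes[keyType] {
		return "", "", fmt.Errorf("unsupported key type %q", keyType)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", "", fmt.Errorf("key data is not valid base64: %w", err)
	}
	// Everything after the base64 field is the comment, internal spaces intact.
	comment = strings.TrimLeft(line[len(fields[0]):], " \t")
	comment = strings.TrimLeft(comment[len(fields[1]):], " \t")

	embedded, rest, err := readString(blob)
	if err != nil {
		return "", "", err
	}
	if string(embedded) != keyType {
		return "", "", fmt.Errorf("declared type %q but blob encodes %q", keyType, embedded)
	}
	switch {
	case keyType == "ssh-ed25519" || keyType == "sk-ssh-ed25519@openssh.com":
		pk, _, err := readString(rest)
		if err != nil {
			return "", "", err
		}
		if len(pk) != 32 {
			return "", "", fmt.Errorf("ed25519 public key is %d bytes, want 32", len(pk))
		}
	case strings.Contains(keyType, "ecdsa-sha2-"):
		// The curve named inside the blob must match the curve named in the type.
		want := strings.TrimSuffix(keyType[strings.Index(keyType, "nistp"):], "@openssh.com")
		curve, _, err := readString(rest)
		if err != nil {
			return "", "", err
		}
		if string(curve) != want {
			return "", "", fmt.Errorf("type says %s but blob names curve %q", want, curve)
		}
	}
	return keyType, comment, nil
}

// BuildLine assembles an authorized_keys line from a type, the blob's remaining
// string fields, and a comment. It exists only to construct sample input here;
// the key bytes passed in are placeholders, not real keys.
func BuildLine(comment, keyType string, fields ...[]byte) string {
	var blob []byte
	for _, f := range append([][]byte{[]byte(keyType)}, fields...) {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		blob = append(append(blob, l[:]...), f...)
	}
	line := keyType + " " + base64.StdEncoding.EncodeToString(blob)
	if comment != "" {
		line += " " + comment
	}
	return line
}

func main() {
	samples := []string{
		BuildLine("test key", "ssh-ed25519", make([]byte, 32)),                               // accepted, comment has a space
		BuildLine("", "ecdsa-sha2-nistp256", []byte("nistp256"), make([]byte, 65)),             // accepted
		BuildLine("", "ecdsa-sha2-nistp384", []byte("nistp256"), make([]byte, 65)),             // curve mismatch
		"ssh-rsa " + strings.Fields(BuildLine("", "ssh-ed25519", make([]byte, 32)))[1],        // type mismatch
		"ssh-foo AAAA", // unsupported type
	}
	for _, s := range samples {
		kt, c, err := ValidateAuthorizedKey(s)
		fmt.Printf("type=%q comment=%q err=%v\n", kt, c, err)
	}
}
```

The allowlist is the one place to edit if Arvados ever wants to accept fewer types than OpenSSH does; everything after it is format-driven and does not need changing per type.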
Updated by Brett Smith 8 months ago
Tom Clegg wrote in #note-9:
This looks good to me. All the code's great. My only thought is it would be nice if at least one test key had a comment with whitespace. This is totally legit (ssh-keygen -C "test key") and something that some Mac clients seem to like to do. The current code seems to handle it fine, but a test would be good to make sure we don't accidentally break that in the future.
For completeness I would like to add an ed25519-sk key, but I haven't figured out how to generate one.
Hm, that's the type I have, it should conceptually be the same as ecdsa-sk. I could contribute a public key to the branch if you want?