Story #20241

open

API server accepts modern SSH key types (elliptic curve/ecdsa/ed25519)

Added by Brett Smith 17 days ago. Updated 4 days ago.

Status: New
Priority: Normal
Assigned To: -
Category: API
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -

Description

The API server validates SSH public keys: see public_key_must_be_unique in services/api/app/models/authorized_key.rb.

This validation uses the sshkey gem which claims to only support RSA and DSA keys.

We would like to support all the same key types as OpenSSH: dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk, rsa

Figure out what our options are for validating other public key types, and implement one.


Related issues

Blocks Arvados - Story #20224: Workbench 2 accepts modern SSH key types (elliptic curve/ecdsa/ed25519) (New)

Actions #1

Updated by Brett Smith 17 days ago

  • Blocks Story #20224: Workbench 2 accepts modern SSH key types (elliptic curve/ecdsa/ed25519) added
Actions #2

Updated by Brett Smith 17 days ago

I searched Rubygems for another gem that does the same job as sshkey and didn't find one (but admittedly it's hard to narrow down the search, it's possible I missed one). I'm gonna investigate if there are other reasonable ways to do this.

Actions #3

Updated by Brett Smith 17 days ago

Based on this StackOverflow, one option seems to be to pipe the key to ssh-keygen -l -f -. ssh-keygen -l tries to generate a public key's fingerprint. If it can't parse a key in the input it exits nonzero, so you can just discard all the output and look at the exit code. I tested to confirm this actually works.

One upside of this approach is it means there'll be a better match between the key types Arvados accepts, and the key types the server is likely to actually understand. There can still be mismatch from OpenSSH server configuration but it's at least closer.
