new OpenSSH 8.2 keytypes (ecdsa-sk and ed25519-sk) not supported by authorized_key-module #17

Closed
dennisse opened this issue Apr 27, 2020 · 6 comments

Comments

@dennisse

SUMMARY

When trying to use the authorized_key-module to add one of the new ecdsa-sk-keys OpenSSH 8.2 supports, I get an error saying invalid key specified.

Looking through

VALID_SSH2_KEY_TYPES = [
it seems ansible checks keys to see if they match a value in this list. sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com (see SSHD man page for full list of keytypes) should be added. I don't know if just adding the keytype to this list will be enough. I don't really know python, but just adding the keytype to this list did not solve the issue on my system, so there might be some additional work needed.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

authorized_key

ANSIBLE VERSION
ansible 2.9.6
CONFIGURATION
ANSIBLE_NOCOWS(env: ANSIBLE_NOCOWS) = True
OS / ENVIRONMENT

Ansible is run on macOS Catalina, 10.15.4, against hosts running Ubuntu 20.04.

STEPS TO REPRODUCE
---
- hosts: test
  gather_facts: false
  tasks:
    - name: test pubkey
      authorized_key:
        key: "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBI6ehr2PuvCMscCnNypBrLudMZn1DzwQPV/QX8AZ6QhdOt5nAvZv2Hk/WrjNIoYfqZYgQan/J0vHThfRbLVtYboAAAAEc3NoOg== ansikey@host"
        user: root
EXPECTED RESULTS

I expect the key to be added to /root/.ssh/authorized_keys.

ACTUAL RESULTS
~$ ansible-playbook play-test.yaml

PLAY [test] ********************************************************************************************

TASK [test pubkey] **************************************************************************************
fatal: [test]: FAILED! => {"changed": false, "msg": "invalid key specified: sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBI6ehr2PuvCMscCnNypBrLudMZn1DzwQPV/QX8AZ6QhdOt5nAvZv2Hk/WrjNIoYfqZYgQan/J0vHThfRbLVtYboAAAAEc3NoOg== ansikey@host"}

PLAY RECAP **********************************************************************************************
test                      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
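
The check described in the report (a declared key type matched against an allow-list), extended here to also confirm that the type string inside the base64 blob agrees with the declared type. This is an added example, not the authorized_key module's code: `VALID_KEY_TYPES`, `read_string` and `check_key_line` are hypothetical names, the allow-list is an assumed subset, and lines with leading authorized_keys options are not handled. The sample is the key from the report, with its type prefix written as it is encoded in the blob's first field.

```python
import base64
import struct

# Assumed allow-list for this example: common pre-8.2 types plus the two
# FIDO-backed "sk" types introduced in OpenSSH 8.2.
VALID_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com",
}

# Public key taken from the issue's playbook.
SAMPLE = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBI6ehr2PuvCMscCnNypBrLudMZn1DzwQPV/QX8AZ6QhdOt5nAvZv2Hk/WrjNIoYfqZYgQan/J0vHThfRbLVtYboAAAAEc3NoOg=="
    " ansikey@host"
)

def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end

def check_key_line(line):
    """Return (key_type, fields) for '<type> <base64> [comment]' or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    if declared not in VALID_KEY_TYPES:
        raise ValueError("unsupported key type: %s" % declared)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64: %s" % exc)
    fields, offset = [], 0
    while offset < len(blob):  # every field in these key blobs is length-prefixed
        field, offset = read_string(blob, offset)
        fields.append(field)
    if not fields or fields[0].decode("ascii", "replace") != declared:
        raise ValueError("blob type does not match declared type")
    return declared, fields
```

For the sample key the parsed fields are the type string, the curve name `nistp256`, a 65-byte uncompressed EC point, and the FIDO application string `ssh:`.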

@fbettag
Contributor

fbettag commented May 29, 2020

My Pull-Request at least remedies sk-ecdsa. Any idea how it looks for ed25519?

#30

@fbettag
Contributor

fbettag commented May 31, 2020

I just amended my PR to contain all current ssh key types.

@maxamillion
Collaborator

Fixed by #30

@maxamillion
Collaborator

@fbettag Thank you for the pull request, greatly appreciate the contribution!

@savchenko

@maxamillion, it looks like -SK keys aren't supported by Ansible core (ansible/ansible#75519) but can be provisioned by the posix collection... Am I reading this right? If so, warning users about side-effects might be worthwhile.

@Akasurde
Member

@savchenko authorized_key handles all key types irrespective of whether it is supported by Ansible. We can add a note in the documentation about this. Please feel free to open a PR. Thanks.
