
Supporting restricted SSH keys #332

Closed · mboisson opened this issue Feb 27, 2024 · 4 comments · Fixed by #344

Labels: enhancement (New feature or request)

Comments

@mboisson
Member

I wanted to restrict the keys that are used in the centos account, so that they can only be used from specific IP address ranges to get some protection in case of compromise, but that results in:

Failed to apply catalog: Parameter type failed on Ssh_authorized_key[centos_AAAAC3NzaC1lZDI1NTE5AAAAIExK6iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw]: Invalid value "from='<REDACTED>'". Valid values are ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com. (file: /etc/puppetlabs/code/environments/production/site/profile/manifests/users.pp, line: 171)

Is that a check that is done by Puppet?

@cmd-ntrf
Member

Puppet appears to support options, but we will have to improve how we parse the SSH key string to create the resource. Currently, we assume the key has the format <TYPE> <KEY> [<COMMENT>], so when you add options at the beginning, we incorrectly take the options as the type, the type as the key, and the key as the comment.

We would need to improve the following code to support [<OPTIONS>] <TYPE> <KEY> [<COMMENT>]:
https://github.com/ComputeCanada/puppet-magic_castle/blob/main/site/profile/manifests/users.pp#L145

@cmd-ntrf cmd-ntrf added the enhancement New feature or request label Feb 27, 2024
@cmd-ntrf cmd-ntrf self-assigned this Feb 29, 2024
@mboisson
Member Author

Instead of splitting on space, we should split on the key types:
https://www.puppet.com/docs/puppet/5.5/types/ssh_authorized_key.html, i.e.

ssh-dss
ssh-rsa
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-ed25519
dsa
ed25519
rsa

i.e., something like (my puppet-regexp-fu isn't great, so there may be errors):

# Key types accepted by ssh_authorized_key. The type must be preceded by the start
# of the string or whitespace and followed by whitespace, so "rsa" inside an
# option value or comment is not taken for the type.
$type_re = /(?:^|\s)(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|dsa|ed25519|rsa)\s/
# Puppet variables cannot be reassigned, so $type is set once from the match;
# $1 is the first capture group, i.e. the type itself.
$type = if $sshkey =~ $type_re { $1 } else { '' }
if $type != '' {
  # Splitting on the type (and surrounding whitespace) gives [options, key...]
  # when options precede the type, or ['', key...] when the string starts with it.
  $keyparts = split($sshkey, "\\s*${type}\\s+")
  if length($keyparts) > 1 {
    $options = $keyparts[0]
    $key = $keyparts[1]
  }
  else {
    $key = $keyparts[0]
  }
}
...

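A parser for the [<OPTIONS>] <TYPE> <KEY> [<COMMENT>] format discussed in the two comments above, as an added example in Python (not code from puppet-magic_castle, whose manifests are Puppet): it follows the rule sshd itself uses, that an options field is present only when the line does not start with a key type, and it scans the options with quote tracking because values such as command="..." may contain spaces, which both a split on whitespace and a split on the bare type name get wrong. The accepted key types are the ones listed in the error message and in the comment above; the sample lines in the usage below are constructed.

```python
# Key types accepted by Puppet's ssh_authorized_key (the list in the error
# message above) plus the short aliases listed in the comment above.
KEY_TYPES = {
    "ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "ssh-ed25519", "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com", "ssh-rsa-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com", "dsa", "ed25519", "rsa",
}


def _split_options(line):
    """Split off the options field at the first whitespace outside quotes."""
    # Option values like command="echo hi there" contain spaces, and a quote
    # inside them may be escaped as \", so a plain split on whitespace fails.
    quoted = False
    i = 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options field is not followed by a key type")


def parse_authorized_key(line):
    """Return {'options', 'type', 'key', 'comment'} for one authorized_keys line."""
    # As in sshd: the line carries an options field only if its first
    # whitespace-separated word is not a known key type.
    fields = line.split(None, 2)
    options = None
    if fields and fields[0] not in KEY_TYPES:
        options, rest = _split_options(line.lstrip())
        fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no recognised key type in line")
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) == 3 else None}


if __name__ == "__main__":
    # Constructed sample line with a from= restriction and a quoted command.
    print(parse_authorized_key('from="10.0.0.0/8,192.168.1.*",command="echo hi there" '
                               'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host'))
```
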
@mboisson
Member Author

With the support for restricted keys, could we make it so that Terraform Cloud's IP address(es) is (are) added to their keys for the centos account?

@mboisson
Member Author

mboisson commented Mar 27, 2024

Hum, looking at the connection logs using the key generated for Terraform cloud, the connections seem to come from a rather large range of IP addresses (at least 27 different IP addresses). That may not be so easy to specify...

It seems to be a large number of instances on AWS EC2.

We probably need to set up our own runner for this to make any sense for the key used by Terraform Cloud.
