kola: support for ssh RSA key types other than RSA-SHA1 #1772
Comments
|
@dustymabe isn't this closed with #1749? |
See #1767 |
|
Temporarily worked around this in the configs. This is a very short term change. We don't want to have f33 go to |
|
Benjamin pointed out that the changes in Fedora and eventually openssh don't actually mean we have to change the key we're generating, but rather the key exchange algorithm. In order to do that we need to update our ssh client ( cc @bgilbert for fact checking. |
|
Right. We could disable the Afterburn test exclusively on AWS. It's possible that we might still need to pass AWS a fake RSA key to make the API happy. |
In 5c036d1 we swtched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now add both a rsa key and a ecdsa key. Using an ecdsa key allows us to workaround the updated crypto policies in F33+ that disallow the RSA SHA-1 keyexchange algorithm, but we still need an ssh-rsa key because AWS only supports ssh-rsa keys and a key gets generated and added to AWS every time we start a kola run. We'll add the rsa key first since platform/machine/aws/flight.go only adds the first key (keys[0]). We should be able to go back to RSA keys only when the golang library is updated. More info in: coreos#1772
In 5c036d1 we swtched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now add both a rsa key and a ecdsa key. Using an ecdsa key allows us to workaround the updated crypto policies in F33+ that disallow the RSA SHA-1 keyexchange algorithm, but we still need an ssh-rsa key because AWS only supports ssh-rsa keys and a key gets generated and added to AWS every time we start a kola run. We'll add the rsa key first since platform/machine/aws/flight.go only adds the first key (keys[0]). We should be able to go back to RSA keys only when the golang library is updated. More info in: coreos#1772
In 5c036d1 we swtched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now let's disable the `fcos.ignition.v3.noop` on AWS and just use a fake key for that platform to satisfy the requirement. Eventually we'll switch back to RSA keys once the golang library has been updated. See coreos#1772
In 5c036d1 we swtched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now let's disable the `fcos.ignition.v3.noop` on AWS and just use a fake key for that platform to satisfy the requirement. Eventually we'll switch back to RSA keys once the golang library has been updated. See coreos#1772
In 5c036d1 we switched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now let's disable the `fcos.ignition.v3.noop` on AWS, use a fake key for that platform to satisfy the requirement, and use an ECDSA key everywhere else. Eventually we'll switch back to RSA keys once the golang library has been updated. See coreos#1772
In 5c036d1 we switched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now let's disable the `fcos.ignition.v3.noop` on AWS, use a fake key for that platform to satisfy the requirement, and use an ECDSA key on other clouds and in all Ignition configs. Eventually we'll switch back to a single RSA key once the golang library has been updated. See coreos#1772
In 5c036d1 we switched to ecdsa keys for the new crypto policy change. In fdcfbbc we switched it back because when we create new ssh keys on AWS we'd get an error because that platform only accepts rsa keys: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws For now let's disable the `fcos.ignition.v3.noop` on AWS, use a fake key for that platform to satisfy the requirement, and use an ECDSA key on other clouds and in all Ignition configs. Eventually we'll switch back to a single RSA key once the golang library has been updated. See #1772
|
ok we're working around this temporarily by using an ecdsa key for Ignition/other cloud providers and using a throwaway key for AWS, and also disabling the |
|
Excitingly, Azure doesn't support Ed25519. |
I wonder if there is an issue somewhere where we could follow updates on that. Anywho, we should be able to just switch on type of key the way we currently do (see ac54a8a) and re-enable the |
To be clear, are you proposing generating different key types for different platforms? There's no non-RSA key type that's supported by every platform. |
we can just use EDCSA in most places (what we're doing now) and then switch AWS to Ed25519 instead of RSA, which is what we're currently doing: coreos-assembler/mantle/platform/machine/aws/flight.go Lines 61 to 78 in 602bd2a Maybe there's something I'm missing? |
|
Again, just to be clear, your proposal is to plumb a platform-specific key type into the code that generates the real keys? The thing that's confusing me is that the implication that we're doing something similar now, which we are not. The snippet you quoted generates a non-operable key for AWS. |
|
Indeed. As is often the case things are more complicated than they seem. I saw that we were generating an RSA key for AWS only and assumed we could just do the same thing but make it an I think you're implying to make it usable we'd need to update other parts of the code. |
|
Right, we're generating an unused RSA key there only because the API requires that we provide something. I do think we could plumb a key type argument into the key generation code; the call stack is It doesn't look like there's been much movement on golang/go#37278. |
|
It turns out that Azure doesn't support ECDSA either, so kola currently can't run tests on Azure (#2445). |
|
golang/go#37278 was fixed upstream, but it appears to be scoped to SSH host keys and not pubkey authentication. I think we need golang/go#39885 for that. |
|
@bgilbert does that mean that we are still blocked on this until golang/go#39885 is done? |
|
Yup. |
Basically we need to support a key type other than RSA-SHA1 so that kola can ssh in to F33+.
The short term plan is to only re-enable RSA-SHA1 briefly while we wait for an upstream feature [1] to be implemented. We had moved to an ecdsa key [2] but AWS doesn't support non RSA keys [3] so we reverted it for now in [4].
[1] golang/go#37278 (comment)
[2] #1749
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws
[4] #1767
Once the upstream golang issue is fixed let's pick up that work in mantle/kola.
The text was updated successfully, but these errors were encountered: