
MW OpenStackManager: add support for ED25519 SSH keys
Closed, ResolvedPublic

Description

I was trying to add an ED25519 SSH key to my Wikitech account on https://wikitech.wikimedia.org/wiki/Special:NovaKey and I got this error:

The provided SSH key was wrong or in unknown format.

From a quick look at the code, the message is mapped to the openstackmanager-keypairformatwrong localized message, which in turn is raised in https://github.com/wikimedia/mediawiki-extensions-OpenStackManager/blob/02afe523bcd6b4a16f55a8a6cb2c1e78a7abe923/special/SpecialNovaKey.php#L286 because of the failed check a few lines above:

if ( !preg_match( '/(^| )ssh-(rsa|dss) /', $key ) ) {

Is there any reason to filter out ssh-ed25519 keys?
Are they not supported beside this regex check?

On a side note, we should consider no longer accepting the weak DSA ssh-dss keys; they are disabled by default in OpenSSH 7.0+.

Details

Related Gerrit Patches:
mediawiki/extensions/OpenStackManager (master): Remove support for ssh-dsa ssh keys
mediawiki/extensions/OpenStackManager (master): Add support for ED25519 ssh key

Event Timeline

Volans created this task. Feb 26 2017, 12:26 PM
Restricted Application added a subscriber: Aklapper. Feb 26 2017, 12:26 PM

@Volans it doesn't look like ed25519 was intentionally unsupported, see https://github.com/wikimedia/mediawiki-extensions-OpenStackManager/commit/24fb4ecdb03b053c891d89b7ba6104753a9c1366 which is from 5 years ago. So we could just add ed25519 to the check.

Change 339957 had a related patch set (by Paladox) published:
Add support for ED25519 ssh key

https://gerrit.wikimedia.org/r/339957

The check was introduced by @Platonides in 24fb4ecdb03b053c891d89b7ba6104753a9c1366. @Platonides: It looks like there was no deeper rationale behind the restriction on ssh-rsa/ssh-dss except that those were the keys in use at that time?

I believe @MoritzMuehlenhoff should have an overview if there are sshds in Labs that cannot deal with ssh-ed25519 keys.

What is the worst that could happen? A user can't log into an instance and has to upload another key?

Change 339957 merged by jenkins-bot:
Add support for ED25519 ssh key

https://gerrit.wikimedia.org/r/339957

Platonides added a comment. (Edited) Feb 26 2017, 9:44 PM

As noted in the commit message, it was a check just to verify that the key was in OpenSSH format, after some people pasted keys in PuTTY format, which led to complex troubleshooting.
This commit dates from Mar 8 2012. ed25519 keys were added in December 2013.

I have approved Paladox's commit. I will follow up by adding support for ecdsa, too.
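The thread's check is a prefix regex on the type token, which is why ssh-ed25519 was rejected and why, as noted above, its real job was only to catch keys pasted in PuTTY/RFC 4716 format. The following is an added example written for this page, not code from the OpenStackManager extension, of what a stricter check looks like: it decodes the base64 blob and confirms the key type embedded in the wire format matches the leading token (the thing a prefix regex never verifies), accepts ssh-rsa, ssh-ed25519 and the three ecdsa-sha2 curves, rejects ssh-dss, and reports RFC 4716 pastes explicitly. It goes beyond the task in two assumed policy choices: a 2048-bit minimum RSA modulus and a size check on ecdsa points. The sample keys at the bottom are constructed blobs with placeholder key material, not real keys.

```python
import base64
import struct

# Accepted/rejected key types. ssh-dss is rejected as weak (OpenSSH 7.0+
# disables it by default); ed25519 and the three NIST ecdsa curves are accepted.
ACCEPTED_TYPES = {"ssh-rsa", "ssh-ed25519",
                  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
REJECTED_TYPES = {"ssh-dss"}
MIN_RSA_BITS = 2048                      # policy choice (assumption), not from the task
ECDSA_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}  # 0x04 || X || Y
RFC4716_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"   # what a PuTTY export paste starts with


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (bytes, new offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def validate_openssh_pubkey(line: str) -> str:
    """Return the key type of a well-formed, policy-compliant OpenSSH public key line.

    Raises ValueError with a user-facing reason otherwise.
    """
    line = line.strip()
    if line.startswith(RFC4716_HEADER):
        raise ValueError("key is in RFC 4716/PuTTY format; paste the OpenSSH one-line form")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type in REJECTED_TYPES:
        raise ValueError(f"{key_type} keys are weak and no longer accepted")
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64")
    # The blob itself starts with the key type; a prefix regex never checks this.
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"blob says {embedded!r} but line says {key_type!r}")
    if key_type == "ssh-ed25519":
        pub, offset = _read_string(blob, offset)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
    elif key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)
        n, offset = _read_string(blob, offset)   # mpint, may carry a leading 0x00
        if int.from_bytes(n, "big").bit_length() < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus shorter than {MIN_RSA_BITS} bits")
    else:  # ecdsa-sha2-*
        curve, offset = _read_string(blob, offset)
        point, offset = _read_string(blob, offset)
        expected_curve = key_type.rsplit("-", 1)[1]
        if curve != expected_curve.encode():
            raise ValueError("curve name in blob does not match key type")
        if point[:1] != b"\x04" or len(point) != ECDSA_POINT_LEN[expected_curve]:
            raise ValueError("ecdsa point is not an uncompressed point of the right size")
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    return key_type


def check_key(line: str):
    """(True, key_type) or (False, reason): a non-raising wrapper for form handlers."""
    try:
        return True, validate_openssh_pubkey(line)
    except ValueError as exc:
        return False, str(exc)


def build_openssh_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a one-line OpenSSH public key from wire fields (used for the samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed samples: format-valid blobs with placeholder key material, not real keys.
SAMPLE_ED25519 = build_openssh_line("ssh-ed25519", bytes(32), comment="user@example")
SAMPLE_RSA_2048 = build_openssh_line("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(255))
SAMPLE_RSA_1024 = build_openssh_line("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(127))
SAMPLE_ECDSA = build_openssh_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
SAMPLE_DSS = build_openssh_line("ssh-dss", b"\x01", b"\x01", b"\x01", b"\x01")
SAMPLE_PUTTY = '---- BEGIN SSH2 PUBLIC KEY ----\nComment: "x"\nAAAA\n---- END SSH2 PUBLIC KEY ----'
SAMPLE_MISMATCH = "ssh-rsa " + SAMPLE_ED25519.split()[1]   # ed25519 blob mislabelled as rsa

if __name__ == "__main__":
    for name, sample in [("ed25519", SAMPLE_ED25519), ("rsa2048", SAMPLE_RSA_2048),
                         ("rsa1024", SAMPLE_RSA_1024), ("ecdsa", SAMPLE_ECDSA),
                         ("dss", SAMPLE_DSS), ("putty", SAMPLE_PUTTY),
                         ("mismatch", SAMPLE_MISMATCH)]:
        print(name, check_key(sample))
```

The embedded-type comparison is what makes this a format check rather than a prefix check: a PuTTY paste, a blob from a different key type, or a truncated paste all fail at the wire-format stage with a reason the user can act on, instead of the single "wrong or unknown format" message. Adding a new key type is a one-line change to ACCEPTED_TYPES plus its type-specific length check.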

Change 340026 had a related patch set (by Paladox) published:
Remove support for ssh-dsa ssh keys

https://gerrit.wikimedia.org/r/340026

I will follow up by adding support for ecdsa, too.

https://gerrit.wikimedia.org/r/340032

@scfc: All SSH daemons in labs have fully-featured support for ed25519 (even the remaining precise instances run a backport of openssh from trusty)

Change 340026 abandoned by Paladox:
Remove support for ssh-dsa ssh keys

https://gerrit.wikimedia.org/r/340026

Paladox closed this task as Resolved. Aug 28 2017, 8:50 AM

Closing as resolved as this should now work. Please reopen if it does not.