* [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits
@ 2021-07-14 14:44 Stoiko Ivanov
2021-07-14 14:44 ` [pmg-devel] [PATCH pmg-api 1/2] cluster: refactor ssh pubkey verification Stoiko Ivanov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2021-07-14 14:44 UTC (permalink / raw)
To: pmg-devel
currently it's not possible to join a PMG cluster if the joining node (or
its root user) has a ssh-rsa key larger (or !=2048 bits)

noticed the glitch while trying to join a PMG container based on
debian-bullseye.

mid-term I'd like to also allow for other key-formats (ed25519) to work, but
since this needs a bit more work it can be postponed.

tested the patches on the same container (joining was successful)

Stoiko Ivanov (2):
  cluster: refactor ssh pubkey verification
  cluster: add '=' to ssh pubkey pattern

 src/PMG/Cluster.pm       | 5 +++--
 src/PMG/ClusterConfig.pm | 8 ++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
--
2.30.2
* [pmg-devel] [PATCH pmg-api 1/2] cluster: refactor ssh pubkey verification
From: Stoiko Ivanov @ 2021-07-14 14:44 UTC (permalink / raw)
To: pmg-devel
to only have the regex in one place.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/Cluster.pm | 5 +++--
src/PMG/ClusterConfig.pm | 8 ++++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index 131b41f..127d597 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -94,8 +94,9 @@ sub read_local_cluster_info {
$hostrsapubkey =~ s/^.*ssh-rsa\s+//i;
$hostrsapubkey =~ s/\s+root\@\S+\s*$//i;
+ my $sshpubkeypattern = PMG::ClusterConfig::Node::valid_ssh_pubkey();
die "unable to parse ${hostrsapubkey_fn}\n"
- if $hostrsapubkey !~ m/^[A-Za-z0-9\.\/\+]{200,}$/;
+ if $hostrsapubkey !~ m/$sshpubkeypattern/;
my $nodename = PVE::INotify::nodename();
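Review bot: The new call to PMG::ClusterConfig::Node::valid_ssh_pubkey() makes Cluster.pm depend on that package being loaded, and this hunk adds no matching use line. Please confirm Cluster.pm already has use PMG::ClusterConfig; among its imports; otherwise the call dies with an undefined subroutine error when read_local_cluster_info runs.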
@@ -117,7 +118,7 @@ sub read_local_cluster_info {
$rootrsapubkey =~ s/\s+root\@\S+\s*$//i;
die "unable to parse ${rootrsapubkey_fn}\n"
- if $rootrsapubkey !~ m/^[A-Za-z0-9\.\/\+]{200,}$/;
+ if $rootrsapubkey !~ m/$sshpubkeypattern/;
$res->{rootrsapubkey} = $rootrsapubkey;
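Review bot: The rootrsapubkey check reuses $sshpubkeypattern, which is declared with my in the previous hunk next to the hostrsapubkey check. Both sit in read_local_cluster_info, but if the host key parsing lives in its own block the variable is out of scope here and strict will reject it. Declaring it once at the top of the sub, before either key file is read, makes the dependency explicit.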
diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
index 166e927..b615a6c 100644
--- a/src/PMG/ClusterConfig.pm
+++ b/src/PMG/ClusterConfig.pm
@@ -45,6 +45,10 @@ use warnings;
use base qw(PMG::ClusterConfig::Base);
+sub valid_ssh_pubkey {
+ return'^[A-Za-z0-9\.\/\+]{200,}$';
+}
+
sub type {
return 'node';
}
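Review bot: valid_ssh_pubkey reads like a predicate that validates a key, yet it returns the pattern string; a name such as valid_ssh_pubkey_regex tells callers what they get back. The return line is also missing a space between return and the opening quote. A one-line comment stating that the pattern applies to the bare base64 body, after the ssh-rsa prefix and the comment field have been stripped, would help the callers in Cluster.pm.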
@@ -61,12 +65,12 @@ sub properties {
hostrsapubkey => {
description => "Public SSH RSA key for the host.",
type => 'string',
- pattern => '^[A-Za-z0-9\.\/\+]{200,}$',
+ pattern => valid_ssh_pubkey(),
},
rootrsapubkey => {
description => "Public SSH RSA key for the root user.",
type => 'string',
- pattern => '^[A-Za-z0-9\.\/\+]{200,}$',
+ pattern => valid_ssh_pubkey(),
},
fingerprint => {
description => "SSL certificate fingerprint.",
--
2.30.2
* [pmg-devel] [PATCH pmg-api 2/2] cluster: add '=' to ssh pubkey pattern
From: Stoiko Ivanov @ 2021-07-14 14:44 UTC (permalink / raw)
To: pmg-devel
ssh public keys are base64 encoded, thus can potentially contain =.

until now the RSA keys generated by Debian were 2048 bits long and did
not need padding

with bullseye (openssh (1:8.0p1-1)) the RSA keysize got increased to
3072 bits, and now does contain a =

noticed while trying to join a PMG container from a bullseye template
to my existing cluster (the error happens on the new node).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/ClusterConfig.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
index b615a6c..8d77cc4 100644
--- a/src/PMG/ClusterConfig.pm
+++ b/src/PMG/ClusterConfig.pm
@@ -46,7 +46,7 @@ use warnings;
use base qw(PMG::ClusterConfig::Base);
sub valid_ssh_pubkey {
- return'^[A-Za-z0-9\.\/\+]{200,}$';
+ return'^[A-Za-z0-9\.\/\+=]{200,}$';
}
sub type {
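Review bot: Adding = inside the character class accepts it at any position in the value, while base64 only uses it as one or two trailing padding characters. Anchoring the padding at the end, for example '^[A-Za-z0-9\.\/\+]{200,}={0,2}$', keeps 3072-bit keys working and still rejects = in the middle of the string. The class also still allows a literal dot, which is not in the base64 alphabet; dropping it could be a follow-up.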
--
2.30.2
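
The padding behaviour described in the commit message above, as an added example (not part of the original patch or the PMG code): it builds ssh-rsa public key blobs with a constructed, non-functional modulus and an assumed public exponent of 65537, then checks the base64 text against the pattern from before and after this patch. All function names are hypothetical.

```python
import base64
import re
import struct

# Patterns from the two patches: before and after '=' joined the character class.
OLD_PATTERN = r'^[A-Za-z0-9\.\/\+]{200,}$'
NEW_PATTERN = r'^[A-Za-z0-9\.\/\+=]{200,}$'


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack('>I', len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer: big-endian, with a leading
    zero byte when the top bit is set so it is not read as negative."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, 'big'))


def constructed_rsa_blob(bits: int) -> str:
    """Base64 of an ssh-rsa blob with a constructed (not real) modulus;
    only the length and the encoding matter for this check."""
    modulus = (1 << (bits - 1)) | 1  # top bit set, as in a real modulus
    blob = ssh_string(b'ssh-rsa') + ssh_mpint(65537) + ssh_mpint(modulus)
    return base64.b64encode(blob).decode('ascii')


def check(bits: int) -> dict:
    """Blob size, number of '=' padding characters, and both pattern results."""
    b64 = constructed_rsa_blob(bits)
    return {
        'blob_bytes': len(base64.b64decode(b64)),
        'padding': len(b64) - len(b64.rstrip('=')),
        'old_ok': re.search(OLD_PATTERN, b64) is not None,
        'new_ok': re.search(NEW_PATTERN, b64) is not None,
    }


def accepts_padding_mid_string() -> bool:
    """The widened class also matches '=' away from the end of the value."""
    return re.search(NEW_PATTERN, 'AB=C' * 50) is not None


if __name__ == '__main__':
    for bits in (2048, 3072, 4096):
        print(bits, check(bits))
    print('mid-string "=" accepted:', accepts_padding_mid_string())
```

A 2048-bit blob is 279 bytes, a multiple of three, so its base64 form carries no padding; the 3072-bit and 4096-bit blobs are not, which is why they only pass once `=` is allowed.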
* Re: [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits
From: Thomas Lamprecht @ 2021-07-14 16:02 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 14.07.21 16:44, Stoiko Ivanov wrote:
> currently it's not possible to join a PMG cluster if the joining node (or
> its root user) has a ssh-rsa key larger (or !=2048 bits)
>
> noticed the glitch while trying to join a PMG container based on
> debian-bullseye.
>
> mid-term I'd like to also allow for other key-formats (ed25519) to work, but
> since this needs a bit more work it can be postponed.
>

or drop using ssh completely ;-)

> tested the patches on the same container (joining was successful)
>
> Stoiko Ivanov (2):
> cluster: refactor ssh pubkey verification
> cluster: add '=' to ssh pubkey pattern
>
> src/PMG/Cluster.pm | 5 +++--
> src/PMG/ClusterConfig.pm | 8 ++++++--
> 2 files changed, 9 insertions(+), 4 deletions(-)
>

applied both patches, added the missing space in the return statement and suffixed
the method name with the _regex