* [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits
From: Stoiko Ivanov @ 2021-07-14 14:44 UTC
To: pmg-devel

currently it's not possible to join a PMG cluster if the joining node (or
its root user) has an ssh-rsa key larger (or !=2048 bits)

noticed the glitch while trying to join a PMG container based on
debian-bullseye.

mid-term I'd like to also allow for other key-formats (ed25519) to work, but
since this needs a bit more work it can be postponed.

tested the patches on the same container (joining was successful)

Stoiko Ivanov (2):
  cluster: refactor ssh pubkey verification
  cluster: add '=' to ssh pubkey pattern

 src/PMG/Cluster.pm       | 5 +++--
 src/PMG/ClusterConfig.pm | 8 ++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

-- 
2.30.2
* [pmg-devel] [PATCH pmg-api 1/2] cluster: refactor ssh pubkey verification 2021-07-14 14:44 [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Stoiko Ivanov @ 2021-07-14 14:44 ` Stoiko Ivanov 2021-07-14 14:44 ` [pmg-devel] [PATCH pmg-api 2/2] cluster: add '=' to ssh pubkey pattern Stoiko Ivanov 2021-07-14 16:02 ` [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Thomas Lamprecht 2 siblings, 0 replies; 4+ messages in thread From: Stoiko Ivanov @ 2021-07-14 14:44 UTC (permalink / raw) To: pmg-devel to only have the regex in one place. Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> --- src/PMG/Cluster.pm | 5 +++-- src/PMG/ClusterConfig.pm | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm index 131b41f..127d597 100644 --- a/src/PMG/Cluster.pm +++ b/src/PMG/Cluster.pm @@ -94,8 +94,9 @@ sub read_local_cluster_info { $hostrsapubkey =~ s/^.*ssh-rsa\s+//i; $hostrsapubkey =~ s/\s+root\@\S+\s*$//i; + my $sshpubkeypattern = PMG::ClusterConfig::Node::valid_ssh_pubkey(); die "unable to parse ${hostrsapubkey_fn}\n" - if $hostrsapubkey !~ m/^[A-Za-z0-9\.\/\+]{200,}$/; + if $hostrsapubkey !~ m/$sshpubkeypattern/; my $nodename = PVE::INotify::nodename(); @@ -117,7 +118,7 @@ sub read_local_cluster_info { $rootrsapubkey =~ s/\s+root\@\S+\s*$//i; die "unable to parse ${rootrsapubkey_fn}\n" - if $rootrsapubkey !~ m/^[A-Za-z0-9\.\/\+]{200,}$/; + if $rootrsapubkey !~ m/$sshpubkeypattern/; $res->{rootrsapubkey} = $rootrsapubkey; diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm index 166e927..b615a6c 100644 --- a/src/PMG/ClusterConfig.pm +++ b/src/PMG/ClusterConfig.pm @@ -45,6 +45,10 @@ use warnings; use base qw(PMG::ClusterConfig::Base); +sub valid_ssh_pubkey { + return'^[A-Za-z0-9\.\/\+]{200,}$'; +} + sub type { return 'node'; } 
@@ -61,12 +65,12 @@ sub properties { hostrsapubkey => { description => "Public SSH RSA key for the host.", type => 'string', - pattern => '^[A-Za-z0-9\.\/\+]{200,}$', + pattern => valid_ssh_pubkey(), }, rootrsapubkey => { description => "Public SSH RSA key for the root user.", type => 'string', - pattern => '^[A-Za-z0-9\.\/\+]{200,}$', + pattern => valid_ssh_pubkey(), }, fingerprint => { description => "SSL certificate fingerprint.", -- 2.30.2 ^ permalink raw reply [flat|nested] 4+ messages in thread
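Review bot: in the first Cluster.pm hunk (hostrsapubkey), `PMG::ClusterConfig::Node::valid_ssh_pubkey()` hardcodes the package the new sub lives in, but the ClusterConfig.pm hunk only shows `use base qw(PMG::ClusterConfig::Base);` and `sub type { return 'node'; }` as context, so it is worth confirming the sub really lands in the `PMG::ClusterConfig::Node` package and not in a neighbouring package of the same file. The name also reads like a boolean predicate ("is this a valid ssh pubkey?") while it returns a regex string that is interpolated into `m/$sshpubkeypattern/`; naming it for what it returns (for example `valid_ssh_pubkey_regex`) would make the call site self-explanatory.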
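Review bot: in the second Cluster.pm hunk (rootrsapubkey) the check now shares the pattern, but both `die "unable to parse ${rootrsapubkey_fn}\n"` messages still give no hint whether the length floor or the character class rejected the key; including the offending value's length (or the stripped value itself) in the message would have pointed straight at the padding problem the cover letter describes instead of a generic parse error on the joining node.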
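Review bot: in the hunk adding `sub valid_ssh_pubkey`, `return'^[A-Za-z0-9\.\/\+]{200,}$';` is missing the space after `return`; it parses, but it does not match the surrounding style (`return 'node';` a few lines below).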
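Review bot: in the `properties` hunk the descriptions still say "Public SSH RSA key for the host" / "for the root user", while the value the pattern accepts is only the base64 body, since read_local_cluster_info strips the `ssh-rsa` prefix and the `root@host` comment before matching; saying so in the description (e.g. "base64 body of the public SSH RSA key, without type prefix or comment") would keep API callers from submitting the full public-key line and tripping the pattern check.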
* [pmg-devel] [PATCH pmg-api 2/2] cluster: add '=' to ssh pubkey pattern 2021-07-14 14:44 [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Stoiko Ivanov 2021-07-14 14:44 ` [pmg-devel] [PATCH pmg-api 1/2] cluster: refactor ssh pubkey verification Stoiko Ivanov @ 2021-07-14 14:44 ` Stoiko Ivanov 2021-07-14 16:02 ` [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Thomas Lamprecht 2 siblings, 0 replies; 4+ messages in thread From: Stoiko Ivanov @ 2021-07-14 14:44 UTC (permalink / raw) To: pmg-devel ssh public keys are base64 encoded, thus can potentially contain =. until now the RSA keys generated by Debian were 2048 bits long and did not need padding with bullseye (openssh (1:8.0p1-1)) the RSA keysize got increased to 3072 bits, and now does contain a = noticed while trying to join a PMG container from a bullseye template to my existing cluster (the error happens on the new node). Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> --- src/PMG/ClusterConfig.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm index b615a6c..8d77cc4 100644 --- a/src/PMG/ClusterConfig.pm +++ b/src/PMG/ClusterConfig.pm @@ -46,7 +46,7 @@ use warnings; use base qw(PMG::ClusterConfig::Base); sub valid_ssh_pubkey { - return'^[A-Za-z0-9\.\/\+]{200,}$'; + return'^[A-Za-z0-9\.\/\+=]{200,}$'; } sub type { -- 2.30.2 ^ permalink raw reply [flat|nested] 4+ messages in thread
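Review bot: allowing `=` anywhere in the class is broader than base64 needs: padding only ever appears as one or two trailing `=`, so `^[A-Za-z0-9\.\/\+]{200,}={0,2}$` expresses the format exactly while still accepting the padded 3072-bit key from the commit message; as written, a `=` in the middle of the string, which no base64 encoder produces, would also pass. The `\.` in the class is likewise not a base64 character; if it is not there for a known legacy reason it could go in the same change.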
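The commit message above says the base64 body of an ssh-rsa key gains trailing `=` padding once the key is 3072 bits rather than 2048. The following Perl script is an added illustration, not part of the pmg-api patches or of the project: it builds constructed ssh-rsa blobs of 2048, 3072 and 4096 bits plus an ssh-ed25519 blob in the OpenSSH wire format, base64-encodes them the way a `.pub` file stores them, decodes them again to recover the key type and RSA modulus size, and runs the body through both the old and the new pattern from the patch. The sub names (synthetic_rsa_blob, inspect_pubkey_line) are mine, and the modulus bytes are filler whose only relevant property is their length.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# The two patterns from the patch: before and after 2/2.
my $old_re = qr/^[A-Za-z0-9\.\/\+]{200,}$/;
my $new_re = qr/^[A-Za-z0-9\.\/\+=]{200,}$/;

# SSH wire encoding (RFC 4253, section 5): a string is a uint32 big-endian
# length followed by the bytes; an mpint is a string holding a two's-complement
# integer, so a 0x00 byte is prepended when the top bit of the value is set.
sub ssh_string {
    my ($bytes) = @_;
    return pack('N', length($bytes)) . $bytes;
}

sub ssh_mpint {
    my ($bytes) = @_;
    $bytes = "\x00" . $bytes if ord(substr($bytes, 0, 1)) & 0x80;
    return ssh_string($bytes);
}

# Constructed test data: a blob shaped like an ssh-rsa public key whose modulus
# has exactly $bits bits. The modulus bytes are filler, not a real key; only
# the encoded length matters for the pattern check.
sub synthetic_rsa_blob {
    my ($bits) = @_;
    my $n = "\x80" . ("\xAB" x ($bits / 8 - 1));   # top bit set -> exactly $bits bits
    my $e = "\x01\x00\x01";                         # 65537, ssh-keygen's default exponent
    return ssh_string('ssh-rsa') . ssh_mpint($e) . ssh_mpint($n);
}

# Constructed ssh-ed25519 blob (32 filler bytes for the public point), to show
# why such keys cannot pass the length floor of either pattern.
sub synthetic_ed25519_blob {
    return ssh_string('ssh-ed25519') . ssh_string("\x42" x 32);
}

# Decode one "<type> <base64> <comment>" line and report the key type, the
# length of the base64 body and, for RSA, the modulus size in bits.
sub inspect_pubkey_line {
    my ($line) = @_;
    my ($type, $b64) = split(/\s+/, $line);
    my $blob = decode_base64($b64);
    my @fields;
    my $off = 0;
    while ($off + 4 <= length($blob)) {
        my $len = unpack('N', substr($blob, $off, 4));
        $off += 4;
        push @fields, substr($blob, $off, $len);
        $off += $len;
    }
    die "type mismatch in blob\n" unless @fields && $fields[0] eq $type;
    my %info = (type => $type, b64len => length($b64));
    if ($type eq 'ssh-rsa') {
        my $n = $fields[2];
        $n =~ s/^\x00+//;    # drop the sign byte the mpint encoding added
        my $top = ord(substr($n, 0, 1));
        $info{bits} = 8 * (length($n) - 1) + length(sprintf('%b', $top));
    }
    return \%info;
}

for my $case (
    [ 'ssh-rsa',     synthetic_rsa_blob(2048) ],
    [ 'ssh-rsa',     synthetic_rsa_blob(3072) ],
    [ 'ssh-rsa',     synthetic_rsa_blob(4096) ],
    [ 'ssh-ed25519', synthetic_ed25519_blob() ],
) {
    my ($type, $blob) = @$case;
    my $b64  = encode_base64($blob, '');
    # read_local_cluster_info strips the "ssh-rsa " prefix and the " root@host"
    # comment from such a line, leaving exactly $b64 for the pattern to check.
    my $line = "$type $b64 root\@pmg-node";
    my $info = inspect_pubkey_line($line);
    (my $pad = $b64) =~ s/^[^=]*//;    # the trailing padding, if any
    printf "%-12s %4s bits  %3d b64 chars  padding '%s'  old:%s  new:%s\n",
        $info->{type}, $info->{bits} // '-', $info->{b64len}, $pad,
        ($b64 =~ $old_re ? 'ok' : 'FAIL'), ($b64 =~ $new_re ? 'ok' : 'FAIL');
}
```

The blob lengths explain the behaviour: the 2048-bit blob is 279 bytes, a multiple of 3, so its body has no padding and passes both patterns; the 3072-bit blob is 407 bytes (one trailing `=`) and the 4096-bit blob 535 bytes (two), so those bodies pass only the new pattern. The ed25519 blob is 51 bytes, a 68-character body, which fails the `{200,}` floor of both patterns regardless of padding, which is why the cover letter treats other key types as separate work.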
* Re: [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits
From: Thomas Lamprecht @ 2021-07-14 16:02 UTC
To: Stoiko Ivanov, pmg-devel

On 14.07.21 16:44, Stoiko Ivanov wrote:
> currently it's not possible to join a PMG cluster if the joining node (or
> its root user) has a ssh-rsa key larger (or !=2048 bits)
> 
> noticed the glitch while trying to join a PMG container based on
> debian-bullseye.
> 
> mid-term I'd like to also allow for other key-formats (ed25519) to work, but
> since this needs a bit more work it can be postponed.
> 

or drop using ssh completely ;-)

> tested the patches on the same container (joining was successful)
> 
> Stoiko Ivanov (2):
>   cluster: refactor ssh pubkey verification
>   cluster: add '=' to ssh pubkey pattern
> 
>  src/PMG/Cluster.pm       | 5 +++--
>  src/PMG/ClusterConfig.pm | 8 ++++++--
>  2 files changed, 9 insertions(+), 4 deletions(-)
> 

applied both patches, added the missing space in the return statement and
suffixed the method name with the _regex
end of thread, other threads:[~2021-07-14 16:03 UTC | newest]

Thread overview: 4+ messages
2021-07-14 14:44 [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Stoiko Ivanov
2021-07-14 14:44 ` [pmg-devel] [PATCH pmg-api 1/2] cluster: refactor ssh pubkey verification Stoiko Ivanov
2021-07-14 14:44 ` [pmg-devel] [PATCH pmg-api 2/2] cluster: add '=' to ssh pubkey pattern Stoiko Ivanov
2021-07-14 16:02 ` [pmg-devel] [PATCH pmg-api 0/2] fix clusterjoin with ssh-keys !=2048 bits Thomas Lamprecht