

enh: use print_accepted_key_algorithms everywhere
speed47 committed Apr 10, 2024
1 parent 321c592 commit 3c9382a
Showing 15 changed files with 144 additions and 273 deletions.
6 changes: 3 additions & 3 deletions bin/plugin/group-owner/groupGenerateEgressKey
@@ -23,7 +23,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
);

sub help {
print <<"EOF";
osh_info <<"EOF";
Create a new public + private key pair for a group
Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
@@ -35,12 +35,12 @@ Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
--size SIZE Specifies the size of the key to be generated.
For RSA, choose between 2048 and 8192 (4096 is good).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.
For Ed25519, size is always 256.
--encrypted If specified, a passphrase will be prompted for the new key
EOF
OVH::Bastion::Plugin::generateEgressKey::help_algos();
OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
return 0;
}
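Review bot: The result of `OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0)` is dropped in `help`, so when `get_supported_ssh_algorithms_list` fails outside `PLUGIN_DOCGEN` the help text silently ends without any algorithm list and the operator gets no hint why. The same discarded call appears in selfGenerateEgressKey, groupCreate and realmCreate in this commit, and realmCreate previously stopped with `$fnret or osh_exit $fnret;` on exactly that failure, a check the new code no longer has. Because the function's success path in ssh.inc currently ends with a bare `return;`, a caller cannot test its result yet; once it returns a proper result object, each call site should read `my $fnret = OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0); osh_warn("Could not determine the accepted key algorithms: " . $fnret->msg) if !$fnret;` (or `osh_exit $fnret` where the list is mandatory, as realmCreate did).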

4 changes: 2 additions & 2 deletions bin/plugin/open/selfAddIngressKey
@@ -61,9 +61,9 @@ if (!OVH::Bastion::has_piv_helper()) {
}

if (not defined $pubKey) {
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
osh_info "Please paste the SSH key you want to add.";
OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
osh_info "\nIn any case, don't save it without a passphrase.";
osh_info "\nPlease ensure your private key is encrypted using a proper passphrase.";

if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
osh_info
7 changes: 3 additions & 4 deletions bin/plugin/open/selfGenerateEgressKey
@@ -22,7 +22,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
);

sub help {
my $text = <<"EOF";
osh_info <<"EOF";
Create a new public + private key pair on your bastion account
Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
@@ -37,9 +37,8 @@ Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
--encrypted if specified, a passphrase will be prompted for the new key
EOF
osh_info($text);
OVH::Bastion::Plugin::generateEgressKey::help_algos();
return 1;
OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
return 0;
}

#
4 changes: 2 additions & 2 deletions bin/plugin/restricted/accountCreate
@@ -103,9 +103,9 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
}

if (!$pubKey && !$noKey) {
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
osh_info "Please paste the SSH key you want to add.";
OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
osh_info "\nPlease ensure your private key is encrypted using a proper passphrase (your paste won't be echoed).";
$pubKey = <STDIN>;
}

39 changes: 10 additions & 29 deletions bin/plugin/restricted/groupCreate
@@ -26,46 +26,27 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
);

sub help {
require Term::ANSIColor;
my $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'egress');
my @algoList = @{$fnret->value};
my $algos = Term::ANSIColor::colored(uc join(' ', @algoList), 'green');
my $helpAlgoSize = '--algo rsa --size 4096';
if (grep { $_ eq 'ecdsa' } @algoList) {
$helpAlgoSize = '--algo ecdsa --size 521';
}
if (grep { $_ eq 'ed25519' } @algoList) {
$helpAlgoSize = '--algo ed25519';
}
osh_info <<"EOF";
Usage : --osh $scriptName --group GROUP --owner ACCOUNT $helpAlgoSize [--encrypted] [--no-key]
Description : creates group GROUP on the bastion with ACCOUNT as the owner
Params :
Create a group
Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE [--encrypted]|--no-key>
--group Group name to create
--group Group name to create
--owner Preexisting bastion account to assign as owner (can be you)
--owner Preexisting bastion account to assign as owner (can be you)
--encrypted Add a passphrase to the key. Beware that you'll have to enter it for each use.
--encrypted Add a passphrase to the key. Beware that you'll have to enter it for each use.
Do NOT add the passphrase after this option, you'll be prompted interactively for it.
--algo Specifies the algo of the key, either rsa, ecdsa or ed25519.
--size Specifies the size of the key to be generated.
--algo Specifies the algo of the key, either rsa, ecdsa or ed25519.
--size Specifies the size of the key to be generated.
For RSA, choose between 2048 and 8192 (4096 is good).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.
--no-key Don't generate an egress SSH key at all for this group
With the policy and SSH version on this bastion,
the following algorithms are supported: $algos
algo size strength speed compatibility
------- ---- ---------- -------- -----------------------
RSA 4096 good slow works everywhere
ECDSA 521 strong fast debian7+ (OpenSSH 5.7+)
ED25519 256 verystrong veryfast debian8+ (OpenSSH 6.5+)
--no-key Don't generate an egress SSH key at all for this group
EOF
OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
return 0;
}
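Review bot: The new `--algo` help line hard-codes `either rsa, ecdsa or ed25519` immediately before `print_accepted_key_algorithms(way => "egress", generate => 0)` prints the policy-filtered list, so on a bastion whose `allowedEgressSshAlgorithms` omits one of them the same help screen names an algorithm that the list below does not offer; the removed code derived `$algos` and `$helpAlgoSize` from the actual list precisely to avoid that. The same fixed wording is introduced in the selfGenerateEgressKey documentation in this commit. Suggest `--algo Specifies the algo of the key, see the accepted algorithms listed below.` so the static text defers to the computed list.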

27 changes: 10 additions & 17 deletions bin/plugin/restricted/realmCreate
@@ -57,24 +57,17 @@ if ($fnret) {
# TODO check $from

if (!$pubKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
my @algoList = @{$fnret->value};
my $algos = join(' ', @algoList);
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
}
if (grep { 'ecdsa' eq $_ } @algoList) {
osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
}
if (grep { 'rsa' eq $_ } @algoList) {
osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
}
osh_info
"\nThis should be the egress key of the group named 'realm' from the other side (your paste won't be echoed).";
osh_info("Please paste the SSH key you want to add, which should be the egress key ");
osh_info("of the group on the other side you want members to have access to this realm.");

osh_info("\nThis bastion supports the following algorithms:\n\n");

# don't display info about generating keys, as the public key is supposed to already exist
# skip fido algos as the key is supposed to be the egress key of another bastion
OVH::Bastion::print_accepted_key_algorithms(way => "ingress", fido => 0, generate => 0);

osh_info("\nNote that your paste won't be echoed:");
$pubKey = <STDIN>;
## use critic
}

$fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress');
55 changes: 0 additions & 55 deletions doc/sphinx-plugins-override/groupCreate.override.rst

This file was deleted.

43 changes: 0 additions & 43 deletions doc/sphinx-plugins-override/selfGenerateEgressKey.override.rst

This file was deleted.

4 changes: 2 additions & 2 deletions doc/sphinx/administration/configuration/bastion_conf.rst
@@ -218,7 +218,7 @@ allowedIngressSshAlgorithms

:Default: ``[ "rsa", "ecdsa", "ed25519" ]``

The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, ``ecdsa-sk``, ``ed25519-sk``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.

.. _allowedEgressSshAlgorithms:

@@ -229,7 +229,7 @@ allowedEgressSshAlgorithms

:Default: ``[ "rsa", "ecdsa", "ed25519" ]``

The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.

.. _minimumIngressRsaKeySize:

18 changes: 6 additions & 12 deletions doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst
@@ -30,27 +30,21 @@ Create a new public + private key pair for a group

For RSA, choose between 2048 and 8192 (4096 is good).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.
For Ed25519, size is always 256.

.. option:: --encrypted

If specified, a passphrase will be prompted for the new key


Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy.

A quick overview of the different algorithms::
A quick overview of the different algorithms:

.. code-block:: none
+---------+------+----------+-------+-----------------------------------------+
| algo | size | strength | speed | compatibility |
+=========+======+==========+=======+=========================================+
| DSA | any | 0 | n/a | obsolete, do not use |
| RSA | 2048 | ** | ** | works everywhere |
| RSA | 4096 | *** | * | works almost everywhere |
| ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) |
| Ed25519 | 256 | ***** | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) |
+---------+------+----------+-------+-----------------------------------------+
Ed25519 : robustness[###] speed[###]
ECDSA : robustness[##.] speed[###]
RSA : robustness[#..] speed[#..]
This table is meant as a quick cheat-sheet, you're warmly advised to do
your own research, as other constraints may apply to your environment.
40 changes: 19 additions & 21 deletions doc/sphinx/plugins/open/selfGenerateEgressKey.rst
@@ -2,46 +2,44 @@
selfGenerateEgressKey
======================

Create a new egress key pair on your account
============================================
Create a new public + private key pair on your bastion account
==============================================================


.. admonition:: usage
:class: cmdusage

--osh selfGenerateEgressKey --algo ALGO --size SIZE [--encrypted]

.. program:: selfForgetHostKey
.. program:: selfGenerateEgressKey


.. option:: --algo ALGO

Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies
Specifies the algo of the key, either rsa, ecdsa or ed25519.


.. option:: --size SIZE

Specifies the size of the key to be generated.
For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.

For RSA, choose between 2048 and 8192 (4096 is good).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.

.. option:: --encrypted

When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key.
if specified, a passphrase will be prompted for the new key



Algorithms guideline
====================
A quick overview of the different algorithms:

A quick overview of the different algorithms::
.. code-block:: none
+---------+------+-----------+---------+-----------------------------------------+
| algo | size | strength | speed | compatibility |
+=========+======+===========+=========+=========================================+
| DSA | any | 0 | n/a | obsolete, do not use |
| RSA | 2048 | ** | ** | works everywhere |
| RSA | 4096 | *** | * | works almost everywhere |
| ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) |
| ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) |
+---------+------+-----------+---------+-----------------------------------------+
Ed25519 : robustness[###] speed[###]
ECDSA : robustness[##.] speed[###]
RSA : robustness[#..] speed[#..]
This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment.
This table is meant as a quick cheat-sheet, you're warmly advised to do
your own research, as other constraints may apply to your environment.
60 changes: 30 additions & 30 deletions doc/sphinx/plugins/restricted/groupCreate.rst
@@ -2,58 +2,58 @@
groupCreate
============

Create a new bastion group
==========================
Create a group
==============


.. admonition:: usage
:class: cmdusage

--osh groupCreate --group NAME --owner ACCOUNT --algo ALGO --size SIZE [OPTIONS]
--osh groupCreate --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE [--encrypted]|--no-key>

.. program:: groupCreate


.. option:: --group NAME
.. option:: --group

Group name to create, NAME must contain only valid UNIX group name characters
Group name to create

.. option:: --owner ACCOUNT

Account to set as the group owner, this account will have complete rights to manage the group
.. option:: --owner

.. option:: --algo ALGO
Preexisting bastion account to assign as owner (can be you)

Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies

.. option:: --size SIZE
.. option:: --encrypted

Specifies the size of the key to be generated.
For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.
Add a passphrase to the key. Beware that you'll have to enter it for each use.

.. option:: --encrypted
Do NOT add the passphrase after this option, you'll be prompted interactively for it.

.. option:: --algo

Specifies the algo of the key, either rsa, ecdsa or ed25519.

When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key.
.. option:: --size

Specifies the size of the key to be generated.

For RSA, choose between 2048 and 8192 (4096 is good).
For ECDSA, choose either 256, 384 or 521.
For ED25519, size is always 256.

.. option:: --no-key

No egress key pair will be generated. In that case, omit ``--algo`` and ``--size``.
Don't generate an egress SSH key at all for this group


Algorithms guideline
====================
A quick overview of the different algorithms:

A quick overview of the different algorithms::
.. code-block:: none
+---------+------+-----------+---------+-----------------------------------------+
| algo | size | strength | speed | compatibility |
+=========+======+===========+=========+=========================================+
| DSA | any | 0 | n/a | obsolete, do not use |
| RSA | 2048 | ** | ** | works everywhere |
| RSA | 4096 | *** | * | works almost everywhere |
| ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) |
| ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) |
+---------+------+-----------+---------+-----------------------------------------+
Ed25519 : robustness[###] speed[###]
ECDSA : robustness[##.] speed[###]
RSA : robustness[#..] speed[#..]
This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment.
This table is meant as a quick cheat-sheet, you're warmly advised to do
your own research, as other constraints may apply to your environment.
4 changes: 2 additions & 2 deletions etc/bastion/bastion.conf.dist
@@ -55,12 +55,12 @@
# >> All the options related to the SSH configuration and policies, both for ingress and egress connections.
#
# allowedIngressSshAlgorithms (array of strings (algorithm names))
# DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
# DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, ``ecdsa-sk``, ``ed25519-sk``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
# DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
"allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519", "ecdsa-sk", "ed25519-sk" ],
#
# allowedEgressSshAlgorithms (array of strings (algorithm names))
# DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
# DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
# DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
"allowedEgressSshAlgorithms": [ "rsa", "ecdsa", "ed25519" ],
#
40 changes: 0 additions & 40 deletions lib/perl/OVH/Bastion/Plugin/generateEgressKey.pm
@@ -9,46 +9,6 @@ use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw{ :DEFAULT };

sub help_algos {
require Term::ANSIColor;
my $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'egress');
my @algoList = @{$fnret->value};
my $algos = Term::ANSIColor::colored(uc join(' ', @algoList), 'green');

# when generating documentation, don't talk about "this" bastion, be generic
if ($ENV{'PLUGIN_DOCGEN'}) {
osh_info <<"EOF";
Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy.
A quick overview of the different algorithms::
EOF
}
else {
osh_info <<"EOF";
With the policy and SSH version on this bastion,
the following algorithms are supported: $algos.
A quick overview of the different algorithms:
EOF
}
osh_info <<"EOF";
+---------+------+----------+-------+-----------------------------------------+
| algo | size | strength | speed | compatibility |
+=========+======+==========+=======+=========================================+
| DSA | any | 0 | n/a | obsolete, do not use |
| RSA | 2048 | ** | ** | works everywhere |
| RSA | 4096 | *** | * | works almost everywhere |
| ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) |
| Ed25519 | 256 | ***** | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) |
+---------+------+----------+-------+-----------------------------------------+
This table is meant as a quick cheat-sheet, you're warmly advised to do
your own research, as other constraints may apply to your environment.
EOF
return 0;
}

sub ask_passphrase {
require Term::ReadKey;
print "Please enter a passphrase for the private key that'll stay on the bastion (not echoed): ";
66 changes: 55 additions & 11 deletions lib/perl/OVH/Bastion/ssh.inc
@@ -1050,29 +1050,73 @@ sub is_effective_piv_account_policy_enabled {

# Deduces from the bastion config what algorithms are accepted.
sub print_accepted_key_algorithms {
my %params = @_;
my $way = $params{'way'};
my %params = @_;
my $way = $params{'way'};
my $fido = ($params{'fido'} // 1);
my $generate = ($params{'generate'} // 1);
my $fnret;

my @algoList;
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
$fnret or return $fnret;
my @algoList = @{$fnret->value};
if (!$fnret && $ENV{'PLUGIN_DOCGEN'}) {
@algoList = qw{ rsa ecdsa ed25519 };
push @algoList, qw{ ecdsa-sk ed25519-sk } if ($way eq 'ingress');
}
elsif (!$fnret) {
return $fnret;
}
else {
@algoList = @{$fnret->value};
}

my ($X, $o) = qw{ # . };
if (OVH::Bastion::can_use_utf8() && OVH::Bastion::config('fanciness')->value eq 'full') {
$X = "\N{U+2713}";
$o = " ";
}

require POSIX;
my $bastionName = OVH::Bastion::config('bastionName')->value;
my $appName = "ssh:" . POSIX::strftime("%Y-%m-%d.", localtime()) . substr($bastionName, 0, 24);

my $hasFido = 0;

my $prefix = "";
osh_info("A quick overview of the different algorithms:");
if ($ENV{'PLUGIN_DOCGEN'}) {
$prefix = " ";
osh_info("\n.. code-block:: none\n");
}

if (grep { 'ed25519-sk' eq $_ } @algoList) {
osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
if ($fido && grep { 'ed25519-sk' eq $_ } @algoList) {
osh_info("${prefix}FIDO2 Ed25519: robustness[$X$X$X] speed[$X$X$X]"
. ($generate ? ", generate: `ssh-keygen -t ed25519-sk -O resident -O application=$appName" : ""));
$hasFido = 1;
}
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519 : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
osh_info("${prefix}Ed25519 : robustness[$X$X$X] speed[$X$X$X]"
. ($generate ? ", generate: `ssh-keygen -t ed25519'" : ""));
}
if (grep { 'ecdsa-sk' eq $_ } @algoList) {
osh_info "FIDO2 ECDSA : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
if ($fido && grep { 'ecdsa-sk' eq $_ } @algoList) {
osh_info("${prefix}FIDO2 ECDSA : robustness[$X$X$o] speed[$X$X$X]"
. ($generate ? ", generate: `ssh-keygen -t ecdsa-sk -b 521 -O resident -O application=$appName" : ""));
$hasFido = 1;
}
if (grep { 'ecdsa' eq $_ } @algoList) {
osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
osh_info("${prefix}ECDSA : robustness[$X$X$o] speed[$X$X$X]"
. ($generate ? ", generate: `ssh-keygen -t ecdsa -b 521'" : ""));
}
if (grep { 'rsa' eq $_ } @algoList) {
osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
osh_info("${prefix}RSA : robustness[$X$o$o] speed[$X$o$o]"
. ($generate ? ", generate: `ssh-keygen -t rsa -b 4096'" : ""));
}

if ($hasFido) {
osh_info("\nNote that FIDO2 algorithms require a FIDO2-compatible hardware Security Key.");
}
osh_info("\nThis table is meant as a quick cheat-sheet, you're warmly advised to do");
osh_info("your own research, as other constraints may apply to your environment.");
return;
}

1;
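Review bot: `print_accepted_key_algorithms` returns `$fnret` (a false result object) when `get_supported_ssh_algorithms_list` fails, but its success path ends with a bare `return;`, so a caller sees a false value either way and cannot tell the two apart; every call site in this commit consequently ignores the return value. Changing the last line to `return R('OK');` (the success result used elsewhere in the code base, assuming `OVH::Result` is in scope in ssh.inc) would let callers test the result the way the old realmCreate did. A smaller wording point: the Ed25519, ECDSA and RSA hints close their command with a quote (`-t ed25519'`) while the two FIDO2 hints end right after `$appName` without one, so the printed text looks unbalanced. Finally, the FIDO2 hints recommend `-O resident`, which stores a discoverable credential on the security key; unless the bastion actually relies on that, a one-line comment above the `$appName` computation stating why resident keys are suggested, and that non-resident keys work too, would help the next maintainer.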

