Factor out in a generic function the helper listing allowed ssh key a…

…lgorithm
ovh · Mar 27, 2024 · 6bad6da · 6bad6da
1 parent db5113c
commit 6bad6da
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 34 deletions.
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
@@ -61,27 +61,8 @@ if (!OVH::Bastion::has_piv_helper()) {
 }
 
 if (not defined $pubKey) {
-    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
-    $fnret or osh_exit $fnret;
-    my @algoList = @{$fnret->value};
-    my $algos    = join(' ', @algoList);
     osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-
-    if (grep { 'ed25519-sk' eq $_ } @algoList) {
-        osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
-    }
-    if (grep { 'ed25519' eq $_ } @algoList) {
-        osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
-    }
-    if (grep { 'ecdsa-sk' eq $_ } @algoList) {
-        osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
-    }
-    if (grep { 'ecdsa' eq $_ } @algoList) {
-        osh_info "ECDSA  : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
-    }
-    if (grep { 'rsa' eq $_ } @algoList) {
-        osh_info "RSA    : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
-    }
+    OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
     osh_info "\nIn any case, don't save it without a passphrase.";
 
     if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {

diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
@@ -103,20 +103,8 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }
 
 if (!$pubKey && !$noKey) {
-    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
-    $fnret or osh_exit $fnret;
-    my @algoList = @{$fnret->value};
-    my $algos    = join(' ', @algoList);
     osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-    if (grep { 'ed25519' eq $_ } @algoList) {
-        osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
-    }
-    if (grep { 'ecdsa' eq $_ } @algoList) {
-        osh_info "ECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
-    }
-    if (grep { 'rsa' eq $_ } @algoList) {
-        osh_info "RSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
-    }
+    OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
     osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
     $pubKey = <STDIN>;
 }

diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
@@ -156,7 +156,7 @@ my %_autoload_files = (
     ],
     password => [qw{ get_hashes_from_password get_password_file get_hashes_list is_valid_hash }],
     ssh      => [
-        qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled }
+        qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled print_accepted_key_algorithms }
     ],
 );
 

diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
@@ -1048,4 +1048,32 @@ sub is_effective_piv_account_policy_enabled {
       : R('KO_DISABLED', msg => "inherits the globally disabled policy");
 }
 
+# Deduces from the bastion config what algorithms are accepted.
+sub print_accepted_key_algorithms {
+    my %params  = @_;
+    my $way = $params{'way'};
+    my $fnret;
+
+    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
+    $fnret or osh_exit $fnret;
+    my @algoList = @{$fnret->value};
+    my $algos    = join(' ', @algoList);
+
+    if (grep { 'ed25519-sk' eq $_ } @algoList) {
+        osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+    }
+    if (grep { 'ed25519' eq $_ } @algoList) {
+        osh_info "ED25519      : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+    }
+    if (grep { 'ecdsa-sk' eq $_ } @algoList) {
+        osh_info "FIDO2 ECDSA  : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
+    }
+    if (grep { 'ecdsa' eq $_ } @algoList) {
+        osh_info "ECDSA        : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+    }
+    if (grep { 'rsa' eq $_ } @algoList) {
+        osh_info "RSA          : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+    }
+}
+
 1;