From 6bad6dae434642905e4e33498eeef107b0ff73a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Mon, 25 Sep 2023 15:36:51 +0200
Subject: [PATCH] Factor out in a generic function the helper listing allowed ssh key algorithm
---
bin/plugin/open/selfAddIngressKey | 21 +--------------------
bin/plugin/restricted/accountCreate | 14 +-------------
lib/perl/OVH/Bastion.pm | 2 +-
lib/perl/OVH/Bastion/ssh.inc | 28 ++++++++++++++++++++++++++++
4 files changed, 31 insertions(+), 34 deletions(-)
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
index 63f02345d..37d949b96 100755
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@@ -61,27 +61,8 @@ if (!OVH::Bastion::has_piv_helper()) {
 }
 if (not defined $pubKey) {
- $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
- $fnret or osh_exit $fnret;
- my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
 osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-
- if (grep { 'ed25519-sk' eq $_ } @algoList) {
- osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
- }
- if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
- }
- if (grep { 'ecdsa-sk' eq $_ } @algoList) {
- osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
- }
- if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
- }
- if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
- }
+ OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
 osh_info "\nIn any case, don't save it without a passphrase.";
 if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
index 8d5bc5a64..8b57af2b3 100755
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
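Review bot: The failure check that used to sit here, `$fnret or osh_exit $fnret;`, is gone and the new call `OVH::Bastion::print_accepted_key_algorithms(way => "ingress");` discards its return value, so this plugin now relies on the library routine in ssh.inc terminating the process itself when the algorithm list cannot be fetched. That is a hidden control-flow dependency on a helper whose neighbours return status objects; if the helper is later made to return a status, this line needs to become `$fnret = OVH::Bastion::print_accepted_key_algorithms(way => 'ingress'); $fnret or osh_exit $fnret;`. The accountCreate hunk has the same pattern at its call site. The enclosing `if (not defined $pubKey)` block continues past the end of the hunk.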
@@ -103,20 +103,8 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }
 if (!$pubKey && !$noKey) {
- $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
- $fnret or osh_exit $fnret;
- my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
 osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
- if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
- }
- if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
- }
- if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
- }
+ OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
 osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
 $pubKey = ;
 }
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index ecb33bcc9..f41ed7a07 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
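Review bot: This call site changes what the admin is told, not only where the text lives: the removed lines advertised only ed25519, ecdsa and rsa, while the shared helper also prints the ed25519-sk and ecdsa-sk entries whenever the ingress list contains them. That is presumably the intent of unifying the two plugins, but the commit message only speaks of factoring out, so a sentence such as `accountCreate now also lists the FIDO2 (-sk) key types when the bastion config accepts them` in the description would make the user-visible change explicit. The enclosing `if (!$pubKey && !$noKey)` block is fully inside the hunk; the script continues past it.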
@@ -156,7 +156,7 @@ my %_autoload_files = (
 ],
 password => [qw{ get_hashes_from_password get_password_file get_hashes_list is_valid_hash }],
 ssh => [
- qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled }
+ qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled print_accepted_key_algorithms }
 ],
 );
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 42de94d5c..b78195d88 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -1048,4 +1048,32 @@ sub is_effective_piv_account_policy_enabled {
 : R('KO_DISABLED', msg => "inherits the globally disabled policy");
 }
+# Deduces from the bastion config what algorithms are accepted.
+sub print_accepted_key_algorithms {
+ my %params = @_;
+ my $way = $params{'way'};
+ my $fnret;
+
+ $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
+ $fnret or osh_exit $fnret;
+ my @algoList = @{$fnret->value};
+ my $algos = join(' ', @algoList);
+
+ if (grep { 'ed25519-sk' eq $_ } @algoList) {
+ osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+ }
+ if (grep { 'ed25519' eq $_ } @algoList) {
+ osh_info "ED25519 : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+ }
+ if (grep { 'ecdsa-sk' eq $_ } @algoList) {
+ osh_info "FIDO2 ECDSA : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
+ }
+ if (grep { 'ecdsa' eq $_ } @algoList) {
+ osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+ }
+ if (grep { 'rsa' eq $_ } @algoList) {
+ osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+ }
+}
+
 1;
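Review bot: `my $algos = join(' ', @algoList);` is assigned and never read; it was already dead at both original call sites and was carried along with the copy, so drop it. More importantly for a library routine, `$fnret or osh_exit $fnret;` terminates the calling process from inside ssh.inc when the algorithm list cannot be read, and the sub then falls off its last `if` with no explicit `return`, whereas the neighbouring `is_effective_piv_account_policy_enabled` hands an `R(...)` status back to the caller; `return $fnret if !$fnret;` plus `return R('OK', value => \@algoList);` at the end would let the plugins keep the decision. The header comment also undersells what the sub does: it does not only deduce, it prints; something like `# Prints, via osh_info, one line per key algorithm the bastion config accepts for $params{way}, each with the ssh-keygen invocation that produces such a key.` would match the body. The new sub is entirely inside the hunk; the hunk header's `is_effective_piv_account_policy_enabled` starts before it.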