enh: use print_accepted_key_algorithms everywhere

bin/plugin/group-owner/groupGenerateEgressKey

@@ -23,7 +23,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 );
 
 sub help {
-    print <<"EOF";
+    osh_info <<"EOF";
 Create a new public + private key pair for a group
 
 Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
@@ -35,12 +35,12 @@ Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
   --size SIZE    Specifies the size of the key to be generated.
                    For RSA, choose between 2048 and 8192 (4096 is good).
                    For ECDSA, choose either 256, 384 or 521.
-                   For ED25519, size is always 256.
+                   For Ed25519, size is always 256.
 
   --encrypted    If specified, a passphrase will be prompted for the new key
 
 EOF
-    OVH::Bastion::Plugin::generateEgressKey::help_algos();
+    OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
     return 0;
 }
 

bin/plugin/open/selfAddIngressKey

@@ -61,9 +61,9 @@ if (!OVH::Bastion::has_piv_helper()) {
 }
 
 if (not defined $pubKey) {
-    osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
+    osh_info "Please paste the SSH key you want to add.";
     OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
-    osh_info "\nIn any case, don't save it without a passphrase.";
+    osh_info "\nPlease ensure your private key is encrypted using a proper passphrase.";
 
     if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
         osh_info

bin/plugin/open/selfGenerateEgressKey

@@ -22,7 +22,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 );
 
 sub help {
-    my $text = <<"EOF";
+    osh_info <<"EOF";
 Create a new public + private key pair on your bastion account
 
 Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
@@ -37,9 +37,8 @@ Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
   --encrypted  if specified, a passphrase will be prompted for the new key
 
 EOF
-    osh_info($text);
-    OVH::Bastion::Plugin::generateEgressKey::help_algos();
-    return 1;
+    OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
+    return 0;
 }
 
 #

bin/plugin/restricted/accountCreate

@@ -103,9 +103,9 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }
 
 if (!$pubKey && !$noKey) {
-    osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
+    osh_info "Please paste the SSH key you want to add.";
     OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
-    osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
+    osh_info "\nPlease ensure your private key is encrypted using a proper passphrase (your paste won't be echoed).";
     $pubKey = <STDIN>;
 }
 

bin/plugin/restricted/groupCreate

@@ -26,46 +26,27 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 );
 
 sub help {
-    require Term::ANSIColor;
-    my $fnret        = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'egress');
-    my @algoList     = @{$fnret->value};
-    my $algos        = Term::ANSIColor::colored(uc join(' ', @algoList), 'green');
-    my $helpAlgoSize = '--algo rsa --size 4096';
-    if (grep { $_ eq 'ecdsa' } @algoList) {
-        $helpAlgoSize = '--algo ecdsa --size 521';
-    }
-    if (grep { $_ eq 'ed25519' } @algoList) {
-        $helpAlgoSize = '--algo ed25519';
-    }
     osh_info <<"EOF";
-Usage       : --osh $scriptName --group GROUP --owner ACCOUNT $helpAlgoSize [--encrypted] [--no-key]
-Description : creates group GROUP on the bastion with ACCOUNT as the owner
-Params      :
+Create a group
+
+Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE [--encrypted]|--no-key>
 
-    --group       Group name to create
+  --group       Group name to create
 
-    --owner       Preexisting bastion account to assign as owner (can be you)
+  --owner       Preexisting bastion account to assign as owner (can be you)
 
-    --encrypted   Add a passphrase to the key. Beware that you'll have to enter it for each use.
+  --encrypted   Add a passphrase to the key. Beware that you'll have to enter it for each use.
                   Do NOT add the passphrase after this option, you'll be prompted interactively for it.
 
-    --algo        Specifies the algo of the key, either rsa, ecdsa or ed25519.
-    --size        Specifies the size of the key to be generated.
+  --algo        Specifies the algo of the key, either rsa, ecdsa or ed25519.
+  --size        Specifies the size of the key to be generated.
                   For RSA, choose between 2048 and 8192 (4096 is good).
                   For ECDSA, choose either 256, 384 or 521.
                   For ED25519, size is always 256.
 
-    --no-key      Don't generate an egress SSH key at all for this group
-
-With the policy and SSH version on this bastion,
-the following algorithms are supported: $algos
-
-algo    size  strength   speed    compatibility
-------- ----  ---------- -------- -----------------------
-RSA     4096  good       slow     works everywhere
-ECDSA    521  strong     fast     debian7+ (OpenSSH 5.7+)
-ED25519  256  verystrong veryfast debian8+ (OpenSSH 6.5+)
+  --no-key      Don't generate an egress SSH key at all for this group
 EOF
+    OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
     return 0;
 }
 

bin/plugin/restricted/realmCreate

@@ -57,24 +57,17 @@ if ($fnret) {
 # TODO check $from
 
 if (!$pubKey) {
-    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
-    $fnret or osh_exit $fnret;
-    my @algoList = @{$fnret->value};
-    my $algos    = join(' ', @algoList);
-    osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-    if (grep { 'ed25519' eq $_ } @algoList) {
-        osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
-    }
-    if (grep { 'ecdsa' eq $_ } @algoList) {
-        osh_info "ECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
-    }
-    if (grep { 'rsa' eq $_ } @algoList) {
-        osh_info "RSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
-    }
-    osh_info
-      "\nThis should be the egress key of the group named 'realm' from the other side (your paste won't be echoed).";
+    osh_info("Please paste the SSH key you want to add, which should be the egress key ");
+    osh_info("of the group on the other side you want members to have access to this realm.");
+
+    osh_info("\nThis bastion supports the following algorithms:\n\n");
+
+    # don't display info about generating keys, as the public key is supposed to already exist
+    # skip fido algos as the key is supposed to be the egress key of another bastion
+    OVH::Bastion::print_accepted_key_algorithms(way => "ingress", fido => 0, generate => 0);
+
+    osh_info("\nNote that your paste won't be echoed:");
     $pubKey = <STDIN>;
-    ## use critic
 }
 
 $fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress');

doc/sphinx/administration/configuration/bastion_conf.rst

@@ -218,7 +218,7 @@ allowedIngressSshAlgorithms
 
 :Default: ``[ "rsa", "ecdsa", "ed25519" ]``
 
-The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
+The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, ``ecdsa-sk``, ``ed25519-sk``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
 
 .. _allowedEgressSshAlgorithms:
 
@@ -229,7 +229,7 @@ allowedEgressSshAlgorithms
 
 :Default: ``[ "rsa", "ecdsa", "ed25519" ]``
 
-The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
+The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
 
 .. _minimumIngressRsaKeySize:
 

doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst

@@ -30,27 +30,21 @@ Create a new public + private key pair for a group
 
                    For RSA, choose between 2048 and 8192 (4096 is good).
                    For ECDSA, choose either 256, 384 or 521.
-                   For ED25519, size is always 256.
+                   For Ed25519, size is always 256.
 
 .. option:: --encrypted
 
    If specified, a passphrase will be prompted for the new key
 
 
-Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy.
 
-A quick overview of the different algorithms::
+A quick overview of the different algorithms:
 
+.. code-block:: none
 
-  +---------+------+----------+-------+-----------------------------------------+
-  | algo    | size | strength | speed | compatibility                           |
-  +=========+======+==========+=======+=========================================+
-  | DSA     |  any | 0        | n/a   | obsolete, do not use                    |
-  | RSA     | 2048 | **       | **    | works everywhere                        |
-  | RSA     | 4096 | ***      | *     | works almost everywhere                 |
-  | ECDSA   |  521 | ****     | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) |
-  | Ed25519 |  256 | *****    | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) |
-  +---------+------+----------+-------+-----------------------------------------+
+   Ed25519      : robustness[###] speed[###]
+   ECDSA        : robustness[##.] speed[###]
+   RSA          : robustness[#..] speed[#..]
 
 This table is meant as a quick cheat-sheet, you're warmly advised to do
 your own research, as other constraints may apply to your environment.

doc/sphinx/plugins/open/selfGenerateEgressKey.rst

@@ -2,46 +2,44 @@
 selfGenerateEgressKey
 ======================
 
-Create a new egress key pair on your account
-============================================
+Create a new public + private key pair on your bastion account
+==============================================================
 
 
 .. admonition:: usage
    :class: cmdusage
 
    --osh selfGenerateEgressKey --algo ALGO --size SIZE [--encrypted]
 
-.. program:: selfForgetHostKey
+.. program:: selfGenerateEgressKey
 
 
 .. option:: --algo ALGO
 
-   Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies
+   Specifies the algo of the key, either rsa, ecdsa or ed25519.
+
 
 .. option:: --size SIZE
 
    Specifies the size of the key to be generated.
-   For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful).
-   For ECDSA, choose either 256, 384 or 521.
-   For ED25519, size is always 256.
+
+               For RSA, choose between 2048 and 8192 (4096 is good).
+               For ECDSA, choose either 256, 384 or 521.
+               For ED25519, size is always 256.
 
 .. option:: --encrypted
 
-   When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key.
+   if specified, a passphrase will be prompted for the new key
+
+
 
-Algorithms guideline
-====================
+A quick overview of the different algorithms:
 
-A quick overview of the different algorithms::
+.. code-block:: none
 
-  +---------+------+-----------+---------+-----------------------------------------+
-  | algo    | size | strength  | speed   | compatibility                           |
-  +=========+======+===========+=========+=========================================+
-  | DSA     |  any | 0         | n/a     | obsolete, do not use                    |
-  | RSA     | 2048 | **        | **      | works everywhere                        |
-  | RSA     | 4096 | ***       | *       | works almost everywhere                 |
-  | ECDSA   |  521 | ****      | *****   | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) |
-  | ED25519 |  256 | *****     | *****   | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) |
-  +---------+------+-----------+---------+-----------------------------------------+
+   Ed25519      : robustness[###] speed[###]
+   ECDSA        : robustness[##.] speed[###]
+   RSA          : robustness[#..] speed[#..]
 
-This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment.
+This table is meant as a quick cheat-sheet, you're warmly advised to do
+your own research, as other constraints may apply to your environment.