From 0ed6ef837c1a94caf39875205384caede653d6e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Mon, 25 Sep 2023 15:36:39 +0200
Subject: [PATCH 1/8] Implement Ingress Secure Keys
---
 bin/plugin/open/selfAddIngressKey | 12 +++++++++---
 etc/bastion/bastion.conf.dist | 2 +-
 lib/perl/OVH/Bastion/configuration.inc | 4 ++--
 lib/perl/OVH/Bastion/ssh.inc | 8 +++++---
 4 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
index 41c7ab4c0..63f02345d 100755
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@@ -67,14 +67,20 @@ if (not defined $pubKey) {
 my $algos = join(' ', @algoList);
 osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
+ if (grep { 'ed25519-sk' eq $_ } @algoList) {
+ osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+ }
 if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+ osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+ }
+ if (grep { 'ecdsa-sk' eq $_ } @algoList) {
+ osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
 }
 if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+ osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
 }
 if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+ osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
 }
 osh_info "\nIn any case, don't save it without a passphrase.";
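Review bot: The `ecdsa-sk` hint ends with `-b 521`, but the acceptance regex this same patch adds to get_ssh_pub_key_info (ssh.inc @@ -302) only matches `sk-ecdsa-sha2-nistp256@openssh.com`, and as far as I know ssh-keygen ignores `-b` for ecdsa-sk keys because they are always P-256, so the flag is misleading at best. I would drop `-b 521` from that message so it reads like the ed25519-sk one. The same text is carried verbatim into print_accepted_key_algorithms in patch 3 (ssh.inc @@ -1048) and needs the same fix there. Labelling the two FIDO entries 'ED25519 Secure-Key' and 'NIST-P Secure key' is inconsistent; patch 3's 'FIDO2 Ed25519' / 'FIDO2 ECDSA' naming is clearer and could be used from the start.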
diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist
index ae7fd4bc7..14f836b91 100644
--- a/etc/bastion/bastion.conf.dist
+++ b/etc/bastion/bastion.conf.dist
@@ -57,7 +57,7 @@
 # allowedIngressSshAlgorithms (array of strings (algorithm names))
 # DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
 # DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
-"allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519" ],
+"allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519", "ecdsa-sk", "ed25519-sk" ],
 #
 # allowedEgressSshAlgorithms (array of strings (algorithm names))
 # DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc
index 53a2d9dc2..1382c9441 100644
--- a/lib/perl/OVH/Bastion/configuration.inc
+++ b/lib/perl/OVH/Bastion/configuration.inc
@@ -367,8 +367,8 @@ sub load_configuration {
 ## no critic(RegularExpressions::ProhibitFixedStringMatches)
 {
 name => 'allowedIngressSshAlgorithms',
- default => [qw{ rsa ecdsa ed25519 }],
- validre => qr/^(rsa|ecdsa|ed25519)$/
+ default => [qw{ rsa ecdsa ed25519 edcsa-sk ed25519-sk }],
+ validre => qr/^(rsa|ecdsa|ed25519|ecdsa-sk|ed25519-sk)$/
 },
 ## no critic(RegularExpressions::ProhibitFixedStringMatches)
 {
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index f99f6765a..e3d96a5bf 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
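Review bot: The value line now lists five algorithms, but the `# DEFAULT:` comment just above still reads `[ "rsa", "ecdsa", "ed25519" ]` and the `# DESC:` line still advertises `dsa` while omitting `ecdsa-sk` and `ed25519-sk`, so the template documents a different default than it ships. Both comment lines should be updated alongside the value; patch 6 touches four lines of this file, but that hunk is outside this view, so I could not confirm it does. The bastion_conf.rst hunk in patch 6 updates the possible-values prose but leaves `:Default:` at the three-algorithm list, which suggests the comment here was not revisited either.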
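Review bot: `edcsa-sk` in the new `default` list is a typo for `ecdsa-sk`: the sibling `validre` on the next line only accepts `ecdsa-sk`, and get_supported_ssh_algorithms_list never emits `edcsa-sk`, so on a bastion that does not set allowedIngressSshAlgorithms explicitly, ecdsa-sk keys are not accepted (or a nonsense entry is kept, depending on whether defaults go through `validre`, which is not visible here). The fix is `default => [qw{ rsa ecdsa ed25519 ecdsa-sk ed25519-sk }],`. Since `validre` is being rewritten anyway, `qr/\A(rsa|ecdsa|ed25519|ecdsa-sk|ed25519-sk)\z/` would stop `$` from tolerating a trailing newline in a configured value. load_configuration starts and ends outside the hunk.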
@@ -302,7 +302,7 @@ sub get_ssh_pub_key_info {
 my ($prefix, $typecode, $base64, $comment);
 if ($pubKey =~
- m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
+ m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+|sk-ssh-ed25519\@openssh.com|sk-ecdsa-sha2-nistp256\@openssh.com)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
 && length($pubKey) <= 3000) {
 ($prefix, $typecode, $base64, $comment) = ($2, $3, $4, $6);
@@ -360,7 +360,7 @@ sub get_ssh_pub_key_info {
 256 SHA256:Yggd7VRRbbivxkdVwrdt0HpqKNylMK91nNIU+RxndTI john@doe (ED25519)
 =cut
- if (defined $sshkeygen and $sshkeygen =~ /^(\d+)\s+(\S+)\s+(.+)\s+\(([A-Z0-9]+)\)$/) {
+ if (defined $sshkeygen and $sshkeygen =~ /^(\d+)\s+(\S+)\s+(.+)\s+\(([A-Z0-9-]+)\)$/) {
 my ($size, $fingerprint, $comment2, $family) = ($1, $2, $3, $4);
 $return{'size'} = $size + 0;
 $return{'fingerprint'} = $fingerprint;
@@ -436,7 +436,7 @@ EOS
 $fnret->{'msg'} = "Unknown error (" . $fnret->msg . "), please report to your sysadmin.";
 } else {
- if (not grep { $fnret->value->{'family'} eq $_ } qw{ RSA ECDSA ED25519 }) {
+ if (not grep { $fnret->value->{'family'} eq $_ } qw{ RSA ECDSA ED25519 ECDSA-SK ED25519-SK }) {
 $fnret->{'err'} = 'ERR_UNKNOWN_TYPE';
 $fnret->{'msg'} = "Unknown family type (" . $fnret->value->{'family'} . "), please report to your sysadmin.";
@@ -634,6 +634,8 @@ sub get_supported_ssh_algorithms_list {
 my $version = $1;
 push @supportedList, 'ecdsa' if ($version gt "5.7");
 push @supportedList, 'ed25519' if ($version gt "6.5");
+ push @supportedList, 'ecdsa-sk' if ($version gt "8.2");
+ push @supportedList, 'ed25519-sk' if ($version gt "8.2");
 @cached_runtime_list = @supportedList;
 last;
 }
From db5113c8186b562edf7802fb873a7df4f2eb8fdd Mon Sep 17 00:00:00 2001
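Review bot: The family list now admits ECDSA-SK and ED25519-SK, but nothing in this series records what the bastion expects from sshd for FIDO keys: sshd requires a presence touch for sk keys unless the authorized_keys entry carries `no-touch-required`, and PIN or biometric user verification is only enforced when the entry carries `verify-required`. If the intent is to rely on sshd's default (touch required, no verification), a comment on this line saying so would stop the next reader from guessing, e.g. `# sk families rely on sshd's default user-presence check; no verify-required option is added to ingress entries`. That wording assumes add_key_to_authorized_keys_file, which this patch does not touch, writes the entry without key options — worth confirming before committing the comment.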
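Review bot: The two new `push` lines compare versions as strings with `gt`, which inherits two problems from the lines above them: `"8.2" gt "8.2"` is false, so OpenSSH 8.2 itself — the release that introduced FIDO support, as far as I know — is excluded, and once the major version has two digits `"10.0" gt "8.2"` is false as well, so on OpenSSH 10.x every algorithm but rsa would be silently dropped (fail-closed, but it would refuse every modern key type). A dotted-decimal comparison with the core `version` module avoids both, with `>=` deliberately including the introducing release; add `use version;` at the top of the file if it is not already loaded. Patch 5 (ssh.inc @@ -632) re-indents the same four lines without fixing this. get_supported_ssh_algorithms_list starts and ends outside the hunk.
```perl
            my $version = version->parse("v$1");    # dotted-decimal, so v8.10 > v8.2 and v10.0 > v8.2
            push @supportedList, 'ecdsa'      if $version >= version->parse("v5.7");
            push @supportedList, 'ed25519'    if $version >= version->parse("v6.5");
            push @supportedList, 'ecdsa-sk'   if $version >= version->parse("v8.2");
            push @supportedList, 'ed25519-sk' if $version >= version->parse("v8.2");
            # … unchanged: cache assignment and loop exit …
```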
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Mon, 25 Sep 2023 15:36:45 +0200
Subject: [PATCH 2/8] Escape dots in regex patterns for ssh algorithms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Stéphane Lesimple
---
 lib/perl/OVH/Bastion/ssh.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index e3d96a5bf..42de94d5c 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -302,7 +302,7 @@ sub get_ssh_pub_key_info {
 my ($prefix, $typecode, $base64, $comment);
 if ($pubKey =~
- m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+|sk-ssh-ed25519\@openssh.com|sk-ecdsa-sha2-nistp256\@openssh.com)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
+ m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+|sk-ssh-ed25519\@openssh\.com|sk-ecdsa-sha2-nistp256\@openssh\.com)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
 && length($pubKey) <= 3000) {
 ($prefix, $typecode, $base64, $comment) = ($2, $3, $4, $6);
From 6bad6dae434642905e4e33498eeef107b0ff73a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Mon, 25 Sep 2023 15:36:51 +0200
Subject: [PATCH 3/8] Factor out in a generic function the helper listing allowed ssh key algorithm
---
 bin/plugin/open/selfAddIngressKey | 21 +--------------------
 bin/plugin/restricted/accountCreate | 14 +-------------
 lib/perl/OVH/Bastion.pm | 2 +-
 lib/perl/OVH/Bastion/ssh.inc | 28 ++++++++++++++++++++++++++++
 4 files changed, 31 insertions(+), 34 deletions(-)
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
index 63f02345d..37d949b96 100755
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@@ -61,27 +61,8 @@ if (!OVH::Bastion::has_piv_helper()) {
 }
 if (not defined $pubKey) {
- $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
- $fnret or osh_exit $fnret;
- my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
 osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-
- if (grep { 'ed25519-sk' eq $_ } @algoList) {
- osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
- }
- if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
- }
- if (grep { 'ecdsa-sk' eq $_ } @algoList) {
- osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
- }
- if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
- }
- if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
- }
+ OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
 osh_info "\nIn any case, don't save it without a passphrase.";
 if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
 osh_info
diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
index 8d5bc5a64..8b57af2b3 100755
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
@@ -103,20 +103,8 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }
 if (!$pubKey && !$noKey) {
- $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
- $fnret or osh_exit $fnret;
- my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
 osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
- if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
- }
- if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
- }
- if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
- }
+ OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
 osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
 $pubKey = ;
 }
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index ecb33bcc9..f41ed7a07 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -156,7 +156,7 @@ my %_autoload_files = (
 ],
 password => [qw{ get_hashes_from_password get_password_file get_hashes_list is_valid_hash }],
 ssh => [
- qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled }
+ qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled print_accepted_key_algorithms }
 ],
 );
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 42de94d5c..b78195d88 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -1048,4 +1048,32 @@ sub is_effective_piv_account_policy_enabled {
 : R('KO_DISABLED', msg => "inherits the globally disabled policy");
 }
+# Deduces from the bastion config what algorithms are accepted.
+sub print_accepted_key_algorithms {
+ my %params = @_;
+ my $way = $params{'way'};
+ my $fnret;
+
+ $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
+ $fnret or osh_exit $fnret;
+ my @algoList = @{$fnret->value};
+ my $algos = join(' ', @algoList);
+
+ if (grep { 'ed25519-sk' eq $_ } @algoList) {
+ osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+ }
+ if (grep { 'ed25519' eq $_ } @algoList) {
+ osh_info "ED25519 : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+ }
+ if (grep { 'ecdsa-sk' eq $_ } @algoList) {
+ osh_info "FIDO2 ECDSA : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
+ }
+ if (grep { 'ecdsa' eq $_ } @algoList) {
+ osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+ }
+ if (grep { 'rsa' eq $_ } @algoList) {
+ osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+ }
+}
+
 1;
From 065e14dedba6bfe2641cd1a1bb390fcc1d88ae1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Mon, 25 Sep 2023 17:58:32 +0200
Subject: [PATCH 4/8] Drop an unused variable in print_accepted_key_algorithms
---
 lib/perl/OVH/Bastion/ssh.inc | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index b78195d88..bbd1829cd 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
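Review bot: The header comment `# Deduces from the bastion config what algorithms are accepted.` does not describe the one parameter or the fact that the sub prints rather than returns: a caller cannot tell from it that `way` is mandatory and forwarded untouched to get_supported_ssh_algorithms_list, that the output goes through osh_info one line per accepted algorithm, or that a failure of the lookup currently ends the calling plugin via osh_exit from inside library code. I would replace it with a three-line comment stating the `way => 'ingress'|'egress'` parameter, the osh_info side effect and the failure behaviour, and keep it in sync when the error path changes. The five `if (grep …)` blocks are ordered by the strongness bars they print, so that intent deserves a line too, e.g. `# listed strongest first so the recommended choice is on top`.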
@@ -1057,7 +1057,6 @@ sub print_accepted_key_algorithms {
 $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
 $fnret or osh_exit $fnret;
 my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
 if (grep { 'ed25519-sk' eq $_ } @algoList) {
 osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
From ee2869b642abd0fe93cc27eb82df1810e5e9e755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Wed, 27 Mar 2024 14:32:10 +0000
Subject: [PATCH 5/8] chore: perltidy
---
 lib/perl/OVH/Bastion/ssh.inc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index bbd1829cd..54d8dad56 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -632,9 +632,9 @@ sub get_supported_ssh_algorithms_list {
 foreach (@{$fnret->value->{'stdout'} || []}, @{$fnret->value->{'stderr'} || []}) {
 if (/OpenSSH_(\d+\.\d+)/) {
 my $version = $1;
- push @supportedList, 'ecdsa' if ($version gt "5.7");
- push @supportedList, 'ed25519' if ($version gt "6.5");
- push @supportedList, 'ecdsa-sk' if ($version gt "8.2");
+ push @supportedList, 'ecdsa' if ($version gt "5.7");
+ push @supportedList, 'ed25519' if ($version gt "6.5");
+ push @supportedList, 'ecdsa-sk' if ($version gt "8.2");
 push @supportedList, 'ed25519-sk' if ($version gt "8.2");
 @cached_runtime_list = @supportedList;
 last;
@@ -1050,12 +1050,12 @@ sub is_effective_piv_account_policy_enabled {
 # Deduces from the bastion config what algorithms are accepted.
 sub print_accepted_key_algorithms {
- my %params = @_;
- my $way = $params{'way'};
+ my %params = @_;
+ my $way = $params{'way'};
 my $fnret;
 $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
- $fnret or osh_exit $fnret;
+ $fnret or return $fnret;
 my @algoList = @{$fnret->value};
 if (grep { 'ed25519-sk' eq $_ } @algoList) {
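Review bot: `$fnret or return $fnret;` replaces `osh_exit` with an early return inside a commit titled `chore: perltidy`, which hides a behaviour change in a formatting commit and deserves its own commit. More importantly, every caller discards the return value (selfAddIngressKey and accountCreate in patch 3; groupGenerateEgressKey, selfGenerateEgressKey, groupCreate and realmCreate in patch 6), so a failing get_supported_ssh_algorithms_list now prints nothing and the user is asked to paste a key with no algorithm list, where before the plugin stopped with the error. The sub also has no explicit success return, so on success its value is whatever the last `if` block evaluates to, which makes the return unusable even for a caller that wants to check it. I would end the sub with `return R('OK');` and have each caller do `$fnret = OVH::Bastion::print_accepted_key_algorithms(way => "ingress"); $fnret or osh_exit $fnret;`. print_accepted_key_algorithms continues outside the hunk.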
From 7659ab2f38aa05959c7fac5d0f0dd4790452ae0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Wed, 27 Mar 2024 15:58:59 +0000
Subject: [PATCH 6/8] enh: use print_accepted_key_algorithms everywhere
---
 bin/plugin/group-owner/groupGenerateEgressKey | 6 +-
 bin/plugin/open/selfAddIngressKey | 4 +-
 bin/plugin/open/selfGenerateEgressKey | 7 +-
 bin/plugin/restricted/accountCreate | 4 +-
 bin/plugin/restricted/groupCreate | 39 +++--------
 bin/plugin/restricted/realmCreate | 27 +++-----
 .../groupCreate.override.rst | 55 ----------------
 .../selfGenerateEgressKey.override.rst | 43 ------------
 .../configuration/bastion_conf.rst | 4 +-
 .../group-owner/groupGenerateEgressKey.rst | 18 ++---
 .../plugins/open/selfGenerateEgressKey.rst | 40 ++++++-----
 doc/sphinx/plugins/restricted/groupCreate.rst | 60 ++++++++---------
 etc/bastion/bastion.conf.dist | 4 +-
 .../OVH/Bastion/Plugin/generateEgressKey.pm | 40 -----------
 lib/perl/OVH/Bastion/ssh.inc | 66 +++++++++++++----
 15 files changed, 144 insertions(+), 273 deletions(-)
 delete mode 100644 doc/sphinx-plugins-override/groupCreate.override.rst
 delete mode 100644 doc/sphinx-plugins-override/selfGenerateEgressKey.override.rst
diff --git a/bin/plugin/group-owner/groupGenerateEgressKey b/bin/plugin/group-owner/groupGenerateEgressKey
index 6e2c9c146..3041edcc6 100755
--- a/bin/plugin/group-owner/groupGenerateEgressKey
+++ b/bin/plugin/group-owner/groupGenerateEgressKey
@@ -23,7 +23,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 );
 sub help {
- print <<"EOF";
+ osh_info <<"EOF";
 Create a new public + private key pair for a group
 Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
@@ -35,12 +35,12 @@ Usage: --osh $scriptName --group GROUP --algo ALGO --size SIZE [--encrypted]
 --size SIZE Specifies the size of the key to be generated.
 For RSA, choose between 2048 and 8192 (4096 is good).
 For ECDSA, choose either 256, 384 or 521.
- For ED25519, size is always 256.
+ For Ed25519, size is always 256.
 --encrypted If specified, a passphrase will be prompted for the new key
 EOF
- OVH::Bastion::Plugin::generateEgressKey::help_algos();
+ OVH::Bastion::print_accepted_key_algorithms(way => "egress", gener
ate => 0);
 return 0;
 }
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
index 37d949b96..19654c47f 100755
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@@ -61,9 +61,9 @@ if (!OVH::Bastion::has_piv_helper()) {
 }
 if (not defined $pubKey) {
- osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
+ osh_info "Please paste the SSH key you want to add.";
 OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
- osh_info "\nIn any case, don't save it without a passphrase.";
+ osh_info "\nPlease ensure your private key is encrypted using a proper passphrase.";
 if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
 osh_info
diff --git a/bin/plugin/open/selfGenerateEgressKey b/bin/plugin/open/selfGenerateEgressKey
index 2225e7a5c..c538ab902 100755
--- a/bin/plugin/open/selfGenerateEgressKey
+++ b/bin/plugin/open/selfGenerateEgressKey
@@ -22,7 +22,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 );
 sub help {
- my $text = <<"EOF";
+ osh_info <<"EOF";
 Create a new public + private key pair on your bastion account
 Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
@@ -37,9 +37,8 @@ Usage: --osh $scriptName --algo ALGO --size SIZE [--encrypted]
 --encrypted if specified, a passphrase will be prompted for the new key
 EOF
- osh_info($text);
- OVH::Bastion::Plugin::generateEgressKey::help_algos();
- return 1;
+ OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0);
+ return 0;
 }
 #
diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
index 8b57af2b3..3a2865f86 100755
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
@@ -103,9 +103,9 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }
 if (!$pubKey && !$noKey) {
- osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
+ osh_info "Please paste the SSH key you want to add.";
 OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
- osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
+ osh_info "\nPlease ensure your private key is encrypted using a proper passphrase (your paste won't be echoed).";
 $pubKey = ;
 }
diff --git a/bin/plugin/restricted/groupCreate b/bin/plugin/restricted/groupCreate
index 56b7bd03a..7e4dffa2f 100755
--- a/bin/plugin/restricted/groupCreate
+++ b/bin/plugin/restricted/groupCreate
@@ -26,46 +26,27 @@ my $remainingOptions = OVH::Bastion::Plugin::begin( ); sub help { - require Term::ANSIColor; - my $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'egress'); - my @algoList = @{$fnret->value}; - my $algos = Term::ANSIColor::colored(uc join(' ', @algoList), 'green'); - my $helpAlgoSize = '--algo rsa --size 4096'; - if (grep { $_ eq 'ecdsa' } @algoList) { - $helpAlgoSize = '--algo ecdsa --size 521'; - } - if (grep { $_ eq 'ed25519' } @algoList) { - $helpAlgoSize = '--algo ed25519'; - } osh_info <<"EOF"; -Usage : --osh $scriptName --group GROUP --owner ACCOUNT $helpAlgoSize [--encrypted] [--no-key] -Description : creates group GROUP on the bastion with ACCOUNT as the owner -Params : +Create a group + +Usage: --osh $scriptName --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE [--encrypted]|--no-key> - --group Group name to create + --group Group name to create - --owner Preexisting bastion account to assign as owner (can be you) + --owner Preexisting bastion account to assign as owner (can be you) - --encrypted Add a passphrase to the key. Beware that you'll have to enter it for each use. + --encrypted Add a passphrase to the key. Beware that you'll have to enter it for each use. Do NOT add the passphrase after this option, you'll be prompted interactively for it. - --algo Specifies the algo of the key, either rsa, ecdsa or ed25519. - --size Specifies the size of the key to be generated. + --algo Specifies the algo of the key, either rsa, ecdsa or ed25519. + --size Specifies the size of the key to be generated. For RSA, choose between 2048 and 8192 (4096 is good). For ECDSA, choose either 256, 384 or 521. For ED25519, size is always 256. 
- --no-key Don't generate an egress SSH key at all for this group - -With the policy and SSH version on this bastion, -the following algorithms are supported: $algos - -algo size strength speed compatibility -------- ---- ---------- -------- ----------------------- -RSA 4096 good slow works everywhere -ECDSA 521 strong fast debian7+ (OpenSSH 5.7+) -ED25519 256 verystrong veryfast debian8+ (OpenSSH 6.5+) + --no-key Don't generate an egress SSH key at all for this group EOF + OVH::Bastion::print_accepted_key_algorithms(way => "egress", generate => 0); return 0; } diff --git a/bin/plugin/restricted/realmCreate b/bin/plugin/restricted/realmCreate index 537a07b1a..b0ca611d8 100755 --- a/bin/plugin/restricted/realmCreate +++ b/bin/plugin/restricted/realmCreate 
@@ -57,24 +57,17 @@ if ($fnret) {
 # TODO check $from
 if (!$pubKey) {
- $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
- $fnret or osh_exit $fnret;
- my @algoList = @{$fnret->value};
- my $algos = join(' ', @algoList);
- osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
- if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
- }
- if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
- }
- if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
- }
- osh_info
- "\nThis should be the egress key of the group named 'realm' from the other side (your paste won't be echoed).";
+ osh_info("Please paste the SSH key you want to add, which should be the egress key ");
+ osh_info("of the group on the other side you want members to have access to this realm.");
+
+ osh_info("\nThis bastion supports the following algorithms:\n\n");
+
+ # don't display info about generating keys, as the public key is supposed to already exist
+ # skip fido algos as the key is supposed to be the egress key of another bastion
+ OVH::Bastion::print_accepted_key_algorithms(way => "ingress", fido => 0, generate => 0);
+
+ osh_info("\nNote that your paste won't be echoed:");
 $pubKey = ;
- ## use critic
 }
 $fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress');
diff --git a/doc/sphinx-plugins-override/groupCreate.override.rst b/doc/sphinx-plugins-override/groupCreate.override.rst
deleted file mode 100644
index 107db8f37..000000000
--- a/doc/sphinx-plugins-override/groupCreate.override.rst
+++ /dev/null
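Review bot: The removed `## use critic` line closed a `## no critic` annotation that is not in the hunk, so if that marker still exists above line 57 its scope now runs to the end of the enclosing block or file; either remove the matching `## no critic` as well or keep the pair. The call passes `fido => 0, generate => 0` (groupGenerateEgressKey, selfGenerateEgressKey and groupCreate pass `generate => 0` too), but the ssh.inc hunk of this patch that would teach print_accepted_key_algorithms those parameters is outside this view, so I could not confirm they are honoured and default to enabled. The two comments explaining why FIDO algorithms are skipped for a realm key are exactly the kind of why-comment the other call sites lack.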
@@ -1,55 +0,0 @@ -Create a new bastion group -========================== - - -.. admonition:: usage - :class: cmdusage - - --osh groupCreate --group NAME --owner ACCOUNT --algo ALGO --size SIZE [OPTIONS] - -.. program:: groupCreate - - -.. option:: --group NAME - - Group name to create, NAME must contain only valid UNIX group name characters - -.. option:: --owner ACCOUNT - - Account to set as the group owner, this account will have complete rights to manage the group - -.. option:: --algo ALGO - - Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies - -.. option:: --size SIZE - - Specifies the size of the key to be generated. - For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful). - For ECDSA, choose either 256, 384 or 521. - For ED25519, size is always 256. - -.. option:: --encrypted - - When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key. - -.. option:: --no-key - - No egress key pair will be generated. In that case, omit ``--algo`` and ``--size``. 
- -Algorithms guideline -==================== - -A quick overview of the different algorithms:: - - +---------+------+-----------+---------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+===========+=========+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) | - | ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) | - +---------+------+-----------+---------+-----------------------------------------+ - -This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment. diff --git a/doc/sphinx-plugins-override/selfGenerateEgressKey.override.rst b/doc/sphinx-plugins-override/selfGenerateEgressKey.override.rst deleted file mode 100644 index 85f3c1d6d..000000000 --- a/doc/sphinx-plugins-override/selfGenerateEgressKey.override.rst +++ /dev/null 
@@ -1,43 +0,0 @@ -Create a new egress key pair on your account -============================================ - - -.. admonition:: usage - :class: cmdusage - - --osh selfGenerateEgressKey --algo ALGO --size SIZE [--encrypted] - -.. program:: selfForgetHostKey - - -.. option:: --algo ALGO - - Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies - -.. option:: --size SIZE - - Specifies the size of the key to be generated. - For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful). - For ECDSA, choose either 256, 384 or 521. - For ED25519, size is always 256. - -.. option:: --encrypted - - When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key. - -Algorithms guideline -==================== - -A quick overview of the different algorithms:: - - +---------+------+-----------+---------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+===========+=========+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) | - | ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) | - +---------+------+-----------+---------+-----------------------------------------+ - -This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment. diff --git a/doc/sphinx/administration/configuration/bastion_conf.rst b/doc/sphinx/administration/configuration/bastion_conf.rst index 08bd11c7d..c1bc1550d 100644 
--- a/doc/sphinx/administration/configuration/bastion_conf.rst +++ b/doc/sphinx/administration/configuration/bastion_conf.rst @@ -218,7 +218,7 @@ allowedIngressSshAlgorithms :Default: ``[ "rsa", "ecdsa", "ed25519" ]`` -The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime. +The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, ``ecdsa-sk``, ``ed25519-sk``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime. .. _allowedEgressSshAlgorithms: @@ -229,7 +229,7 @@ allowedEgressSshAlgorithms :Default: ``[ "rsa", "ecdsa", "ed25519" ]`` -The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime. +The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime. .. _minimumIngressRsaKeySize: diff --git a/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst b/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst index 217427b77..2b803e45c 100644 --- a/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst +++ b/doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst 
@@ -30,27 +30,21 @@ Create a new public + private key pair for a group For RSA, choose between 2048 and 8192 (4096 is good). For ECDSA, choose either 256, 384 or 521. - For ED25519, size is always 256. + For Ed25519, size is always 256. .. option:: --encrypted If specified, a passphrase will be prompted for the new key -Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy. -A quick overview of the different algorithms:: +A quick overview of the different algorithms: +.. code-block:: none - +---------+------+----------+-------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+==========+=======+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) | - | Ed25519 | 256 | ***** | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) | - +---------+------+----------+-------+-----------------------------------------+ + Ed25519 : robustness[###] speed[###] + ECDSA : robustness[##.] speed[###] + RSA : robustness[#..] speed[#..] This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment. diff --git a/doc/sphinx/plugins/open/selfGenerateEgressKey.rst b/doc/sphinx/plugins/open/selfGenerateEgressKey.rst index 33a82f9a3..2c9c2ae82 100644 --- a/doc/sphinx/plugins/open/selfGenerateEgressKey.rst +++ b/doc/sphinx/plugins/open/selfGenerateEgressKey.rst @@ -2,8 +2,8 @@ selfGenerateEgressKey ====================== -Create a new egress key pair on your account -============================================ +Create a new public + private key pair on your bastion account +============================================================== .. admonition:: usage 
@@ -11,37 +11,35 @@ Create a new egress key pair on your account --osh selfGenerateEgressKey --algo ALGO --size SIZE [--encrypted] -.. program:: selfForgetHostKey +.. program:: selfGenerateEgressKey .. option:: --algo ALGO - Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies + Specifies the algo of the key, either rsa, ecdsa or ed25519. + .. option:: --size SIZE Specifies the size of the key to be generated. - For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful). - For ECDSA, choose either 256, 384 or 521. - For ED25519, size is always 256. + + For RSA, choose between 2048 and 8192 (4096 is good). + For ECDSA, choose either 256, 384 or 521. + For ED25519, size is always 256. .. option:: --encrypted - When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key. + if specified, a passphrase will be prompted for the new key + + -Algorithms guideline -==================== +A quick overview of the different algorithms: -A quick overview of the different algorithms:: +.. code-block:: none - +---------+------+-----------+---------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+===========+=========+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) | - | ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) | - +---------+------+-----------+---------+-----------------------------------------+ + Ed25519 : robustness[###] speed[###] + ECDSA : robustness[##.] 
speed[###] + RSA : robustness[#..] speed[#..] -This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment. +This table is meant as a quick cheat-sheet, you're warmly advised to do +your own research, as other constraints may apply to your environment. diff --git a/doc/sphinx/plugins/restricted/groupCreate.rst b/doc/sphinx/plugins/restricted/groupCreate.rst index d9e1a3c51..7d4f05fb6 100644 --- a/doc/sphinx/plugins/restricted/groupCreate.rst +++ b/doc/sphinx/plugins/restricted/groupCreate.rst 
@@ -2,58 +2,58 @@ groupCreate ============ -Create a new bastion group -========================== +Create a group +============== .. admonition:: usage :class: cmdusage - --osh groupCreate --group NAME --owner ACCOUNT --algo ALGO --size SIZE [OPTIONS] + --osh groupCreate --group GROUP --owner ACCOUNT <--algo ALGO --size SIZE [--encrypted]|--no-key> .. program:: groupCreate -.. option:: --group NAME +.. option:: --group - Group name to create, NAME must contain only valid UNIX group name characters + Group name to create -.. option:: --owner ACCOUNT - Account to set as the group owner, this account will have complete rights to manage the group +.. option:: --owner -.. option:: --algo ALGO + Preexisting bastion account to assign as owner (can be you) - Specifies the algo of the key, usually either rsa, ecdsa or ed25519. Note that the available algorithms depend on the OS the bastion is running on, along with its configuration policies -.. option:: --size SIZE +.. option:: --encrypted - Specifies the size of the key to be generated. - For RSA, choose between 2048 and 8192 (any value above 4096 is probably not very useful). - For ECDSA, choose either 256, 384 or 521. - For ED25519, size is always 256. + Add a passphrase to the key. Beware that you'll have to enter it for each use. -.. option:: --encrypted + Do NOT add the passphrase after this option, you'll be prompted interactively for it. + +.. option:: --algo + + Specifies the algo of the key, either rsa, ecdsa or ed25519. - When specified, a passphrase will be prompted for the new key, and the private key will be stored encrypted on the bastion. Note that the passphrase will be required each time you want to use the key. +.. option:: --size + + Specifies the size of the key to be generated. + + For RSA, choose between 2048 and 8192 (4096 is good). + For ECDSA, choose either 256, 384 or 521. + For ED25519, size is always 256. .. option:: --no-key - No egress key pair will be generated. 
In that case, omit ``--algo`` and ``--size``. + Don't generate an egress SSH key at all for this group + -Algorithms guideline -==================== +A quick overview of the different algorithms: -A quick overview of the different algorithms:: +.. code-block:: none - +---------+------+-----------+---------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+===========+=========+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (debian 7+, ubuntu 12.04+) | - | ED25519 | 256 | ***** | ***** | OpenSSH 6.5+ (debian 8+, ubuntu 14.04+) | - +---------+------+-----------+---------+-----------------------------------------+ + Ed25519 : robustness[###] speed[###] + ECDSA : robustness[##.] speed[###] + RSA : robustness[#..] speed[#..] -This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment. +This table is meant as a quick cheat-sheet, you're warmly advised to do +your own research, as other constraints may apply to your environment. diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist index 14f836b91..b16f7af13 100644 --- a/etc/bastion/bastion.conf.dist +++ b/etc/bastion/bastion.conf.dist 
@@ -55,12 +55,12 @@
 # >> All the options related to the SSH configuration and policies, both for ingress and egress connections.
 #
 # allowedIngressSshAlgorithms (array of strings (algorithm names))
-# DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
+# DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, ``ecdsa-sk``, ``ed25519-sk``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
 # DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
 "allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519", "ecdsa-sk", "ed25519-sk" ],
 #
 # allowedEgressSshAlgorithms (array of strings (algorithm names))
-# DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
+# DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
 # DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
 "allowedEgressSshAlgorithms": [ "rsa", "ecdsa", "ed25519" ],
 #
diff --git a/lib/perl/OVH/Bastion/Plugin/generateEgressKey.pm b/lib/perl/OVH/Bastion/Plugin/generateEgressKey.pm
index 861369259..cf791cd04 100644
--- a/lib/perl/OVH/Bastion/Plugin/generateEgressKey.pm
+++ b/lib/perl/OVH/Bastion/Plugin/generateEgressKey.pm
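Review bot: The `# DEFAULT:` comment for `allowedIngressSshAlgorithms` still reads `[ "rsa", "ecdsa", "ed25519" ]` while the value line directly under it lists five algorithms including `ecdsa-sk` and `ed25519-sk`; the DESC line is updated in this hunk but the DEFAULT line is not, so an admin reading the comment is told the wrong default. The `:Default:` field in the bastion_conf.rst hunk carries the same three-algorithm value. Either update both comments to the five-algorithm list or, if the shipped default is meant to stay at the three classic algorithms, change the value line to match the comment.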
@@ -9,46 +9,6 @@ use OVH::Result; use OVH::Bastion; use OVH::Bastion::Plugin qw{ :DEFAULT }; -sub help_algos { - require Term::ANSIColor; - my $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'egress'); - my @algoList = @{$fnret->value}; - my $algos = Term::ANSIColor::colored(uc join(' ', @algoList), 'green'); - - # when generating documentation, don't talk about "this" bastion, be generic - if ($ENV{'PLUGIN_DOCGEN'}) { - osh_info <<"EOF"; -Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy. - -A quick overview of the different algorithms:: -EOF - } - else { - osh_info <<"EOF"; -With the policy and SSH version on this bastion, -the following algorithms are supported: $algos. - -A quick overview of the different algorithms: -EOF - } - osh_info <<"EOF"; - - +---------+------+----------+-------+-----------------------------------------+ - | algo | size | strength | speed | compatibility | - +=========+======+==========+=======+=========================================+ - | DSA | any | 0 | n/a | obsolete, do not use | - | RSA | 2048 | ** | ** | works everywhere | - | RSA | 4096 | *** | * | works almost everywhere | - | ECDSA | 521 | **** | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) | - | Ed25519 | 256 | ***** | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) | - +---------+------+----------+-------+-----------------------------------------+ - -This table is meant as a quick cheat-sheet, you're warmly advised to do -your own research, as other constraints may apply to your environment. -EOF - return 0; -} - sub ask_passphrase { require Term::ReadKey; print "Please enter a passphrase for the private key that'll stay on the bastion (not echoed): "; diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc index 54d8dad56..3af27e656 100644 --- a/lib/perl/OVH/Bastion/ssh.inc +++ b/lib/perl/OVH/Bastion/ssh.inc 
@@ -1050,29 +1050,73 @@ sub is_effective_piv_account_policy_enabled {
 # Deduces from the bastion config what algorithms are accepted.
 sub print_accepted_key_algorithms {
- my %params = @_;
- my $way = $params{'way'};
+ my %params = @_;
+ my $way = $params{'way'};
+ my $fido = ($params{'fido'} // 1);
+ my $generate = ($params{'generate'} // 1);
 my $fnret;
+ my @algoList;
 $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
- $fnret or return $fnret;
- my @algoList = @{$fnret->value};
+ if (!$fnret && $ENV{'PLUGIN_DOCGEN'}) {
+ @algoList = qw{ rsa ecdsa ed25519 };
+ push @algoList, qw{ ecdsa-sk ed25519-sk } if ($way eq 'ingress');
+ }
+ elsif (!$fnret) {
+ return $fnret;
+ }
+ else {
+ @algoList = @{$fnret->value};
+ }
+
+ my ($X, $o) = qw{ # . };
+ if (OVH::Bastion::can_use_utf8() && OVH::Bastion::config('fanciness')->value eq 'full') {
+ $X = "\N{U+2713}";
+ $o = " ";
+ }
+
+ require POSIX;
+ my $bastionName = OVH::Bastion::config('bastionName')->value;
+ my $appName = "ssh:" . POSIX::strftime("%Y-%m-%d.", localtime()) . substr($bastionName, 0, 24);
+
+ my $hasFido = 0;
+
+ my $prefix = "";
+ osh_info("A quick overview of the different algorithms:");
+ if ($ENV{'PLUGIN_DOCGEN'}) {
+ $prefix = " ";
+ osh_info("\n.. code-block:: none\n");
+ }
- if (grep { 'ed25519-sk' eq $_ } @algoList) {
- osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+ if ($fido && grep { 'ed25519-sk' eq $_ } @algoList) {
+ osh_info("${prefix}FIDO2 Ed25519: robustness[$X$X$X] speed[$X$X$X]"
+ . ($generate ? ", generate: `ssh-keygen -t ed25519-sk -O resident -O application=$appName" : ""));
+ $hasFido = 1;
 }
 if (grep { 'ed25519' eq $_ } @algoList) {
- osh_info "ED25519 : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+ osh_info("${prefix}Ed25519 : robustness[$X$X$X] speed[$X$X$X]"
+ . ($generate ? 
", generate: `ssh-keygen -t ed25519'" : ""));
 }
- if (grep { 'ecdsa-sk' eq $_ } @algoList) {
- osh_info "FIDO2 ECDSA : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
+ if ($fido && grep { 'ecdsa-sk' eq $_ } @algoList) {
+ osh_info("${prefix}FIDO2 ECDSA : robustness[$X$X$o] speed[$X$X$X]"
+ . ($generate ? ", generate: `ssh-keygen -t ecdsa-sk -b 521 -O resident -O application=$appName" : ""));
+ $hasFido = 1;
 }
 if (grep { 'ecdsa' eq $_ } @algoList) {
- osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+ osh_info("${prefix}ECDSA : robustness[$X$X$o] speed[$X$X$X]"
+ . ($generate ? ", generate: `ssh-keygen -t ecdsa -b 521'" : ""));
 }
 if (grep { 'rsa' eq $_ } @algoList) {
- osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+ osh_info("${prefix}RSA : robustness[$X$o$o] speed[$X$o$o]"
+ . ($generate ? ", generate: `ssh-keygen -t rsa -b 4096'" : ""));
+ }
+
+ if ($hasFido) {
+ osh_info("\nNote that FIDO2 algorithms require a FIDO2-compatible hardware Security Key.");
 }
+ osh_info("\nThis table is meant as a quick cheat-sheet, you're warmly advised to do");
+ osh_info("your own research, as other constraints may apply to your environment.");
+ return;
 }
 1;
From 5de66f3817966f18c59fcc571c3a9f4673eadd0c Mon Sep 17 00:00:00 2001 From: perrze Date: Wed, 3 Apr 2024 10:03:58 +0200 Subject: [PATCH 7/8] Adding tests for secure keys feature
--- tests/functional/tests.d/330-selfkeys.sh | 64 +++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-)
diff --git a/tests/functional/tests.d/330-selfkeys.sh b/tests/functional/tests.d/330-selfkeys.sh
index cfd4d0ec0..5f1b6781a 100644
--- a/tests/functional/tests.d/330-selfkeys.sh
+++ b/tests/functional/tests.d/330-selfkeys.sh
@@ -464,12 +464,34 @@ EOS .value.key.line "ecdsa-sha2-nistp521 $b64 test@ecdsa521" \ .value.key.prefix "" +b64='AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBTjpImSazDYONgM5plDyz7R2dFmVJMtKCYRemL+XNvVpyRc4e+V8GBF+UZFSc2ieCpGmcB54GfjryznSgyYHHYAAAAEc3NoOg==' + local fpe256_sk + fpe256_sk="SHA256:DRMDgE8K3ByBwYEcosmosvLfHMT7XabCzzM4MoIiIgU" + [ "$FP_TYPE" = md5 ] && fpe256_sk="dc:e1:9b:e4:64:97:d6:c3:47:a7:9b:33:3d:35:e2:cb" + script sk-ecdsa256 $a1 -osh selfAddIngressKey "<<< \"sk-ecdsa-sha2-nistp256@openssh.com $b64 test@ecdsa256-sk\"" + retvalshouldbe 0 + contain "key successfully added" + json $(cat < Date: Tue, 9 Apr 2024 16:22:41 +0000 Subject: [PATCH 8/8] fix: tests: don't test FIDO2 on unsupported distros --- doc/sphinx/development/setup.rst | 1 + docker/Dockerfile.debian11 | 2 +- docker/Dockerfile.debian12 | 2 +- docker/Dockerfile.opensuse15 | 4 +- docker/Dockerfile.rockylinux9 | 2 +- docker/Dockerfile.ubuntu2004 | 2 +- docker/Dockerfile.ubuntu2204 | 2 +- tests/functional/launch_tests_on_instance.sh | 3 +- tests/functional/tests.d/330-selfkeys.sh | 121 ++++++++++--------- 9 files changed, 73 insertions(+), 66 deletions(-) diff --git a/doc/sphinx/development/setup.rst b/doc/sphinx/development/setup.rst index 72cc4c10b..e00926564 100644 --- a/doc/sphinx/development/setup.rst +++ b/doc/sphinx/development/setup.rst @@ -160,6 +160,7 @@ to get up-to-date information): --has-mfa-password=[0|1] PAM is usable to check passwords (default: 0) --has-pamtester=[0|1] The `pamtester` binary is available, and PAM is usable (default: 1) --has-piv=[0|1] The `yubico-piv-tool` binary is available (default: 1) + --has-sk=[0|1] The openssh-server supports Secure Keys (FIDO2) (default: 0) Without Docker -------------- diff --git a/docker/Dockerfile.debian11 b/docker/Dockerfile.debian11 index b3bb80ea5..9067718c4 100644 --- a/docker/Dockerfile.debian11 +++ b/docker/Dockerfile.debian11 
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.debian12 b/docker/Dockerfile.debian12
index 10e88640b..0969b6d2b 100644
--- a/docker/Dockerfile.debian12
+++ b/docker/Dockerfile.debian12
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.opensuse15 b/docker/Dockerfile.opensuse15
index ee4cec94c..7eec47047 100644
--- a/docker/Dockerfile.opensuse15
+++ b/docker/Dockerfile.opensuse15
@@ -30,5 +30,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0
-# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3
+# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0 --has-sk=1
+# TESTFROM opensuse/leap:15.4 opensuse/leap:15.5
diff --git a/docker/Dockerfile.rockylinux9 b/docker/Dockerfile.rockylinux9
index 7b8d5dad3..e4e118548 100644
--- a/docker/Dockerfile.rockylinux9
+++ b/docker/Dockerfile.rockylinux9
@@ -29,4 +29,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.ubuntu2004 b/docker/Dockerfile.ubuntu2004
index 87faf7ace..589efdcdb 100644
--- a/docker/Dockerfile.ubuntu2004
+++ b/docker/Dockerfile.ubuntu2004
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/docker/Dockerfile.ubuntu2204 b/docker/Dockerfile.ubuntu2204
index ecce83762..b17ca7c79 100644
--- a/docker/Dockerfile.ubuntu2204
+++ b/docker/Dockerfile.ubuntu2204
@@ -32,4 +32,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install"]
 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
+# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1 --has-sk=1
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 0bbc35467..a11ed17d0 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -17,7 +17,7 @@ opt_slowness_factor=1
 opt_log_prefix=
 opt_module=
 opt_post_run=
-declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 )
+declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 [sk]=0 )
 # set the helptext now to get the proper default values
 help_text=$(cat <