Bug #22935 (closed)
arvados-dispatch-cloud (maybe) not compatible with ED25519 SSH keys
Description
While working on #22779, I've deployed some test clusters with a new set of SSH keys for the dispatcher, and I was getting the following error message until I changed back to an RSA type of key.
"Could not make key fingerprint: Unmarshal failed to parse public key: ssh: short read"
Updated by Tom Clegg 10 months ago
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
The incompatibility is with the ec2 driver specifically. This func in source:lib/cloud/ec2/ec2.go only supports RSA keys:
func awsKeyFingerprint(pk ssh.PublicKey) (md5fp string, sha1fp string, err error) {
// AWS key fingerprints don't use the usual key fingerprint
// you get from ssh-keygen or ssh.FingerprintLegacyMD5()
// (you can get that from md5.Sum(pk.Marshal())
//
// AWS uses the md5 or sha1 of the PKIX DER encoding of the
// public key, so calculate those fingerprints here.
Updated by Tom Clegg 10 months ago
- File arvados-server~c3582ad1988afa6aaf122b5caea9345269fec6ac-dev added
22935-ssh-key-type @ c3582ad1988afa6aaf122b5caea9345269fec6ac -- developer-run-tests: #4792
- All agreed upon points are implemented / addressed. Describe changes from pre-implementation design.
  - ✅ Confirm other key types can be loaded from config file
  - ✅ Add support for ED25519 keys in EC2 driver for dispatchcloud
- Anything not implemented (discovered or discussed during work) has a follow-up story.
  - n/a
- Code is tested and passing, both automated and manual, what manual testing was done is described.
  - ✅ Test case compares fingerprints to openssl tools as described in AWS docs
- New or changed UX/UI and has gotten feedback from stakeholders.
  - n/a
- Documentation has been updated.
  - ✅ Noted in documentation that EC2 itself only supports RSA and ED25519 keys
- Behaves appropriately at the intended scale (describe intended scale).
  - ✅
- Considered backwards and forwards compatibility issues between client and server.
  - ✅
- Follows our coding standards and GUI style guidelines.
  - ✅
Updated by Lucas Di Pentima 10 months ago
I think it could be beneficial to add the comment about SSH key compatibility in https://doc.arvados.org/v3.1/install/crunch2-cloud/install-compute-node.html#sshkeypair too.
With that it LGTM, thanks!
Updated by Tom Clegg 10 months ago
22935-ssh-key-type @ 8df6d85e788170844ad7757df1f518b675289159
I thought it might be better for the example to specify RSA, which we know works, rather than leave it up to ssh-keygen's default.
Updated by Brett Smith 10 months ago
Tom Clegg wrote in #note-5:
I thought it might be better for the example to specify RSA, which we know works, rather than leave it up to ssh-keygen's default.
I get the rationale for being more explicit but I would prefer we specify ED25519 over RSA. It is supported by our oldest distributions (Rocky 8 and Debian 11) and is preferred by modern OpenSSH deployments.
Updated by Lucas Di Pentima 10 months ago
Tom Clegg wrote in #note-5:
22935-ssh-key-type @ 8df6d85e788170844ad7757df1f518b675289159
I thought it might be better for the example to specify RSA, which we know works, rather than leave it up to ssh-keygen's default.
Thanks, this LGTM, although I agree with Brett that ED25519 would be a better default example, as it seems to be not only as secure as RSA but also more performant, and that should be beneficial to a-d-c's CPU requirements.
Updated by Tom Clegg 10 months ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|b6bcc0b604e5afdc29afbeeab9696276b473cf62.