k3sup
Feature request: Support new-format of encrypted OpenSSH keys
The problem is that ssh-keygen now automatically produces a key in RFC4716 format. A few months ago, it was still the old "PEM" format. Go does not support SSH keys in the RFC4716 format. It does support keys in the PKCS#8 format, but only unencrypted keys are supported currently.
$ k3sup install --ip 127.0.0.1 --user kamikaze
Running: k3sup install
Public IP: 127.0.0.1
ssh -i /home/kamikaze/.ssh/id_rsa -p 22 [email protected]
Enter passphrase for '/home/kamikaze/.ssh/id_rsa':
Error: unable to load the ssh key with path "/home/kamikaze/.ssh/id_rsa": ssh: cannot decode encrypted private keys
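A quick format check, added here as an illustration (it is not k3sup code) and written in Go because that is k3sup's language: it reads only the PEM block type and, for new-format keys, the ciphername at the start of the openssh-key-v1 blob, so you can tell whether a key file is the passphrase-protected new-format kind behind the error above without decrypting anything. The openssh-key-v1 header layout and the constructed SampleOpenSSHKey blob are my assumptions, not something from the thread.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
)

const opensshMagic = "openssh-key-v1\x00" // leading bytes of every new-format key blob

// KeyFormat reports the container a PEM private key uses and whether it is encrypted.
type KeyFormat struct {
	Container string // "openssh" (current ssh-keygen default) or "pem" (ssh-keygen -m PEM)
	Encrypted bool
	Cipher    string // ciphername from the openssh-key-v1 header, "" for legacy PEM
}

// ClassifyPrivateKey reads only the PEM headers and the openssh-key-v1 ciphername
// field; it never decrypts, so it is safe to run on any key file for diagnosis.
func ClassifyPrivateKey(data []byte) (KeyFormat, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return KeyFormat{}, errors.New("no PEM block found")
	}
	switch block.Type {
	case "OPENSSH PRIVATE KEY": // blob = magic, string ciphername, string kdfname, ...
		b := bytes.TrimPrefix(block.Bytes, []byte(opensshMagic))
		if len(b) == len(block.Bytes) || len(b) < 4 || len(b) < 4+int(binary.BigEndian.Uint32(b)) {
			return KeyFormat{}, errors.New("malformed openssh-key-v1 header")
		}
		cipher := string(b[4 : 4+binary.BigEndian.Uint32(b)])
		return KeyFormat{Container: "openssh", Encrypted: cipher != "none", Cipher: cipher}, nil
	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY":
		// Legacy PEM marks a passphrase-protected key with a Proc-Type: 4,ENCRYPTED header.
		_, enc := block.Headers["Proc-Type"]
		return KeyFormat{Container: "pem", Encrypted: enc}, nil
	}
	return KeyFormat{}, errors.New("unrecognised PEM type " + block.Type)
}

// SampleOpenSSHKey builds a constructed openssh-key-v1 blob carrying only the cipher
// and kdf header strings (no real key material), to exercise the check offline.
func SampleOpenSSHKey(cipher, kdf string) []byte {
	body := []byte(opensshMagic)
	for _, s := range []string{cipher, kdf} { // uint32 big-endian length, then the bytes
		body = append(append(body, 0, 0, 0, byte(len(s))), s...) // names are under 256 bytes
	}
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: body})
}
```

Feed it the bytes of a real key file: a result of openssh/Encrypted=true is the combination the opening post describes, while pem/Encrypted=true is what ssh-keygen -m PEM produces.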
I had a similar problem, I fixed it by forcing PEM format for openssh with ssh-keygen -m PEM - worked fine with a passphrase.
Not sure how you'd convert existing keys if you had to though.
Hi @kamikaze and @peterwishart - thanks for your interest in k3sup.
It appears that we added support for this a long time back in #8. Are you saying that your version of ssh-keygen is generating a key in a different encrypted format to the one we added support for? Are either of you interested in contributing?
Alex
Hi Alex.
As far as I can tell the problem is due to ssh-keygen changing its default format (and encryption) for private keys from OpenSSL PEM format to proprietary OpenSSH format.
I can see a related golang issue here but not entirely sure how to apply that to k3sup - will contribute a fix if I can work that out.
I have a somewhat related issue in the sense that I don't store any ssh key locally on my machine. Instead, I have my gpg auth subkey on a smart card, which gpg can export as an ssh key via gpg-agent to ssh-agent. It's probably a long shot, but do you have an idea how I could use k3sup in this setup?
My guess is that k3sup really expects a private key file to read from, which simply does not exist in my case (it's directly made available to the ssh agent from the smart card).
Thanks for the project btw :+1:. Just the blog posts surrounding this project are already a great resource for me to get some knowledge on this topic.
@peterwishart how did your investigations go, did you manage to prepare a patch?
There may be some support, in a version of Golang: https://go-review.googlesource.com/c/crypto/+/207600/ ("ssh: support encrypted OpenSSH private keys")
@mhemeryck there's a separate issue for your scenario over at #255
It also looks like Yubikeys do not integrate well with most versions of SSH, and require a much more recent package.
@kamikaze can you show me how to reproduce this? The instructions don't work for me, I need something like a Dockerfile command so that I can create an encrypted key like yours.
Thanks
/set title: Feature request: Support new-format of encrypted OpenSSH keys
@peterwishart how did your investigations go, did you manage to prepare a patch?
Hi Alex, I didn't, sorry. However, I just tried it in Ubuntu 20.04 and it worked. When I wind this Dockerfile back to k3sup 0.9.3 it repros the failure; it looks to have been fixed in 0.9.4 onwards.
FROM ubuntu:20.04
RUN apt update
RUN apt install -qqy ssh-tools curl
# Pre-seed tzdata so the openssh-server install does not stop at an interactive timezone prompt
RUN export DEBIAN_FRONTEND=noninteractive; \
    export DEBCONF_NONINTERACTIVE_SEEN=true; \
    echo 'tzdata tzdata/Areas select Etc' | debconf-set-selections; \
    echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections; \
    apt install -qqy --no-install-recommends openssh-server
# Passphrase-protected key in ssh-keygen's current default (OpenSSH) format; ssh-keygen creates /root/.ssh itself
RUN ssh-keygen -f /root/.ssh/id_rsa -N 12345678
RUN cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
RUN curl -sLS https://get.k3sup.dev | sh
# sshd must be running before k3sup install connects to localhost
CMD service ssh restart && k3sup install
With k3sup 0.9.6 it doesn't work for me:
the ssh-agent / ssh-add works as normal:
root@ubuntu-1804:~# ssh-add -l
256 SHA256:XXXXXXXXXXXXXXXXXXX ed25519-key (ED25519)
root@ubuntu-1804:~#
root@ubuntu-1804:~# ssh 127.0.0.1
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)
Last login: Mon Aug 24 17:20:40 2020 from xxxxx
root@ubuntu:~#
root@ubuntu:~# ssh $SERVER_IP
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
Last login: Mon Aug 24 17:38:42 2020 from xxxx
root@static:~#
but k3sup always tries to read the local, non-existent key:
root@ubuntu:~# k3sup install --ip $SERVER_IP
Running: k3sup install
Public IP: yyyyyyyy
Error: unable to load the ssh key with path "/root/.ssh/id_rsa": unable to read file: /root/.ssh/id_rsa, open /root/.ssh/id_rsa: no such file or directory
root@ubuntu:~# k3sup install --ip $SERVER_IP --user root
Running: k3sup install
Public IP: yyyyyyyy
Error: unable to load the ssh key with path "/root/.ssh/id_rsa": unable to read file: /root/.ssh/id_rsa, open /root/.ssh/id_rsa: no such file or directory
root@ubuntu:~#
@peterwishart I've not seen k3sup install used, does it just install to localhost?
Thanks for the repo for generating a key in the said format, that should allow us to create a key and try it out.
@woa7 how did you generate your key?
If you're trying to use an SSH agent, you may need to start it first, then set the appropriate ENV-var to be picked up by k3sup: SSH_AGENT_SOCK (I believe)
Alex
@peterwishart I've not seen k3sup install used, does it just install to localhost?
Yes it acts as if --ip 127.0.0.1 was passed, and installs locally via ssh.
It doesn't successfully install k3s in the container, this was just the bare minimum to trigger cannot decode encrypted private keys the way I found it before.
@alexellis can you please add an option to call the ssh binary from the OS? With this, openssh will take care of all "problems".
/lock: I believe this is now fixed