community.crypto.openssh_keypair: Add an option to specify the number of key derivation function rounds used for ed25519 SSH keys
SUMMARY
I would like to be able to specify the number of key derivation function rounds used when generating an ed25519 ssh key, just like with the command: ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
I am well aware that this feature request has been discussed in the past and it was closed because the openssh_keypair module wasn't able to handle passphrases back then.
AFAIK, now the module can handle passphrases!
ISSUE TYPE
- Feature Idea
COMPONENT NAME
community.crypto.openssh_keypair
ADDITIONAL INFORMATION
This would drastically increase the security of the generated SSH keys.
The -a 100 option specifies 100 rounds of key derivations, making your key's password harder to brute-force. source
Example:

    - name: Generate ssh keys
      community.crypto.openssh_keypair:
        path: /tmp/id_ed25519
        state: present
        type: ed25519
        kdf_rounds: 100
While openssh_keypair supports passwords now, we are not using ssh-keygen as the backend to generate keys with passwords. As far as I know, the backing library we use, cryptography, exposes no option to override the number of KDF rounds and defaults to 16.
Once https://github.com/pyca/cryptography/pull/7520 is released the openssh_keypair module can use the new API and expose a kdf_rounds option to module users.
That PR was merged into version 38.0.0, and the current version on PyPI is 41.0.1, so it seems the upstream functionality is in place!
(But I'm not a python dev, so I may be misunderstanding... please forgive me if I got it wrong!)
Also looking forward to this. The default of 16 rounds is quite low :open_mouth: :smile:
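As an added illustration (not code from this issue or from community.crypto), the following Python reads the bcrypt round count recorded in an OpenSSH private key, so existing keys generated with the 16-round default can be found, and shows generation with an explicit round count through the cryptography `encryption_builder()` API that the linked PR introduced. The layout follows OpenSSH's PROTOCOL.key; `build_header` is a constructed header-only fixture with no real key material.

```python
"""Parse the KDF settings of an OpenSSH private key (PROTOCOL.key layout:
magic "openssh-key-v1\\0", then SSH strings ciphername, kdfname, kdfoptions;
for kdfname "bcrypt" kdfoptions is  string salt || uint32 rounds)."""
import base64
import os
import struct

MAGIC = b"openssh-key-v1\0"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read an SSH 'string': uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def kdf_settings(key_text):
    """Return (cipher, kdf, rounds); rounds is None for an unencrypted key."""
    blob = base64.b64decode("".join(l.strip() for l in key_text.splitlines() if not l.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    opts, _ = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":
        _salt, off = _read_string(opts, 0)  # salt, then uint32 rounds
        (rounds,) = struct.unpack_from(">I", opts, off)
    return cipher.decode(), kdf.decode(), rounds


def generate_ed25519(password, rounds):
    """ed25519 key encrypted with `rounds` bcrypt rounds via cryptography >= 38
    (the encryption_builder API from pyca/cryptography PR 7520)."""
    from cryptography.hazmat.primitives import serialization as s
    from cryptography.hazmat.primitives.asymmetric import ed25519
    enc = s.PrivateFormat.OpenSSH.encryption_builder().kdf_rounds(rounds).build(password)
    key = ed25519.Ed25519PrivateKey.generate()
    return key.private_bytes(s.Encoding.PEM, s.PrivateFormat.OpenSSH, enc).decode()


def build_header(cipher, kdf, rounds):
    """Constructed fixture: armored header with no key material, enough to
    exercise kdf_settings without the cryptography package installed."""
    opts = _ssh_string(os.urandom(16)) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_TAIL])
```

Running `kdf_settings(open("~/.ssh/id_ed25519").read())` on a real key reports the rounds it was created with; `generate_ed25519(b"pw", 100)` needs cryptography 38 or newer and produces a key whose header reports 100.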