
openssh_keypair: Allow strong passphrases (more than 72 bytes)

Open 4wk- opened this issue 3 years ago • 5 comments

SUMMARY

It could be really great to make community.crypto.openssh_keypair work with somewhat-long passphrases. At the moment, it seems to have a limitation from python3-cryptography or python3-bcrypt that limits the password length we can supply.

Example with a 10-word passphrase generated with diceware:

unexpected error occurred: Passwords longer than 72 bytes are not supported by OpenSSH private key format

NB: using ssh-keygen directly through the CLI works fine, even with 20+ word passphrases, so that's not a limitation of OpenSSH really.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

community.crypto.openssh_keypair

ADDITIONAL INFORMATION

A good and strong passphrase is, to me, 10 words (or more). Because of this limit, I cannot use the great openssh_keypair module. https://www.useapassphrase.com/ https://theworld.com/~reinhold/dicewarefaq.html#howlong https://cryptography.io/en/3.1/_modules/cryptography/hazmat/primitives/serialization/ssh/

4wk- avatar Jul 18 '22 12:07 4wk-

Another link: https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/serialization/ssh.py#L56

felixfontein avatar Jul 19 '22 16:07 felixfontein

Didn't see any good reason why the 72 character limit was introduced on the cryptography side so I filed https://github.com/pyca/cryptography/issues/7436 to look into this.

Ajpantuso avatar Jul 19 '22 17:07 Ajpantuso

https://github.com/pyca/cryptography/pull/7439 fixes this.

felixfontein avatar Jul 20 '22 20:07 felixfontein

Now that cryptography 38.0.x is out, I guess this one is basically resolved?

felixfontein avatar Sep 19 '22 18:09 felixfontein

Yep, upstream fix should be in now.

Ajpantuso avatar Sep 19 '22 18:09 Ajpantuso

Thanks @felixfontein @Ajpantuso but it seems I still face the same issue as of today:

"msg": "unexpected error occurred: Passwords longer than 72 bytes are not supported by OpenSSH private key format"

I've upgraded my host setup to Debian 12.6 (used through WSL 2), and Ansible (installed with pipx):

ansible [core 2.17.2]
  config file = /home/foobar/ansible/ansible.cfg
  configured module search path = ['/home/foobar/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/pipx/venvs/ansible/lib/python3.11/site-packages/ansible
  ansible collection location = /home/foobar/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] (/opt/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True

As far as I understand it, my current cryptography version is 42.0.8, correct?

$ ls -l /opt/pipx/venvs/ansible/lib/python3.11/site-packages
drwxr-xr-x 20 root root    4096 Jul 16 18:09 ansible
drwxr-xr-x  2 root root    4096 Aug  8 10:37 ansible-10.2.0.dist-info
drwxr-xr-x 51 root root    4096 Aug  8 10:36 ansible_collections
drwxr-xr-x  2 root root    4096 Jul 16 18:09 ansible_core-2.17.2.dist-info
drwxr-xr-x  7 root root    4096 Jul 16 18:09 ansible_test
drwxr-xr-x  3 root root    4096 Jul 16 18:09 cffi
drwxr-xr-x  2 root root    4096 Jul 16 18:09 cffi-1.16.0.dist-info
-rwxr-xr-x  1 root root 1064368 Jul 16 18:09 _cffi_backend.cpython-311-x86_64-linux-gnu.so
drwxr-xr-x  5 root root    4096 Jul 16 18:09 cryptography
drwxr-xr-x  2 root root    4096 Jul 16 18:09 cryptography-42.0.8.dist-info
drwxr-xr-x  3 root root    4096 Jul 16 18:09 jinja2
drwxr-xr-x  2 root root    4096 Jul 16 18:09 jinja2-3.1.4.dist-info
drwxr-xr-x  3 root root    4096 Jul 16 18:09 markupsafe
drwxr-xr-x  2 root root    4096 Jul 16 18:09 MarkupSafe-2.1.5.dist-info
drwxr-xr-x  3 root root    4096 Jul 16 18:09 packaging
drwxr-xr-x  2 root root    4096 Jul 16 18:09 packaging-24.1.dist-info
-rw-r--r--  1 root root      60 Jul 16 18:09 pipx_shared.pth
drwxr-xr-x  4 root root    4096 Jul 16 18:09 pycparser
drwxr-xr-x  2 root root    4096 Jul 16 18:09 pycparser-2.22.dist-info
drwxr-xr-x  2 root root    4096 Jul 16 18:09 PyYAML-6.0.1.dist-info
drwxr-xr-x  4 root root    4096 Jul 16 18:09 resolvelib
drwxr-xr-x  2 root root    4096 Jul 16 18:09 resolvelib-1.0.1.dist-info
drwxr-xr-x  3 root root    4096 Jul 16 18:09 _yaml
drwxr-xr-x  3 root root    4096 Jul 16 18:09 yaml

What am I doing wrong here? Any idea? 🙏

4wk- avatar Aug 08 '24 09:08 4wk-

@4wk- are you sure that the module is actually running with the cryptography version you're showing? Modules usually run in different environments than the controller environment.

You could add a task with community.general.pip_package_info (https://docs.ansible.com/ansible/latest/collections/community/general/pip_package_info_module.html) to see which packages (and versions) are there in the target environment.

felixfontein avatar Aug 08 '24 09:08 felixfontein

@felixfontein My bad, you're correct. After updating the remote, it worked!

So, this issue is fixed! community.crypto.openssh_keypair is now working with passphrases 🎉 (make sure to have python3-bcrypt installed on the nodes)

4wk- avatar Aug 08 '24 14:08 4wk-
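One way to combine the diagnostic suggested by felixfontein (inspect the target's Python environment, not the controller's) with the bcrypt caveat from the closing comment, as an added example that is not part of the original thread or of the collection itself: a playbook that queries the target with community.general.pip_package_info and aborts before openssh_keypair runs if cryptography predates the 38.0 fix or bcrypt is absent. Assumptions: the target's pip executable is named pip3, and the key path and the 73-byte passphrase are constructed values for illustration.

```yaml
# Added example, not code from the issue thread or the community.crypto project.
# Checks the *target* environment before generating a key with a >72-byte passphrase.
- name: Generate an OpenSSH key with a long passphrase only where the target can handle it
  hosts: all
  vars:
    # Constructed 10-word diceware-style passphrase: 73 bytes, just over the old limit.
    # In real use, load this from Ansible Vault instead of a plain variable.
    long_passphrase: "correct horse battery staple glacier lantern pumpkin violin meadow quartz"
    # Constructed path for illustration.
    key_path: /home/foobar/.ssh/id_ed25519_deploy
  tasks:
    - name: List Python packages installed in the target environment (not the controller)
      community.general.pip_package_info:
        clients:
          - pip3            # assumption: the target's pip is on PATH under this name
      register: target_pip

    - name: Fail early if cryptography is older than 38.0 or bcrypt is missing
      ansible.builtin.assert:
        that:
          - "'cryptography' in target_pip.packages.pip3"
          - target_pip.packages.pip3.cryptography[0].version is version('38.0.0', '>=')
          - "'bcrypt' in target_pip.packages.pip3"
        fail_msg: >-
          OpenSSH passphrases longer than 72 bytes need cryptography >= 38.0 and
          bcrypt on the target; found: {{ target_pip.packages.pip3 | default({}) }}

    - name: Generate the key pair with the cryptography backend and the long passphrase
      community.crypto.openssh_keypair:
        path: "{{ key_path }}"
        type: ed25519
        passphrase: "{{ long_passphrase }}"
        backend: cryptography
```

If the assert fails on a host, upgrading cryptography and bcrypt in the interpreter the module actually runs under (the one reported by pip_package_info) resolves the "Passwords longer than 72 bytes" error, as the thread above concludes.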