community.crypto icon indicating copy to clipboard operation
community.crypto copied to clipboard

Published 20 hours ago verified publisher icon ansible-collections

Different modes for private/public keys with `openssh_keypair`

Open lonix1 opened this issue 2 years ago • 11 comments

SUMMARY

The openssh_keypair sets the same mode for both private and public keys.

So mode: '0600' will set that mode for both keys. Typically the private key has 600 and the public has 644 (if not, then ssh won't read it, so I need to add another task to fix the permissions).

ISSUE TYPE
  • Feature Idea Another attribute, e.g. mode_public, which sets the mode just for the public key.
COMPONENT NAME

openssh_keypair

ADDITIONAL INFORMATION

As above.

- community.crypto.openssh_keypair:
  type: ed25519
  path: /home/me/.ssh/id_ed25519_foo
  mode: '0600'
  mode_public: '0644'             # <------------------

lonix1 avatar Jun 26 '23 04:06 lonix1

Afair mode is inherited from the general set of parameters for file based modules. It might be better to remove mode completely and replace it with mode_private and mode_public (or similar) because only adding it for one of the two keys also seems not very intuitive especially if that one is left out.

MarkusTeufelberger avatar Jun 26 '23 09:06 MarkusTeufelberger

Agreed.

The breaking change may annoy some people though. Maybe a compromise:

  • mode: sets permissions for both keys
  • mode_private: sets permissions for just the private key
  • mode_public: sets permissions for just the public key

(And if you want, you could mark mode as deprecated, to be removed in a future version.)

lonix1 avatar Jun 26 '23 12:06 lonix1

It's not so simple to remove mode. You would end up affecting all the file parameters.

You can certainly keep mode and then override using mode_private and mode_public, but then again you could do the same thing by setting mode to the more restrictive of the two files and use a follow-up file task to update the public key mode.

I don't have a strong opinion about what the best interface for this is, but given this is cryptographic material we should be as safe as possible at the time of creation.

Ajpantuso avatar Jun 26 '23 12:06 Ajpantuso

The follow-up task workaround would create idempotence issues. However, I'm not so sure about the initial statement here:

The openssh_keypair sets the same mode for both private and public keys.

By default, private keys are set to 600 and public keys to 644, so the mode attribute should not be necessary in the first place unless some other settings than those are intended. I would understand if you need different modes than 600 and 644, but the use case in the initial description would already work with:

- community.crypto.openssh_keypair:
    type: ed25519
    path: /home/me/.ssh/id_ed25519_foo

MarkusTeufelberger avatar Jun 26 '23 12:06 MarkusTeufelberger

Correct, using the follow-up task would trigger a change on every run.

And yes by default not setting mode will result in 0600 for the private key and 0644 for the public key.

I think the only case where you would want to set mode for this module is if you actually want the public key to be more restricted.

Setting the private key less restrictive historically would cause issues with ssh-keygen since OpenSSH requires that private keys be protected. So mode itself has always had limited functionality with this module.

Ajpantuso avatar Jun 26 '23 13:06 Ajpantuso

Sorry I'm not an insider, so some of this went over my head.

Are you saying that my problem is that I actually used mode in the first place? So if I want the 600/644 convention, I must not specify mode?

lonix1 avatar Jun 26 '23 13:06 lonix1

Yes... just tested it. The trick is NOT to set mode to begin with. :-) Thanks.

It would probably help others if the the docs had a one liner on this.

lonix1 avatar Jun 26 '23 13:06 lonix1

I tried to do a PR to add that to the docs, but for reasons I don't understand, mode doesn't appear in the source for that doc. (I just clicked the "edit" button, forked, and the file that I'm looking at doesn't have "mode".)

UPDATE: Aah, it's a template. Well I'm not a python dev, so can't really help here! :smile:

lonix1 avatar Jun 26 '23 13:06 lonix1

This is already in there:

In the case a custom mode, group, owner, or other file attribute is provided it will be applied to both key files.

But yes, it might also help to document explicitly that by default 600/644 permissions will be applied. The documentation for mode and some other parameters comes from Ansible itself (https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/basic.py#L253-L261), I'd add the info down at "notes".

Edit: Here: https://github.com/ansible-collections/community.crypto/blob/57a8c7e65230e427da11bfd5ae72bf1319699fa9/plugins/modules/openssh_keypair.py#L142

MarkusTeufelberger avatar Jun 26 '23 13:06 MarkusTeufelberger

You are right! Sorry, missed that. I always look into the corresponding parameter row in the table.

lonix1 avatar Jun 26 '23 13:06 lonix1

Nah, it is kinda unintuitive sometimes. Thanks for helping out and working on a solution! :-)

MarkusTeufelberger avatar Jun 26 '23 13:06 MarkusTeufelberger