Can't push with ssh-ed25519 keys

Open amingilani opened this issue 8 years ago • 10 comments

Currently I can keys:add my primary ssh-ed25519 ssh key but I can't push, and have to rely on my alt RSA key.

GitHub lets me push using my primary ssh-ed25519, and I can log in as core@coreOS using my ssh-ed25519 just fine.

Steps to reproduce:

  1. Create a new key using ssh-keygen -o -a 100 -t ed25519
  2. Add the key to Deis
  3. Create and push using the key

amingilani avatar Nov 05 '16 21:11 amingilani

Whatever key the git client passes during git push deis master is the one used by Deis to authenticate. So you should be able to use an ssh-ed25519 key if you can make the git client use it for ssh.

kmala avatar Nov 08 '16 20:11 kmala

@kmala here:

Checking to make sure my key exists on deis

$ deis keys:list
=== amin_shah Keys
[email protected] ssh-ed25519 AAAA...bull.local
gilani@redbull       ssh-rsa AAAAB3Nz...ni@redbull

Testing git push

# Using RSA key on Github
$ GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -F /dev/null" git push github master
Everything up-to-date

# Using ED25519 key on Github
$ GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519 -F /dev/null" git push github master
Everything up-to-date

# Using RSA key on Deis
$ GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -F /dev/null" git push deis master
Everything up-to-date

# Using ED25519 key on Deis
$ GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519 -F /dev/null" git push deis master
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

amingilani avatar Nov 08 '16 20:11 amingilani

@kmala could you independently run the following? The command to generate an ed25519 key is ssh-keygen -o -a 100 -t ed25519

amingilani avatar Nov 08 '16 20:11 amingilani

Yes... I get the same behavior, but the weird thing is the server is getting the rsa key and not the ed25519 key even when using the GIT_SSH_COMMAND.

kmala avatar Nov 08 '16 21:11 kmala
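
Added example, not part of the original thread or of Deis: a filter for `ssh -v` output that lists each key the client offered and whether the server accepted it, useful when a different key than the one passed with -i appears to reach the server. The function name summarize_ssh_debug is hypothetical and both debug logs are constructed samples.

```shell
#!/bin/sh
# Summarize which keys an OpenSSH client offered, read from `ssh -v` output
# on stdin. Paths containing spaces are not handled.
# Typical use (ssh writes debug lines to stderr, hence 2>&1):
#   GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_ed25519 -F /dev/null" \
#       git push deis master 2>&1 | summarize_ssh_debug
summarize_ssh_debug() {
    awk '
    # Newer clients: "debug1: Offering public key: PATH TYPE SHA256:... explicit"
    /^debug1: Offering public key: / { n++; path[n] = $5; type[n] = $6; next }
    # Older clients: "debug1: Offering TYPE public key: PATH"
    /^debug1: Offering [A-Z0-9-]+ public key: / { n++; type[n] = $3; path[n] = $6; next }
    # The server answers the most recent offer.
    /^debug1: Server accepts key: / { accepted = n; next }
    /^Permission denied \(publickey/ { denied = 1 }
    END {
        for (i = 1; i <= n; i++) {
            status = (i == accepted) ? "accepted" : "rejected"
            print status, type[i], path[i]
        }
        r = denied ? "denied" : (accepted ? "authenticated" : "unknown")
        print "result", r
    }'
}

# Constructed sample (older debug format): the ed25519 key is offered first,
# then an RSA key the client also holds is offered and accepted.
sample_fallback() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: /home/user/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
EOF
}

# Constructed sample (newer debug format): only the ed25519 key is offered.
sample_denied() {
    cat <<'EOF'
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

sample_fallback | summarize_ssh_debug
sample_denied | summarize_ssh_debug
```

A key listed as rejected was offered to the server but did not receive a "Server accepts key" reply before the client moved on to the next one.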

On further investigation I found that this is happening only for ed25519 keys... I am able to use different keys using the GIT_SSH_COMMAND.

kmala avatar Nov 08 '16 23:11 kmala

Not sure if this is relevant (fly-by comment) but we only generate rsa, dsa and ecdsa host keys for the builder: https://github.com/deis/charts/blob/master/workflow-dev/tpl/deis-builder-secret-ssh-private-keys.yaml#L10-L13

Perhaps that is relevant?

bacongobbler avatar Nov 08 '16 23:11 bacongobbler

Upon further investigation, I found that the golang ssh implementation doesn't support ed25519 keys: https://github.com/golang/go/issues/8581. The issue is fixed but isn't released.

kmala avatar Nov 09 '16 17:11 kmala

This has been fixed upstream, so we should be able to accept ed25519 keys if someone feels like hacking up a PR for the controller and the builder. :)

bacongobbler avatar Mar 27 '17 22:03 bacongobbler

It was fixed long back but isn't released in any release.

kmala avatar Mar 28 '17 06:03 kmala

This issue was moved to teamhephy/workflow#46

Cryptophobia avatar Mar 20 '18 20:03 Cryptophobia