
updated ssh alg from RSA keys to Ed25519

Open mkadsv opened this issue 4 years ago • 6 comments

Github is dropping RSA keys and enforcing ED25519. See Github SSH Key Docs

Any users that just created an SSH key (Nov 3, 2021 or later) will run into a permissions error.

RSA keys (ssh-rsa) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm. Some older clients may need to be upgraded in order to use SHA-2 signatures.

mkadsv avatar Nov 05 '21 05:11 mkadsv

Thanks for the info. Are the new keys default-named to id_ed25519? I would think the name id_rsa may still be kept for posterity purposes.

If we were to switch this (or add it in), we'd want to still keep the old one there as well so we don't break the setup for existing users.

markshust avatar Nov 05 '21 16:11 markshust

If you create new ssh keys in Github the default name is id_ed25519.

To your point about existing users, instead of updating the yaml, maybe a simple comment like "If you recently updated your Github SSH Key after Nov 2, 2021, change the yaml..." during the Manual Setup Guide for the clone step might be the quickest solution for now: # bin/cli git clone git@github.com:magento/magento2.git .

mkadsv avatar Nov 05 '21 16:11 mkadsv

Thank you very much, I confirmed that is indeed the name of the SSH key.

Let me test to see if things still work and there are no weird errors if I add both to the configuration. I'd like to test to see if it still works with an older key present and not a new one, and vice versa. If everything works, I think we can have both entries there for the time being until GitHub nixes RSA's (which will set the standard for everyone moving forward to use the new encryption type).

More info at https://stefanbauer.me/articles/update-your-ssh-keys-to-ed25519

I'll keep this open while I do some additional testing.

markshust avatar Nov 06 '21 10:11 markshust

  • The file docker-compose.yml was changed
  • In the appvolumes section, id_rsa key is replaced with id_ed25519 key

what-the-diff[bot] avatar Dec 04 '22 21:12 what-the-diff[bot]

I've noticed some issues with even adding this mapping without testing first:

If the ~/.ssh/id_rsa file doesn't exist before running docker-compose, it'll create a directory with the path ~/.ssh/id_rsa/

The startup scripts really should test the file existence before mapping it as a volume, but they don't.

I feel the second-best solution is for the startup scripts to test for existence of each ~/.ssh/id_rsa and ~/.ssh/id_ed25519 and map any and all available.

Maybe I'm just complaining, but mapping the SSH key file seems like an incomplete solution [does not connect to SSH auth agent; does not account for servers having their own configs in ~/.ssh/config; does not account for git's credential.<URL> configs; cannot use PAM modules; doesn't use ~/.netrc]

...to a problem that doesn't really exist [unable to authenticate composer installs].

h3xx avatar Jan 24 '23 22:01 h3xx
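The existence check h3xx asks for, and the "any and all available" mapping, as an added example that is not part of docker-magento's own scripts: the first function emits a bind-mount argument only for key files that actually exist on the host, so Docker never gets a missing source path to turn into an empty directory; the second reports key paths that have already become directories, which is the symptom to look for after an unguarded run. The `.ssh` directory, the container home directory (`/var/www`) and the `-v` argument form are assumptions for the example, not values taken from the project.

```shell
#!/bin/sh
# Added example (not docker-magento's own code). Assumptions: the host
# key directory is ~/.ssh, the container home is /var/www, and keys are
# passed to "docker run"/compose as -v bind mounts.

# Print one "-v host:container:ro" argument per SSH key file that exists.
# Missing keys are skipped (reported on stderr) instead of being mapped,
# because a bind mount whose source is absent makes Docker create an empty
# directory at that path on the host (the ~/.ssh/id_rsa/ problem).
#   $1: host .ssh directory (default ~/.ssh)
#   $2: container home directory (default /var/www, an assumption)
ssh_key_volume_args() {
    ssh_dir="${1:-$HOME/.ssh}"
    container_home="${2:-/var/www}"
    for key in id_rsa id_ed25519; do
        if [ -f "$ssh_dir/$key" ]; then
            printf '%s\n' "-v $ssh_dir/$key:$container_home/.ssh/$key:ro"
        else
            printf 'skipping %s: not a regular file\n' "$ssh_dir/$key" >&2
        fi
    done
}

# Print key paths that are directories rather than files: the leftover of
# a previous run that mapped a key which did not exist. Deleting such an
# empty directory and generating or copying the key fixes the mount.
#   $1: host .ssh directory (default ~/.ssh)
stray_key_dirs() {
    ssh_dir="${1:-$HOME/.ssh}"
    for key in id_rsa id_ed25519; do
        if [ -d "$ssh_dir/$key" ]; then
            printf '%s\n' "$ssh_dir/$key"
        fi
    done
    return 0
}

# Usage (set SSH_KEY_DEMO=1 to run the functions against your own ~/.ssh):
if [ -n "${SSH_KEY_DEMO:-}" ]; then
    stray_key_dirs
    ssh_key_volume_args
fi
```

A startup script would call `ssh_key_volume_args` and splice the printed arguments into its `docker run` line (or write a compose override with one `volumes:` entry per printed path); with both an RSA and an Ed25519 key present, both get mapped, and with neither present nothing is mapped and `~/.ssh` stays untouched.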