metal-api
Decline create request for unsupported ssh key
metalctl machine console is only working for supported SSH key algorithms. If a connection using an unsupported algorithm is started then the SSH handshake ends in error:
$ metalctl machine console 06562600-7004-11e9-8000-efbeaddeefbe
no ssh identity given using:/home/gopher/.ssh/id_rsa, another key can be specified with --sshidentity/-p
Error: machine console error:ssh: cannot decode encrypted private keys
The legacy key in this case was encrypted with "AES-128-CBC".
A received machine or firewall create request should be declined properly if it contains an unsupported SSH key. An unsupported SSH key is a valid SSH key that was encrypted using an algorithm that is not supported by our infrastructure.
But you must also consider checking the sshd server implementation of metal-console to ensure this golang-sshd server will also only accept/present valid ciphers.
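
A pre-flight check of the kind requested above, as an added example rather than code from metal-api or metalctl: it reads PEM private key material and reports whether it is passphrase-encrypted and with which cipher, so a caller can decline it with a clear message instead of failing in the handshake. It goes beyond the AES-128-CBC case by also recognising the OpenSSH key format and encrypted PKCS#8; the helper name keyEncryption and the sample key are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample (dummy IV and body, not a real key) with legacy PEM headers.
const samplePEM = `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
`

// keyEncryption (hypothetical helper) reports if PEM key material is encrypted and how.
func keyEncryption(data []byte) (bool, string, error) {
	block, _ := pem.Decode(data)
	switch {
	case block == nil:
		return false, "", errors.New("no PEM block")
	case strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"): // legacy PEM
		return true, strings.SplitN(block.Headers["DEK-Info"], ",", 2)[0], nil
	case block.Type == "ENCRYPTED PRIVATE KEY":
		return true, "pkcs8", nil // cipher is inside the ASN.1, not parsed here
	case block.Type != "OPENSSH PRIVATE KEY":
		return false, "", nil // plain PEM key without encryption headers
	}
	// OpenSSH format: magic, then a uint32-length-prefixed cipher name.
	rest := bytes.TrimPrefix(block.Bytes, []byte("openssh-key-v1\x00"))
	if len(rest) == len(block.Bytes) || len(rest) < 4 {
		return false, "", errors.New("malformed OpenSSH key")
	}
	n := binary.BigEndian.Uint32(rest)
	if uint64(n) > uint64(len(rest)-4) {
		return false, "", errors.New("malformed OpenSSH key")
	}
	name := string(rest[4 : 4+n])
	return name != "none", name, nil
}

func main() {
	fmt.Println(keyEncryption([]byte(samplePEM))) // true AES-128-CBC <nil>
}
```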