manager icon indicating copy to clipboard operation
manager copied to clipboard
verified publisher icon ovh

Recue boot, cannot register more than 1 public key

Open 131 opened this issue 1 year ago • 5 comments

Have you already contacted our help centre?

  • [X] Yes, I have contacted the help centre.

Is there an existing issue for this?

  • [X] I have checked the existing issues

Describe the bug

On the manager , when configuring the rescue boot ssh-key, only the first key is used. (but the field is multi-line and is deceptive in this way) Using multiple keys allow me to register an OVH technician key in addition of my own

Steps To Reproduce

In the manager / dedicated server / rescue boot / configure 2 SSH key

Expected Behavior

The 2 public keys are present in /root/.ssh/authorized_keys, not only the 1st one.

What browsers are you using?

Firefox

Which devices are used?

Desktop

Additional information to add?

No response

131 avatar Jul 17 '24 12:07 131

@131 why do you need multiple SSH keys when booting into rescue ? Can you provide us more context ?

JayBeeDe avatar Jul 25 '24 12:07 JayBeeDe

I'd like to see this too. Needed this recently.

Joshua2504 avatar Jul 31 '24 12:07 Joshua2504

I'm asking more context because I don't really understand the use case where you would need multiple SSH keys for a rescue. Indeed, the rescue is designed to be a toolbox for troubleshooting purposes, not to be a live system. That's why we are not going to implement such feature, direction is to patch the regex to forbid this hack.

JayBeeDe avatar Jul 31 '24 13:07 JayBeeDe

It's just handy if you need to provide rescue access to more than 1 person/pubkey. But yes, to avoid confusion it's probably best to just remove the ability to provide more than one key.

Joshua2504 avatar Jul 31 '24 14:07 Joshua2504

Using multiple keys allow me to register an OVH technician key in addition of my own. Or working on the rescue with a pair for auditing different parts/tests and work more efficiently.

This « 1key » restriction will force users(myself) towards non standards process (e.g generating temporary private keys and having to distribute them to collaborate on a rescue system)

Other than dedicated private keys, when working on systems, i consider « pools » of trusted keys (Layer 0 IT admins) with no distinctions between then rather than one specific « developper » key.

This is the fist API i see that restrict me to use « only one key » and maybe, if not found anywhere else, it might be because this design never proved its worth.

131 avatar Aug 19 '24 05:08 131

ok thank you for the details. I understand better now this use case. But unfortunately rescue was not designed for this purpose.

I have deployed yesterday a patch in the backend to prohibit add of multiple SSH keys for rescue, OS installations, and SSH SerialOverLan. I am NOT going to implement it in the frontend because I don't want to make OVHcloud control panel heavier (would require additional check, not possible to patch existing regex in the 3 locations)

JayBeeDe avatar Oct 03 '24 09:10 JayBeeDe