the-bastion
Issue with adding ed25519 keys
Hello,
I've been trying to create an account with a key type "ed25519", but it fails with the following trace (debug enabled):
```
my-user@my-bastion(master)> accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"'
~ <361675:/opt/bastion/bin/shell/osh.pl> is_account_nonexpired: got lastlog date: 1656590244
~ <361675:/opt/bastion/bin/shell/osh.pl> Last account activity: 0 days ago
~ <361675:/opt/bastion/bin/shell/osh.pl> self=my-user home=/home/my-user realm= remoteself= sysself=my-user
~ <361675:/opt/bastion/bin/shell/osh.pl> user-passed options : -i --osh accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"'
~ <361675:/opt/bastion/bin/shell/osh.pl> remainingOptions <--account/new-user/--uid-auto/--comment/"new-user Developer access"/--public-key/"ssh-ed25519 aaaaaaa-suppresedf">
~ <361675:/opt/bastion/bin/shell/osh.pl> Going got pass the following supplement args to plugin: --account^new-user^--uid-auto^--comment^"new-user Developer access"^--public-key^"ssh-ed25519 aaaaaaa-suppresedf"
~ <361675:/opt/bastion/bin/shell/osh.pl> will work on IP
~ <361675:/opt/bastion/bin/shell/osh.pl> self : my-user
~ <361675:/opt/bastion/bin/shell/osh.pl> user : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> host : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> port : 22
~ <361675:/opt/bastion/bin/shell/osh.pl> verbose : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> tty : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> osh : accountCreate
~ <361675:/opt/bastion/bin/shell/osh.pl> command : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['/opt/bastion/bin/plugin/restricted/accountCreate','','','','','--account','new-user','--uid-auto','--comment','"new-user Developer access"','--public-key','"ssh-ed25519 aaaaaaa-suppresedf"']
~ <361675:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361676 to complete...
╭──the-bastion────────────────────────────────────────────the-bastion-3.08.01───
│ ▶ create a new bastion account
├───────────────────────────────────────────────────────────────────────────────
│
│ ⛔ This doesn't look like an SSH public key, accepted formats are RSA (>= 2048 bits)
│ ⛔ and if supported by the OS, ECDSA and Ed25519.
╰────────────────────────────────────────────────────────────</accountCreate>───
~ <361675:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361676 indefinitely
~ <361675:/opt/bastion/bin/shell/osh.pl> cmd returned with status 100
~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n']
~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361677 to complete...
~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361677): my-user bastion-users osh-accountListAccesses osh-accountMFAResetPassword osh-accountListEgressKeys osh-groupDelete osh-accountUnlock osh-selfDelPersonalAccess osh-accountListIngressKeys osh-selfAddPersonalAccess osh-accountInfo osh-accountList osh-realmList osh-accountModify osh-whoHasAccessTo osh-accountGrantCommand osh-accountMFAResetTOTP osh-groupCreate osh-accountUnexpire osh-realmDelete osh-accountDelPersonalAccess osh-accountCreate osh-realmCreate osh-accountPIV osh-realmInfo osh-accountDelete osh-accountAddPersonalAccess osh-accountRevokeCommand osh-accountGeneratePassword osh-accountListPasswords osh-rootListIngressKeys osh-auditor osh-admin keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta my-user-tty
~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361677 indefinitely
~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0
~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n','my-user']
~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361678 to complete...
~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361678): my-user osh-admin osh-auditor osh-rootListIngressKeys osh-accountListPasswords osh-accountGeneratePassword osh-accountRevokeCommand osh-accountAddPersonalAccess osh-accountDelete osh-realmInfo osh-accountPIV osh-realmCreate osh-accountCreate osh-accountDelPersonalAccess osh-realmDelete osh-accountUnexpire osh-groupCreate osh-accountMFAResetTOTP osh-accountGrantCommand osh-whoHasAccessTo osh-accountModify osh-realmList osh-accountList osh-accountInfo osh-selfAddPersonalAccess osh-accountListIngressKeys osh-selfDelPersonalAccess osh-accountUnlock osh-groupDelete osh-accountListEgressKeys osh-accountMFAResetPassword osh-accountListAccesses bastion-users my-user-tty keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta
~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361678 indefinitely
~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0
```
It failed like 10 times, then it magically worked; it seems to happen only with this type of key. I'm running bastion on AWS on a 20.04 instance with openssh 8.4.
My configuration on bastion has this type of key enabled, and the sshd config does allow it as well. I even added my ed key on the server and ssh'd into it without issues, but adding the key to myself on bastion also failed a couple of times before being added successfully.
What the script read wasn't parseable as a key, probably some issue with your terminal or copy/paste weirdness. I see you enabled debug mode; to help in those cases we could, in the error message, print out what was received by the script and couldn't be parsed as a key, which might help pinpoint the problem. If I push a dev branch with such debug enabled, would you be interested to test it on your AWS instance?
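As an added illustration of the check proposed here (show exactly what was received when a key fails to parse), the following validator is example code, not code from The Bastion: it parses an OpenSSH public-key line the way the error message describes (RSA >= 2048 bits or Ed25519, ECDSA left out for brevity) and, on rejection, echoes the offending input with `repr()`. The sample key and the bracketed-paste escape sequences wrapped around it are constructed for the example, not taken from the reporter's setup.

```python
import base64
import binascii

KEY_TYPES = {"ssh-rsa", "ssh-ed25519"}

def _ssh_string(blob, off):
    """Read one RFC 4251 string (4-byte big-endian length, then bytes) at offset off."""
    n = int.from_bytes(blob[off:off + 4], "big")
    if len(blob) < off + 4 or len(blob) < off + 4 + n:
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_pubkey_line(line):
    """Validate one authorized_keys-style line. Returns (ok, detail); on failure detail
    quotes the exact input that was rejected, which is what a debug message should show."""
    hidden = [c for c in line if not c.isprintable() and c not in "\r\n"]
    if hidden:  # escape sequences or control bytes a terminal paste can inject
        return False, f"non-printable characters in input: {hidden!r}"
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return False, f"expected '<type> <base64> [comment]', got {line.strip()!r}"
    ktype, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded, off = _ssh_string(blob, 0)
        if embedded != ktype.encode():
            return False, f"blob declares {embedded!r} but line says {ktype!r}"
        if ktype == "ssh-ed25519":
            point, off = _ssh_string(blob, off)
            if len(point) != 32:
                return False, f"Ed25519 key must be 32 bytes, got {len(point)}"
        else:  # ssh-rsa: exponent e, then modulus n, both as mpint strings
            _e, off = _ssh_string(blob, off)
            n, off = _ssh_string(blob, off)
            if int.from_bytes(n, "big").bit_length() < 2048:
                return False, "RSA modulus too small, need >= 2048 bits"
        if off != len(blob):
            return False, f"{len(blob) - off} trailing bytes after key blob"
    except (binascii.Error, ValueError) as exc:
        return False, f"cannot decode key blob {b64!r}: {exc}"
    return True, f"{ktype} key parsed cleanly"

def _ssh_str(b):  # encode an RFC 4251 string; used only to build the sample below
    return len(b).to_bytes(4, "big") + b

# Constructed sample, not a real key: a structurally valid Ed25519 line, and the same
# line wrapped in the ESC[200~ ... ESC[201~ markers a bracketed-paste terminal emits.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_str(b"ssh-ed25519") + _ssh_str(bytes(range(32)))).decode() + " new-user@example"
SAMPLE_PASTED = "\x1b[200~" + SAMPLE_ED25519 + "\x1b[201~"
```

Feeding the literal string from the trace above, `'"ssh-ed25519 aaaaaaa-suppresedf"'`, to `check_pubkey_line` is rejected at the type check, and the returned detail shows the quotes and the placeholder verbatim.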
I've used an ansible role to install the bastion, I guess that I'll need to build from source, I could test it next week ^^
If it helps, I'm running zsh as my shell with oh-my-zsh
I can give you the steps to swap branches manually. Depending on the configuration of your ansible role, you are either tracking the latest commit from the `master` branch, or the most recent tag (i.e. release), which is currently `v3.08.01`.
You can know which case is yours by logging in to the bastion as root and typing:
```
git -C /opt/bastion describe --exact-match --all
```
You'll either get `refs/master` or `tags/v3.08.01`. This'll be useful to roll back to the proper version once you're done testing.
Now, to get to the test branch I've just pushed:
```
git -C /opt/bastion fetch
git -C /opt/bastion checkout debug_addkey
/opt/bastion/bin/admin/fixrights.sh
```
You should get an additional debug line when trying to create an account in debug mode.
To revert to your previous production branch, either `git -C /opt/bastion checkout master` or `git -C /opt/bastion checkout v3.08.01`. Then, always do a `/opt/bastion/bin/admin/fixrights.sh` to ensure the file permissions are set correctly.
Alright, I'll test it when I can and post the results here
Alright, I'm going to test this out today or tomorrow. I'll add a couple of comments related to other issues I've found these days:
- Creating an account with TTL causes the user to expire, but the account still appears as active on bastion
- Creating an account from interactive mode results in the SSH key error from above, but this time with RSA public keys
It's really weird and hard to see what's going on under the hood.
The TTL issue has been fixed (it was a reporting error on the side of `accountInfo`; the TTL was correctly applied however).
Any news about the problem you faced with interactive mode?
Closing for inactivity and impossibility to reproduce (for the part in interactive mode), please reopen if the issue is still valid.