commit-archive uses curl for scp/sftp, which supports ssh public key auth.
It should check for keys in ~/.ssh of the user who is logged into config mode.
In theory we could just put the key pair into ~/.ssh, but...
Trying this doesn't work:
vyos@vyos:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vyos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vyos/.ssh/id_rsa.
Your public key has been saved in /home/vyos/.ssh/id_rsa.pub.
The key fingerprint is:
e6:cf:f4:7d:35:70:36:be:3d:29:83:f9:63:11:9c:d0 vyos@vyos
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . E |
| o . |
| = + |
| S * .|
| o . o.|
| . . o . *|
| + + * +o|
| o +.=..|
+-----------------+
vyos@vyos:~$ cat .ssh/id
id_rsa id_rsa.pub
vyos@vyos# set system config-management commit-archive location sftp://[email protected]/
[edit]
vyos@vyos# commit
Archiving config...
  sftp://foo.bar/ curl: (51) SSL peer certificate or SSH remote key was not OK
The authenticity of host 'foo.bar' can't be established.
RSA key fingerprint is <redacted>.
Are you sure you want to continue connecting (yes/no) [Yes]? yes
curl: (67) Authentication failure
  Failed!
[edit]
This is because curl, when no key is given, defaults to ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub rather than id_rsa:
vyos@vyos# curl -g -v -T test sftp://[email protected]/
(...)
* Using ssh public key file /home/vyos/.ssh/id_dsa.pub
* Using ssh private key file /home/vyos/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
(...)
Passing --key and --pubkey explicitly works:
vyos@vyos# curl -g -v -T test --key /home/vyos/.ssh/id_rsa --pubkey /home/vyos/.ssh/id_rsa.pub sftp://[email protected]/~/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.x.y.z...
* Connected to foo.bar (10.x.z.y) port 22 (#0)
* SSH MD5 fingerprint: <redacted>
* SSH host check: 0, key: <redacted>
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/vyos/.ssh/id_rsa.pub
* Using ssh private key file /home/vyos/.ssh/id_rsa
* Initialized SSH public key authentication
* Authentication complete
} [data not shown]
* We are completely uploaded and fine
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
* Connection #0 to host foo.bar left intact
[edit]
Also note the path is "/~/": this creates the file in the remote user's home directory. A bare "/" does not mean the user's home as it does in some other utilities (curl treats it as the filesystem root), and "/~" without the trailing slash isn't enough. (This might be worth mentioning in the docs.)
Perhaps an option "commit-archive location <location> auth publickey [type rsa|dsa|...]" should be added, with the path defaulting to ~/.ssh/id_rsa{,.pub}. Or maybe "auth publickey /path/to/key", with the user generating and storing the keys in /config (I don't know whether that would be secure).
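A sketch of what such an option could do, as an added example here and not code from vyatta-config-mgmt or VyOS: it looks for the config-mode user's key pair under ~/.ssh (preferring ed25519, then rsa, then dsa, which is an assumed order), rewrites the location so an empty or bare "/" path lands in the remote home via "/~/" as described above, and builds the curl command with --key/--pubkey. The function names, the key order, the dry-run design (the command is printed, not executed) and the host and user in the usage comment are all assumptions.

```shell
#!/bin/sh
# Added example, not code from vyatta-config-mgmt or VyOS: how a commit-archive
# handler could pick up the config-mode user's key pair and build the curl
# upload. Key-type preference, function names and the dry-run are assumptions.

# Print the private key path of the first key pair (private + .pub) found in
# the given ~/.ssh directory, preferring ed25519, then rsa, then dsa.
# Returns 1 if no usable pair exists.
find_ssh_key() {
    keydir=$1
    for name in id_ed25519 id_rsa id_dsa; do
        if [ -f "$keydir/$name" ] && [ -f "$keydir/$name.pub" ]; then
            printf '%s\n' "$keydir/$name"
            return 0
        fi
    done
    return 1
}

# Rewrite an sftp:// location so that an empty path, a bare "/" or a bare "/~"
# lands in the remote user's home: curl treats "sftp://host/" as the
# filesystem root, and only "/~/" means "home". An explicit absolute path
# such as sftp://host/backups/ is left untouched. Returns 1 for other schemes.
home_url() {
    url=$1
    case "$url" in
        sftp://*) ;;
        *) return 1 ;;
    esac
    rest=${url#sftp://}
    host=${rest%%/*}           # user@host or host (no slash inside)
    path=${rest#"$host"}       # everything from the first slash on, or empty
    case "$path" in
        ''|'/'|'/~') path=/~/ ;;
    esac
    printf 'sftp://%s%s\n' "$host" "$path"
}

# Print the curl command line that would upload file $1 to location $2 with
# the key pair found under $3/.ssh. Printed rather than run so the logic can
# be exercised without a server. "-g" disables curl's URL globbing so an IPv6
# literal in brackets passes through unchanged.
archive_cmd() {
    file=$1
    location=$2
    home=$3
    key=$(find_ssh_key "$home/.ssh") || {
        echo "no ssh key pair found in $home/.ssh" >&2
        return 1
    }
    url=$(home_url "$location") || {
        echo "unsupported location: $location" >&2
        return 1
    }
    printf 'curl -g -T %s --key %s --pubkey %s.pub %s\n' \
        "$file" "$key" "$key" "$url"
}

# Usage (assumed host and user; prints the command that would be run):
# archive_cmd /config/config.boot sftp://vyos@archive.example.net /home/vyos
```

Whatever form the option takes, the private key should stay owner-readable only (0600); if it carries a passphrase curl needs it via --pass, which would expose it on the command line, so an unencrypted key with tight permissions is the more likely fit for an unattended archive step.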
vyatta-config-mgmt is still in Perl, so it would have to be rewritten according to the guidelines (a major task for not much benefit).