Page MenuHomeVyOS Platform
Create Task
Maniphest T4750

Support of higher level SSH keys (sk-ssh-ed25519)
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Hi,

it would be great to support more ssh keys types for example sk-ssh-ed25519.
As far as I know the underlying OpenSSH already supports them.
So the only limitation is the VyOS configuration.

Details

Version
-
Is it a breaking change?
Perfectly compatible

Related Objects

Event Timeline

Unknown Object (User) created this task.Oct 14 2022, 11:56 AM
Unknown Object (User) edited a custom field.
Viacheslav subscribed.Oct 14 2022, 12:29 PM

We already have task T4720

Unknown Object (User) closed this task as Resolved.Oct 14 2022, 12:31 PM
Unknown Object (User) claimed this task.

My fault. Sorry.

Viacheslav added a comment.Oct 14 2022, 12:36 PM

Also, it should be enabled by default (at least in ssh documentation)
Could you check it?

Unknown Object (User) added a comment.Oct 14 2022, 12:38 PM

What do you mean by "enable by default"?
The issue is that, right now, we are unable to add these kind of ssh keys because the cli won't let you define the type.

Viacheslav added a comment.Oct 14 2022, 12:49 PM

I mean Linux man https://man7.org/linux/man-pages/man5/sshd_config.5.html

HostKeyAlgorithms
        Specifies the host key signature algorithms that the server
        offers.  The default for this option is:

           ssh-ed25519-cert-v01@openssh.com,
           ecdsa-sha2-nistp256-cert-v01@openssh.com,
           ecdsa-sha2-nistp384-cert-v01@openssh.com,
           ecdsa-sha2-nistp521-cert-v01@openssh.com,
           sk-ssh-ed25519-cert-v01@openssh.com,
           sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
           rsa-sha2-512-cert-v01@openssh.com,
           rsa-sha2-256-cert-v01@openssh.com,
           ssh-rsa-cert-v01@openssh.com,
           ssh-ed25519,
           ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
           sk-ssh-ed25519@openssh.com,
           sk-ecdsa-sha2-nistp256@openssh.com,
           rsa-sha2-512,rsa-sha2-256,ssh-rsa
Unknown Object (User) added a comment.Oct 14 2022, 12:58 PM

Ah, yea that is true.
They are enabled by default.

The only issue is the vyos cli that simply didn't know them.

pasik subscribed.Oct 14 2022, 1:05 PM
Viacheslav reopened this task as Open.Nov 1 2022, 8:00 AM

So the original task means that we don't have new CLI options in login keys
Missing sk-ssh-ed25519

vyos@r14# set system login user foo authentication public-keys foo type 
Possible completions:
   ssh-dss              None
   ssh-rsa              None
   ecdsa-sha2-nistp256  None
   ecdsa-sha2-nistp384  None
   ssh-ed25519          None
   ecdsa-sha2-nistp521
Viacheslav removed Unknown Object (User) as the assignee of this task.Nov 1 2022, 8:00 AM
Viacheslav mentioned this in T4720: Ability to configure SSH HostKeyAlgorithms.
c-po changed the task status from Open to In progress.Nov 1 2022, 8:03 AM
c-po claimed this task.
c-po mentioned this in rVYOSONEXf50f7b043a86: login: T4750: add ecdsa-sk and ed25519-sk as supported public key type.Nov 1 2022, 8:22 AM
c-po changed the task status from In progress to Needs testing.Nov 1 2022, 8:22 AM
c-po triaged this task as Normal priority.
c-po closed this task as Resolved.Nov 17 2022, 9:05 PM
Viacheslav mentioned this in T4826: Wrong key type is used for SSH SK public keys.Nov 17 2022, 9:12 PM