Page MenuHomeVyOS Platform
Create Task
Maniphest T4826

Wrong key type is used for SSH SK public keys
Closed, ResolvedPublicBUG
Actions

Description

While setting up my FIDO keys for SSH access I noticed that I couldn't login after setting up a key with:

set system login user xxx authentication public-keys yubikey key '<public key>'
set system login user xxx authentication public-keys yubikey type 'ed25519-sk'

After checking what's generated into the authorized_keys file I noticed that the key was inserted with the type ed25519-sk while it should be [email protected], see https://man.openbsd.org/sshd_config#PubkeyAcceptedAlgorithms. This probably also affects the ecdsa variant.
Just to be sure I also manually corrected the type in the authorized_keys file, after which I could login just fine. It seems like the type used in the config is rendered literally into the keys file. Either the key type in the config needs to be renamed or the script has to do that while rendering.

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202211170318
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

DerEnderKeks created this task.Nov 17 2022, 1:54 PM
pasik added a subscriber: pasik.Nov 17 2022, 2:03 PM
Viacheslav added a subscriber: Viacheslav.Nov 17 2022, 9:12 PM

I guess it was implemented in the T4750
Should be easy to fix

Viacheslav added a comment.Nov 18 2022, 2:15 PM

PR https://github.com/vyos/vyos-1x/pull/1664

Viacheslav changed the task status from Open to Needs testing.Nov 18 2022, 8:40 PM
Viacheslav claimed this task.

@DerEnderKeks Could you check it in the next rolling release after 20221118?

DerEnderKeks added a comment.Nov 19 2022, 10:03 AM

It works as expected now on 1.4-rolling-202211190627, but my system failed to boot with the old key types in the config, so I had to remove them before switching to the new image. Thanks for the quick fix!

Error message with the old types in the config:

vyos-router[961]: Starting VyOS router: migrate configure
vyos-router[1980]:  failed!
vyos-config[972]: Configuration error
Viacheslav closed this task as Resolved.Nov 19 2022, 3:56 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Thanks
Don’t think that there should be a migration
As new keys were added several days ago.