
authentication public-keys options quoting issue
Closed, Resolved | Public | BUG

Description

A number of sshd authorized_keys file options, such as "command", "environment", "expiry-time", and "from" (see man 8 sshd) require quoting around the value - i.e. an authorized_keys line beginning with from="192.168.0.10" works as intended but a line beginning with from=192.168.0.10 does not.

Unfortunately, using VyOS 1.1.8 (and, going by the git history at least, the same seems to be the case with current master) this fails because the configuration doesn't allow quotes.

jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from='"192.168.0.24"'

  Cannot use the double quote (") character in a value string
  Value validation failed
  Set failed

jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from="'192.168.0.24'"

  Cannot use the single quote (') character in a value string
  Value validation failed
  Set failed

[edit]
jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from=\"192.168.0.24\"

  Cannot use the double quote (") character in a value string
  Value validation failed
  Set failed

[edit]

It would be very helpful if quoting was supported so that options like from worked, as there are cases such as automation and backups where I'd like to be able to limit certain SSH keys to only working from certain LAN hosts.

Details

Version
1.1.8
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer triaged this task as Low priority. (Nov 7 2018, 8:16 AM)
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.1.x, VyOS 1.2 Crux.
syncer added subscribers: c-po, dmbaturin, syncer.

Don't think that adding key options ever was supported.
@dmbaturin @c-po how do you think we can address this?

I'm pretty sure it's supported, whether intentional or not... on 1.1.8 it's right in the tab completion, with help and all:

# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com 
Possible completions:
   key          Public key value (base64-encoded)
   options      Additional public key options
   type         Public key type

The options that don't require quoting work perfectly, and show up in the corresponding user's authorized_keys file as intended. The only issue is with the quoting - i.e. I can add an option of from=192.168.0.24 and it gets populated into the user's authorized_keys file perfectly... but OpenSSH doesn't recognize it without the quotes, and the vyos cfg system doesn't allow the quotes.
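A way to check a generated authorized_keys file for the condition described in this task, as an added example that is not part of the original thread or of VyOS: it parses the options field of each line and reports options from the list in the description (command, environment, expiry-time, from) whose value is not double-quoted. The function names and the sample lines are assumptions made for the illustration.

```python
import re

# Options the report lists as requiring a double-quoted value (see sshd(8)).
QUOTED_VALUE_OPTIONS = {"command", "environment", "expiry-time", "from"}
# A line that starts with a key type has no options field.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Return the options field as (name, raw_value) pairs; flags get None."""
    line = line.strip() + " "            # guarantees a terminating whitespace
    if line.startswith("#") or KEY_TYPE.match(line):
        return []
    fields, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line.startswith('\\"', i):
            cur, i = cur + '\\"', i + 2  # escaped quote stays inside the value
            continue
        if not in_quote and ch in ", \t":
            fields.append(cur)
            cur = ""
            if ch != ",":
                break                    # unquoted whitespace ends the options
        else:
            if ch == '"':
                in_quote = not in_quote
            cur += ch
        i += 1
    if in_quote:
        fields.append(cur)               # unterminated quote: keep it so it is flagged
    pairs = []
    for field in filter(None, fields):
        name, sep, value = field.partition("=")
        pairs.append((name.lower(), value if sep else None))
    return pairs

def unquoted_options(line):
    """Names of options whose value should be double-quoted but is not."""
    return [name for name, value in split_options(line)
            if name in QUOTED_VALUE_OPTIONS
            and not (value and len(value) >= 2 and value[0] == value[-1] == '"')]

# Constructed sample lines; the key material is a placeholder, not a real key.
SAMPLE = ['from="192.168.0.24" ssh-rsa AAAAplaceholder backup@lan',
          'from=192.168.0.24 ssh-rsa AAAAplaceholder backup@lan',
          'no-pty,command="/usr/bin/rsync --server, -a" ssh-ed25519 AAAAplaceholder sync@lan',
          'ssh-ed25519 AAAAplaceholder plain@lan']

def audit(lines):
    """Map 1-based line number to the offending option names."""
    return {n: bad for n, line in enumerate(lines, 1) if (bad := unquoted_options(line))}
```

Running `audit()` over the lines of a user's authorized_keys file after a configuration commit shows whether a restriction such as from was written in the quoted form.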

erkin set Is it a breaking change? to Unspecified (possibly destroys the router). (Sep 1 2021, 10:50 AM)
erkin set Issue type to Bug (incorrect behavior).

I fixed this in https://github.com/vyos/vyos-1x/pull/995 but must not have updated this task to reflect that.

I believe this task can be marked as completed and closed now

Viacheslav assigned this task to plett.