Add support for ecdsa ssh keys #13327

Merged 5 commits on Jan 11, 2024

chrisroberts
Member

Adds support for generating ecdsa ssh key pairs. This was prompted
by #13323 which raised the issue of ed25519 keys not being FIPS
compliant and causing connection issues. This PR adds a new option
to the ssh configuration providing the ability to specify a desired
key type:

```ruby
Vagrant.configure("2") do |config|
  config.ssh.key_type = :ecdsa521
end
```

Some monkey patching to the net-ssh library is included with this
PR that will be removed once the modifications can be added upstream.

Fixes #13323

Adds ECDSA key types (256, 384, and 521) to supported types that can be
generated for key replacement on guest.

Adds a new `key_type` option to the Vagrantfile ssh configuration. It
defaults to :auto which allows auto detection of key type to use.
Otherwise it can be set to an explicit type supported by Vagrant.

If key type is defined as :auto, detect best key type to use. If no
acceptable key type is detected as supported by the server, raise an
error. If unable to determine supported key types from the server,
fall back to original behavior of rsa type key.

If key type is defined as a custom value, use that type if the server
supports it, or if the supported types cannot be read. Otherwise, raise
an error informing the user that the key type is not supported.

This patches net-ssh so it will properly handle loading and using ecdsa
private keys. Patching is restricted to tested versions.
@chrisroberts chrisroberts merged commit 588d7ec into hashicorp:main Jan 11, 2024
12 checks passed
@chrisroberts chrisroberts deleted the ssh-ecdsa branch January 11, 2024 00:10
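
The key type selection rules described in the commit messages above, sketched as an added Ruby example (not code from this PR or from Vagrant). The method name, the error class, the preference order used for `:auto`, and the way the server's accepted algorithms are passed in are assumptions; the FIPS server list is constructed sample data.

```ruby
# Added illustration; every name here is hypothetical, not Vagrant's internals.
class UnsupportedKeyType < StandardError; end

# Key type => SSH signature algorithm names that indicate server support
# (names from RFC 4253, RFC 5656, RFC 8332 and RFC 8709).
KEY_ALGORITHMS = {
  ed25519:  %w[ssh-ed25519],
  ecdsa521: %w[ecdsa-sha2-nistp521],
  ecdsa384: %w[ecdsa-sha2-nistp384],
  ecdsa256: %w[ecdsa-sha2-nistp256],
  rsa:      %w[rsa-sha2-512 rsa-sha2-256 ssh-rsa],
}.freeze

# Assumed preference order for :auto; the PR text does not state one.
AUTO_PREFERENCE = %i[ed25519 ecdsa521 ecdsa384 ecdsa256 rsa].freeze

# configured:  :auto or an explicit key type from KEY_ALGORITHMS
# server_algs: algorithm names the server accepts, or nil if they could not be read
def select_key_type(configured, server_algs)
  unless configured == :auto || KEY_ALGORITHMS.key?(configured)
    raise ArgumentError, "unknown key type: #{configured.inspect}"
  end

  # Server support unknown: :auto falls back to rsa, an explicit type is used as is.
  if server_algs.nil?
    return configured == :auto ? :rsa : configured
  end

  candidates = configured == :auto ? AUTO_PREFERENCE : [configured]
  chosen = candidates.find { |type| (KEY_ALGORITHMS[type] & server_algs).any? }
  return chosen if chosen

  # Nothing the configuration allows is accepted by the server: raise, do not guess.
  raise UnsupportedKeyType,
        "no usable key type for #{configured.inspect}; server accepts: #{server_algs.join(', ')}"
end

# Constructed sample: a FIPS-mode guest that does not accept ssh-ed25519.
FIPS_SERVER = %w[
  ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
  rsa-sha2-512 rsa-sha2-256
].freeze

puts select_key_type(:auto, FIPS_SERVER) if __FILE__ == $PROGRAM_NAME
```

With the constructed FIPS list, an explicit `:ed25519` raises instead of installing a key the guest will refuse, which is the failure mode reported in #13323.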
@thepappas

Thanks @chrisroberts. Greatly appreciate it!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2024

Successfully merging this pull request may close these issues.

Ubuntu Pro FIPS enablement breaks Vagrant-created ed25519 ssh keys