
commit-archive scp/sftp public key authentication
Closed, Resolved (Public, ENHANCEMENT)

Description

commit-archive uses curl for scp/sftp which supports ssh public key auth.
It should check for keys in ~/.ssh of the user who is logged into config mode.
Theoretically we could just put the keypair into .ssh, but...

Trying this doesn't work.

vyos@vyos:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vyos/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/vyos/.ssh/id_rsa.
Your public key has been saved in /home/vyos/.ssh/id_rsa.pub.
The key fingerprint is:
e6:cf:f4:7d:35:70:36:be:3d:29:83:f9:63:11:9c:d0 vyos@vyos
The key's randomart image is:
+---[RSA 2048]----+
|            .    |
|           . E   |
|            o .  |
|             = + |
|        S     * .|
|       o     . o.|
|        . . o . *|
|         + + * +o|
|          o +.=..|
+-----------------+
vyos@vyos:~$ cat .ssh/id
id_rsa      id_rsa.pub
vyos@vyos# set system config-management commit-archive location sftp://backup-vyos@foo.bar/

[edit]
vyos@vyos# commit
Archiving config...
  sftp://foo.bar/ curl: (51) SSL peer certificate or SSH remote key was not OK
The authenticity of host 'foo.bar' can't be established.
RSA key fingerprint is <redacted>.
Are you sure you want to continue connecting (yes/no) [Yes]? yes
curl: (67) Authentication failure

 Failed!
[edit]

This is because curl looks for id_dsa instead of rsa.

vyos@vyos# curl -g -v -T test sftp://backup-vyos@foo.bar/
(...)
* Using ssh public key file /home/vyos/.ssh/id_dsa.pub
* Using ssh private key file /home/vyos/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
(...)

Passing --key and --pubkey works.

vyos@vyos# curl -g -v -T test --key /home/vyos/.ssh/id_rsa --pubkey /home/vyos/.ssh/id_rsa.pub sftp://backup-vyos@foo.bar/~/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.x.y.z...
* Connected to foo.bar (10.x.z.y) port 22 (#0)
* SSH MD5 fingerprint: <redacted>
* SSH host check: 0, key: <redacted>
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/vyos/.ssh/id_rsa.pub
* Using ssh private key file /home/vyos/.ssh/id_rsa
* Initialized SSH public key authentication
* Authentication complete
} [data not shown]
* We are completely uploaded and fine
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
* Connection #0 to host foo.bar left intact
[edit]

Also note the path is "/~/": this creates the file in the user's home directory. Just "/" doesn't mean the user's home as it does in some other utilities, and "/~" isn't enough. (This might be good to mention in the docs.)

Perhaps an option "commit-archive location <location> auth publickey [type rsa|dsa|...]" should be added, with the path defaulting to ~/.ssh/id_rsa{.pub}. Or maybe "auth publickey /path/to/key", with the user generating and storing keys in /config (I don't know if that would be secure).

vyatta-config-mgmt is still in Perl, so it would have to be rewritten according to the guidelines (this would be a major task for not much benefit).

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close

Related Objects

Status        Subtype          Assigned  Task
In progress   FEATURE REQUEST  None
Resolved      FEATURE REQUEST  erkin
Resolved      ENHANCEMENT      erkin

Event Timeline

jjakob triaged this task as Wishlist priority. Jul 4 2019, 11:06 AM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.
jjakob changed the subtype of this task from "Task" to "Enhancement".

Curl should only need the private key, since it will extract the public key from it on demand. In any case the private key should probably be password protected, and then you'd need some way of prompting for the password and providing it to curl using the --pass parameter.

I don't really like the idea of putting a private key file on the machine in the first place, so I've experimented with using my forwarded SSH agent (ssh -A user@host) to do public key authentication.

set system config-management commit-archive location scp://user@backuphost:/~/vyos/

works just fine, with no key files in ~/.ssh/.

This works on v1.3+, but fails on v1.2, maybe due to older libssh2/curl.

However,

copy file running://config/config.boot to scp://user@backuphost:/~/

fails with this error:

curl: (60) SSL peer certificate or SSH remote key was not OK
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Probably some extra parameters are getting added to the curl command line which confuses the ssh auth_type selection in curl.

Additionally, I've discovered that curl uses libssh2, which doesn't support newer host keys (e.g. the current default ed25519). Most hosts generate an RSA key as well, but using ssh to log into the remote host will, by default, only place the ed25519 host key in the authorized keys file. The following command:

ssh-keyscan <hostname> >>~/.ssh/known_hosts

will download and store all of the relevant host keys and enable curl to work as intended.

erkin claimed this task.
erkin added a subscriber: erkin.

commit-archive now uses Paramiko for SSH connections instead of curl and directly reads ~/.ssh/known_hosts if it exists.
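As an added example, not part of this task and not VyOS's own commit-archive code, here is a pure-Python host key check of the kind a Paramiko-based commit-archive performs when it reads ~/.ssh/known_hosts. It is an independent implementation, not Paramiko's HostKeys class, and every hostname, key and salt in it is a constructed sample value. It handles the hashed-hostname entries that HashKnownHosts and ssh-keyscan output can contain, [host]:port entries for non-default ports, and @revoked markers, and it distinguishes an unknown host (no entry of the requested key type, which is exactly what a libssh2 client asking for ssh-rsa sees when known_hosts only holds the ed25519 key, as in the comment above) from a changed key, which an archive job should treat as a failure rather than fall back to trust-on-first-use.

```python
"""Verify an SSH server's host key against an OpenSSH known_hosts file.

Added example, not VyOS or Paramiko code. Pure standard library, so it runs
offline; the keys, hostnames and salt below are constructed sample values.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build the wire blob of an ssh-ed25519 public key (type string + 32-byte key)."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: '|1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))'."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one comma-separated host field (plain or hashed entries) against hostname."""
    for item in pattern.split(","):
        if item.startswith("|1|"):
            _, _, salt_b64, mac_b64 = item.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
            actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, expected):
                return True
        elif item == hostname:
            return True
    return False


def check_host_key(known_hosts_text: str, hostname: str, port: int,
                   key_type: str, key_blob: bytes) -> str:
    """Return 'match', 'revoked', 'mismatch' or 'unknown' for the presented host key.

    'mismatch' means the file knows this host under the same key type but with a
    different key: the changed-key / possible man-in-the-middle case, which a
    client must refuse instead of silently accepting the new key.
    """
    # OpenSSH records non-default ports as [host]:port and port 22 as the bare name.
    lookup = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    seen_host = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                           # CA entries are not host keys
        hosts, ktype, key_b64 = fields[0], fields[1], fields[2]
        if ktype != key_type or not hostname_matches(hosts, lookup):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(key_b64), key_blob):
            return "revoked" if marker == "@revoked" else "match"
    return "mismatch" if seen_host else "unknown"


# Constructed sample data: not real keys, not a real known_hosts file.
BACKUP_KEY = bytes(range(32))
BACKUP_BLOB = ed25519_blob(BACKUP_KEY)
BACKUP_B64 = base64.b64encode(BACKUP_BLOB).decode()
SALT = b"0123456789abcdefghij"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "backup.example,10.0.0.5 ssh-ed25519 " + BACKUP_B64,
    hashed_hostname("[archive.example]:2222", SALT) + " ssh-ed25519 " + BACKUP_B64,
])


if __name__ == "__main__":
    print("fingerprint:", fingerprint_sha256(BACKUP_BLOB))
    for host, port, ktype, blob in [
        ("backup.example", 22, "ssh-ed25519", BACKUP_BLOB),
        ("archive.example", 2222, "ssh-ed25519", BACKUP_BLOB),
        ("backup.example", 22, "ssh-rsa", BACKUP_BLOB),       # only ed25519 is on file
        ("backup.example", 22, "ssh-ed25519", ed25519_blob(bytes(32))),
    ]:
        print(host, port, ktype, "->", check_host_key(SAMPLE_KNOWN_HOSTS, host, port, ktype, blob))
```

The third query in the demo reproduces the situation from the comment above: the file only has the host's ed25519 key, so a client that can only negotiate an RSA host key finds nothing and the result is "unknown", not "match". Running ssh-keyscan to append every key type, as suggested there, is what turns that into a "match"; a "mismatch" result should never be resolved by editing the file blindly.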