
commit-archive scp/sftp public key authentication
Open, Wishlist, Public, Enhancement

Description

commit-archive uses curl for scp/sftp, which supports ssh public key auth.
It should check for keys in ~/.ssh of the user who is logged into config mode.
Theoretically we could just put the keypair into .ssh, but...

Trying this doesn't work.

vyos@vyos:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vyos/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/vyos/.ssh/id_rsa.
Your public key has been saved in /home/vyos/.ssh/id_rsa.pub.
The key fingerprint is:
e6:cf:f4:7d:35:70:36:be:3d:29:83:f9:63:11:9c:d0 vyos@vyos
The key's randomart image is:
+---[RSA 2048]----+
|            .    |
|           . E   |
|            o .  |
|             = + |
|        S     * .|
|       o     . o.|
|        . . o . *|
|         + + * +o|
|          o +.=..|
+-----------------+
vyos@vyos:~$ cat .ssh/id
id_rsa      id_rsa.pub
vyos@vyos# set system config-management commit-archive location sftp://backup-vyos@foo.bar/

[edit]
vyos@vyos# commit
Archiving config...
  sftp://foo.bar/ curl: (51) SSL peer certificate or SSH remote key was not OK
The authenticity of host 'foo.bar' can't be established.
RSA key fingerprint is <redacted>.
Are you sure you want to continue connecting (yes/no) [Yes]? yes
curl: (67) Authentication failure

 Failed!
[edit]

This is because curl looks for id_dsa instead of id_rsa.

vyos@vyos# curl -g -v -T test sftp://backup-vyos@foo.bar/
(...)
* Using ssh public key file /home/vyos/.ssh/id_dsa.pub
* Using ssh private key file /home/vyos/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
(...)

Passing --key and --pubkey works.

vyos@vyos# curl -g -v -T test --key /home/vyos/.ssh/id_rsa --pubkey /home/vyos/.ssh/id_rsa.pub sftp://backup-vyos@foo.bar/~/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.x.y.z...
* Connected to foo.bar (10.x.z.y) port 22 (#0)
* SSH MD5 fingerprint: <redacted>
* SSH host check: 0, key: <redacted>
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/vyos/.ssh/id_rsa.pub
* Using ssh private key file /home/vyos/.ssh/id_rsa
* Initialized SSH public key authentication
* Authentication complete
} [data not shown]
* We are completely uploaded and fine
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
100    10    0     0  100    10      0     19 --:--:-- --:--:-- --:--:--    19
* Connection #0 to host foo.bar left intact
[edit]

Also note the path is "/~/"; this creates the file in the user's home directory. Just "/" doesn't mean the user's home like in some other utilities, and "/~" isn't enough. (This might be good to mention in the docs.)

Perhaps an option "commit-archive location <location> auth publickey [type rsa|dsa|...]" should be added with the path defaulting to ~/.ssh/id_rsa{.pub}. Or maybe auth publickey /path/to/key with the user generating and storing keys in /config (don't know if it would be secure?)

vyatta-config-mgmt is still in Perl, so it would have to be rewritten according to the guidelines (this would be a major task for not much benefit).
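As an added example, not code from the ticket or from VyOS, here is a POSIX shell helper that does what the description asks for on the client side: it picks an existing key pair from a .ssh directory instead of relying on curl's id_dsa default, passes it explicitly with --key/--pubkey, and normalises the archive location so it ends in "/~/" and the upload lands in the remote user's home directory. The preference order of key types, the config file path /config/config.boot and the optional third argument for the .ssh directory are assumptions made for the example; the host foo.bar and user backup-vyos are taken from the ticket. The fixture key files are constructed (empty) so the example runs offline and never contacts a server; it only prints the curl command line.

```shell
#!/bin/sh
# Added example, not part of VyOS or of the ticket. Builds the curl
# invocation commit-archive would need for SFTP public key auth.

# Return the first private key in $1 (a .ssh directory) that has a matching
# .pub file. Key type preference order is an assumption of this example.
find_ssh_key() {
    dir="$1"
    for name in id_ed25519 id_ecdsa id_rsa id_dsa; do
        if [ -f "$dir/$name" ] && [ -f "$dir/$name.pub" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Make sure the location ends with "/~/": curl's SFTP backend treats a bare
# "/" as the filesystem root, and "/~" without the trailing slash is not
# enough either, as observed in the ticket.
home_relative_location() {
    loc="${1%/}"                     # drop one trailing slash, if any
    case "$loc" in
        *'/~') printf '%s/\n' "$loc" ;;
        *)     printf '%s/~/\n' "$loc" ;;
    esac
}

# Print the curl command that uploads file $2 to location $1 using the key
# found in $3 (default: ~/.ssh). Nothing is executed; the caller may eval it.
build_archive_cmd() {
    location="$1"; file="$2"; sshdir="${3:-$HOME/.ssh}"
    key=$(find_ssh_key "$sshdir") || {
        echo "no usable key pair in $sshdir" >&2
        return 1
    }
    printf 'curl -g -sS -T %s --key %s --pubkey %s.pub %s\n' \
        "$file" "$key" "$key" "$(home_relative_location "$location")"
}

# Constructed fixture: an empty "RSA" key pair in a temp directory, so the
# example runs offline and does not touch the real ~/.ssh.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/id_rsa"; : > "$tmp/id_rsa.pub"
    build_archive_cmd 'sftp://backup-vyos@foo.bar/' /config/config.boot "$tmp"
    rm -rf "$tmp"
}
demo
```

Run as-is and it prints the curl line for the fixture key; with a real key pair in ~/.ssh, `eval "$(build_archive_cmd sftp://backup-vyos@foo.bar/ /config/config.boot)"` performs the upload. Host key verification is still curl's business: the `(51) SSL peer certificate or SSH remote key was not OK` prompt from the ticket will appear until the server's key is in known_hosts.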

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

jjakob triaged this task as Wishlist priority. Jul 4 2019, 11:06 AM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.
jjakob changed the subtype of this task from "Task" to "Enhancement".