
Wrong key type is used for SSH SK public keys
Closed, Resolved | Public | BUG

Description

While setting up my FIDO keys for SSH access I noticed that I couldn't log in after setting up a key with:

set system login user xxx authentication public-keys yubikey key '<public key>'
set system login user xxx authentication public-keys yubikey type 'ed25519-sk'

After checking what's generated into the authorized_keys file I noticed that the key was inserted with the type ed25519-sk while it should be sk-ssh-ed25519@openssh.com, see https://man.openbsd.org/sshd_config#PubkeyAcceptedAlgorithms. This probably also affects the ecdsa variant.
Just to be sure I also manually corrected the type in the authorized_keys file, after which I could log in just fine. It seems like the type used in the config is rendered literally into the keys file. Either the key type in the config needs to be renamed or the script has to do that while rendering.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202211170318
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
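
One way to handle this on the rendering side, as the description suggests: map the short config type to the OpenSSH key type name and check it against the algorithm name embedded in the key blob before writing the authorized_keys line. This is an added example, not VyOS code; the mapping table, the function names, the `ecdsa-sk` config name and the all-zero sample key are assumptions.

```python
import base64
import struct

# Assumed mapping from short config type names to the key type names
# OpenSSH expects in authorized_keys (hypothetical table, not taken from
# the VyOS source; "ecdsa-sk" as a config name is an assumption).
SK_TYPE_MAP = {
    "ed25519-sk": "sk-ssh-ed25519@openssh.com",
    "ecdsa-sk": "sk-ecdsa-sha2-nistp256@openssh.com",
}


def blob_key_type(b64_key: str) -> str:
    """Return the algorithm name stored at the start of an SSH public key blob."""
    blob = base64.b64decode(b64_key, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])  # 4-byte big-endian length prefix
    name = blob[4:4 + length]
    if len(name) != length:
        raise ValueError("truncated key type field")
    return name.decode("ascii")


def render_authorized_key(config_type: str, b64_key: str, comment: str = "") -> str:
    """Build one authorized_keys line, refusing a type that contradicts the blob."""
    key_type = SK_TYPE_MAP.get(config_type, config_type)  # other types pass through
    embedded = blob_key_type(b64_key)
    if embedded != key_type:
        raise ValueError(
            f"config type {config_type!r} maps to {key_type!r}, "
            f"but the key blob declares {embedded!r}"
        )
    return " ".join(part for part in (key_type, b64_key, comment) if part)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (length prefix + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_sk_key() -> str:
    # Constructed sample blob: all-zero 32-byte public key, application "ssh:".
    blob = (ssh_string(b"sk-ssh-ed25519@openssh.com")
            + ssh_string(bytes(32))
            + ssh_string(b"ssh:"))
    return base64.b64encode(blob).decode("ascii")
```

Because the blob carries its own algorithm name, a mismatch between the configured type and the pasted key is caught at commit time instead of surfacing as a failed login.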

Event Timeline

I guess it was implemented in the T4750
Should be easy to fix

Viacheslav changed the task status from Open to Needs testing. Fri, Nov 18, 8:40 PM
Viacheslav claimed this task.

@DerEnderKeks Could you check it in the next rolling release after 20221118?

It works as expected now on 1.4-rolling-202211190627, but my system failed to boot with the old key types in the config, so I had to remove them before switching to the new image. Thanks for the quick fix!

Error message with the old types in the config:

vyos-router[961]: Starting VyOS router: migrate configure
vyos-router[1980]:  failed!
vyos-config[972]: Configuration error
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Thanks
Don’t think that there should be a migration
As new keys were added several days ago.