
authentication public-keys options quoting issue
Open, Low, Public, BUG

Description

A number of sshd authorized_keys file options, such as "command", "environment", "expiry-time", and "from" (see man 8 sshd) require quoting around the value - i.e. an authorized_keys line beginning with from="192.168.0.10" works as intended but a line beginning with from=192.168.0.10 does not.

Unfortunately, using VyOS 1.1.8 (and, going by the git history at least, the same seems to be the case with current master) this fails because the configuration doesn't allow quotes.

jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from='"192.168.0.24"'

  Cannot use the double quote (") character in a value string
  Value validation failed
  Set failed

jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from="'192.168.0.24'"

  Cannot use the single quote (') character in a value string
  Value validation failed
  Set failed

[edit]
jantman@apt-er01# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com options from=\"192.168.0.24\"

  Cannot use the double quote (") character in a value string
  Value validation failed
  Set failed

[edit]

It would be very helpful if quoting was supported so that options like from worked, as there are cases such as automation and backups where I'd like to be able to limit certain SSH keys to only working from certain LAN hosts.

Details

Difficulty level
Unknown (require assessment)
Version
1.1.8
Why the issue appeared?
Will be filled on close

Event Timeline

jantman created this task. Nov 7 2018, 1:36 AM
syncer triaged this task as Low priority. Nov 7 2018, 8:16 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.1.x, VyOS 1.2 Crux.
syncer added subscribers: c-po, dmbaturin, syncer.

Don't think that adding key options was ever supported.
@dmbaturin @c-po how do you think we can address this?

I'm pretty sure it's supported, whether intentional or not... on 1.1.8 it's right in the tab completion, with help and all:

# set system login user jantman authentication public-keys jantman@phoenix.jasonantman.com 
Possible completions:
   key          Public key value (base64-encoded)
   options      Additional public key options
   type         Public key type

The options that don't require quoting work perfectly, and show up in the corresponding user's authorized_keys file as intended. The only issue is with the quoting - i.e. I can add an option of from=192.168.0.24 and it gets populated into the user's authorized_keys file perfectly... but OpenSSH doesn't recognize it without the quotes, and the vyos cfg system doesn't allow the quotes.

pasik added a subscriber: pasik. Mar 12 2019, 6:09 PM
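
The quoting rule from the description can be checked before an options string is written into authorized_keys. The following is an added example, not part of the original task or of VyOS code: the function names are hypothetical, and the option list extends the four options named in the description with others that sshd(8) documents in the same option="value" form.

```python
import re

# Options the description lists as needing a quoted value, plus others
# that sshd(8) documents in the same option="value" form.
QUOTED_VALUE_OPTIONS = {
    "command", "environment", "expiry-time", "from",
    "permitlisten", "permitopen", "principals", "tunnel",
}

def split_options(field):
    """Split an options field on commas that are outside double quotes."""
    items, current, in_quotes, escaped = [], [], False, False
    for ch in field:
        if escaped:
            escaped = False          # character after a backslash is literal
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(current))
            current = []
            continue
        current.append(ch)
    items.append("".join(current))
    return [i for i in items if i]

def unquoted_options(field):
    """Return the options in `field` whose value lacks surrounding double quotes."""
    bad = []
    for item in split_options(field):
        name, sep, value = item.partition("=")
        if not sep or name.lower() not in QUOTED_VALUE_OPTIONS:
            continue  # flag-style option such as no-pty, or not in the list
        if not re.fullmatch(r'"(?:[^"\\]|\\.)*"', value):
            bad.append(item)
    return bad

# Constructed sample option strings (not taken from a real system).
SAMPLES = [
    'from=192.168.0.24',
    'from="192.168.0.24"',
    'no-pty,command="echo a,b",from=192.168.0.24',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", unquoted_options(s) or "ok")
```
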