You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description
salt-ssh generates salt-ssh.rsa key when first run, or when run later and the file doesn't exist. It ignores the priv setting in the master config for checking if it should generate the file. This forces a RSA key even if another key file exists already.
Steps to Reproduce the behavior
I can confirm that this config does use the correct SSH key (./etc/salt/pki/master/ssh/salt-ssh.ed25519) however it also creates ./etc/salt/pki/master/ssh/salt-ssh.rsa if it's missing, making it not clear that it's using the overridden key.
Expected behavior
Don't create ./etc/salt/pki/master/ssh/salt-ssh.rsa if the specified priv file exits. If it doesn't exist, it would be nice to create it with a key type other than RSA if this is easy enough to guess (like my example of ed25519 as the extension)
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
Salt: 3006.9Python Version:
Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]Dependency Versions:
cffi: 1.16.0cherrypy: 18.6.1cryptography: 42.0.5dateutil: 2.8.1docker-py: Not Installedgitdb: Not Installedgitpython: Not InstalledJinja2: 3.1.4libgit2: 1.7.1looseversion: 1.0.2M2Crypto: Not InstalledMako: Not Installedmsgpack: 1.0.2msgpack-pure: Not Installedmysql-python: Not Installedpackaging: 22.0pycparser: 2.21pycrypto: Not Installedpycryptodome: 3.19.1pygit2: 1.14.0python-gnupg: 0.4.8PyYAML: 6.0.1PyZMQ: 23.2.0relenv: 0.17.0smmap: Not Installedtimelib: 0.2.4Tornado: 4.5.3ZMQ: 4.3.4System Versions:
dist: debian 12 bookwormlocale: utf-8machine: x86_64release: 6.1.0-26-amd64system: Linuxversion: Debian GNU/Linux 12 bookworm
Additional context
Running salt-ssh hostname -v -ltrace --state-verbose=False test.ping 2>&1 |grep 'Executing command' allows us to verify the SSH command being run. We can see the correct SSH command (e.g. [TRACE ] Executing command: /usr/bin/ssh 1.2.3.4 -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=./etc/salt/pki/master/ssh/salt-ssh.ed25519 -o User=root -o IdentitiesOnly=yes /bin/sh << 'EOF') using the specified keyfile, but the salt-ssh.rsa file has also been created.
The text was updated successfully, but these errors were encountered:
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!
Description
salt-ssh generates
salt-ssh.rsa
key when first run, or when run later and the file doesn't exist. It ignores thepriv
setting in the master config for checking if it should generate the file. This forces a RSA key even if another key file exists already.https://github.com/saltstack/salt/blob/master/salt/client/ssh/__init__.py#L314 is where
priv
is constructed, ignoring theroster_defaults
and then a few lines later creating the "missing" file as a RSA key.Setup
Debian package, LTS 3006
config/master
Steps to Reproduce the behavior
I can confirm that this config does use the correct SSH key (
./etc/salt/pki/master/ssh/salt-ssh.ed25519
) however it also creates./etc/salt/pki/master/ssh/salt-ssh.rsa
if it's missing, making it not clear that it's using the overridden key.Expected behavior
Don't create
./etc/salt/pki/master/ssh/salt-ssh.rsa
if the specifiedpriv
file exits. If it doesn't exist, it would be nice to create it with a key type other than RSA if this is easy enough to guess (like my example of ed25519 as the extension)Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)Additional context
Running
salt-ssh hostname -v -ltrace --state-verbose=False test.ping 2>&1 |grep 'Executing command'
allows us to verify the SSH command being run. We can see the correct SSH command (e.g.[TRACE ] Executing command: /usr/bin/ssh 1.2.3.4 -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=./etc/salt/pki/master/ssh/salt-ssh.ed25519 -o User=root -o IdentitiesOnly=yes /bin/sh << 'EOF'
) using the specified keyfile, but thesalt-ssh.rsa
file has also been created.The text was updated successfully, but these errors were encountered: