[BUG] salt-ssh generates salt-ssh.rsa even if a default priv is specified and is different #67117

Open
2 tasks done
timwhite opened this issue Dec 21, 2024 · 2 comments
Labels
Bug broken, incorrect, or confusing behavior needs-triage

Comments

@timwhite

Description
salt-ssh generates the salt-ssh.rsa key when first run, or when run later and the file doesn't exist. It ignores the priv setting in the master config when checking whether it should generate the file. This forces an RSA key even if another key file already exists.

https://github.com/saltstack/salt/blob/master/salt/client/ssh/__init__.py#L314 is where priv is constructed, ignoring the roster_defaults and then a few lines later creating the "missing" file as an RSA key.

Setup
Debian package, LTS 3006

  • on-prem machine
  • classic packaging

config/master

```yaml
root_dir: ./

file_roots:
  base:
    - ./srv/salt

pillar_roots:
  base:
    - ./srv/pillar

fileserver_backend:
  - roots

roster_defaults:
  priv: ./etc/salt/pki/master/ssh/salt-ssh.ed25519
  user: root

ssh_identities_only: True
ssh_use_home_key: False
```

Steps to Reproduce the behavior
I can confirm that this config does use the correct SSH key (./etc/salt/pki/master/ssh/salt-ssh.ed25519); however, it also creates ./etc/salt/pki/master/ssh/salt-ssh.rsa if it's missing, making it unclear that it's using the overridden key.

Expected behavior
Don't create ./etc/salt/pki/master/ssh/salt-ssh.rsa if the specified priv file exists. If it doesn't exist, it would be nice to create it with a key type other than RSA if this is easy enough to guess (like my example of ed25519 as the extension).

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```
Salt Version:
          Salt: 3006.9

Python Version:
        Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: 18.6.1
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: 1.7.1
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: 1.14.0
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.17.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: debian 12 bookworm
        locale: utf-8
       machine: x86_64
       release: 6.1.0-26-amd64
        system: Linux
       version: Debian GNU/Linux 12 bookworm
```

Additional context
Running `salt-ssh hostname -v -ltrace --state-verbose=False test.ping 2>&1 |grep 'Executing command'` allows us to verify the SSH command being run. We can see the correct SSH command (e.g. `[TRACE ] Executing command: /usr/bin/ssh 1.2.3.4 -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=./etc/salt/pki/master/ssh/salt-ssh.ed25519 -o User=root -o IdentitiesOnly=yes /bin/sh << 'EOF'`) using the specified keyfile, but the salt-ssh.rsa file has also been created.
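The key selection described in this report, sketched as an added example (not Salt's code and not written by the reporter). `effective_priv`, `guess_key_type` and `plan` are hypothetical helpers; the precedence of `ssh_priv` over `roster_defaults.priv` and the set of recognised extensions are assumptions. `stray_default` marks the reported condition: a default `salt-ssh.rsa` present on disk although a different key is configured.

```python
import os
import tempfile

DEFAULT_NAME = "salt-ssh.rsa"              # default file name from the issue
KNOWN_TYPES = {"rsa", "ed25519", "ecdsa"}  # assumption: extensions worth guessing from

def effective_priv(opts):
    """Return (path, source) of the key to use, most specific setting first."""
    if opts.get("ssh_priv"):               # assumption: ssh_priv wins over roster_defaults
        return opts["ssh_priv"], "ssh_priv"
    priv = (opts.get("roster_defaults") or {}).get("priv")
    if priv:
        return priv, "roster_defaults.priv"
    return os.path.join(opts["pki_dir"], "ssh", DEFAULT_NAME), "default"

def guess_key_type(path):
    """Guess the key type from the file extension, falling back to rsa."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext if ext in KNOWN_TYPES else "rsa"

def plan(opts):
    """Describe what should happen at startup, without writing anything."""
    priv, source = effective_priv(opts)
    default = os.path.join(opts["pki_dir"], "ssh", DEFAULT_NAME)
    overridden = os.path.abspath(priv) != os.path.abspath(default)
    return {
        "priv": priv,
        "source": source,
        # Only a missing *configured* key is a reason to generate one.
        "generate": None if os.path.exists(priv) else guess_key_type(priv),
        # A default RSA file next to an overridden key deserves an audit finding.
        "stray_default": overridden and os.path.exists(default),
    }

def demo():
    """Constructed layout: an ed25519 key is configured, then an RSA file appears."""
    with tempfile.TemporaryDirectory() as pki:
        ssh_dir = os.path.join(pki, "ssh")
        os.makedirs(ssh_dir)
        ed = os.path.join(ssh_dir, "salt-ssh.ed25519")
        opts = {"pki_dir": pki, "roster_defaults": {"priv": ed, "user": "root"}}
        missing = plan(opts)                   # configured key not on disk yet
        open(ed, "w").close()
        present = plan(opts)                   # configured key exists
        open(os.path.join(ssh_dir, DEFAULT_NAME), "w").close()
        stray = plan(opts)                     # the state the issue observes
        return missing, present, stray, plan({"pki_dir": pki})
```
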

@timwhite timwhite added Bug broken, incorrect, or confusing behavior needs-triage labels Dec 21, 2024

welcome bot commented Dec 21, 2024

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

@timwhite
Author

This also breaks `--key-deploy`, as the key deploy routine uses the `get_pubkey` function, which ends up doing the same thing and only gives the RSA key.

```python
"ssh_priv", os.path.join(self.opts["pki_dir"], "ssh", "salt-ssh.rsa")
```
