Bug 1824306
| Summary: | The use of RSA Public key authentication method in ssh leads to Failed to fetch key: key was 385 bytes | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Jaroslav Henner <jhenner> |
| Component: | Appliance | Assignee: | Joe Vlcek <jvlcek> |
| Status: | CLOSED DEFERRED | QA Contact: | Jaroslav Henner <jhenner> |
| Severity: | low | Docs Contact: | Red Hat CloudForms Documentation <cloudforms-docs> |
| Priority: | unspecified | | |
| Version: | 5.11.2 | CC: | abellott, dmetzger, obarenbo |
| Target Milestone: | GA | Keywords: | Reopened |
| Target Release: | cfme-future | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-22 13:39:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | Bug |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | CFME Core | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jaroslav Henner
2020-04-15 19:09:55 UTC
*** This bug has been marked as a duplicate of bug 1815568 ***

From the BZ 815568:

I think we figured this out together with Joe. The problem is that some part of the encryption tools is not supporting RSA for the SSH Public key authentication.

Gems coming with cfme <= 5.11.4.2-1.el8cf.x86_64 seem to handle neither the RSA nor the ed25519:

# Before the fix:

## case when we have only the RSA-key:

```
/opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': OpenSSH keys only supported if ED25519 is available (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::LoadError : "rbnacl is not part of the bundle. Add it to your Gemfile."
```

## When ed25519 is available, there is a slight difference in what is said:

```
/opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': unsupported key type `ssh-ed25519' (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::LoadError : "rbnacl is not part of the bundle. Add it to your Gemfile."
```

# After the fix

Gems coming with cfme-5.11.5.1-1.el8cf.x86_64 seem to not handle the RSA, but are ok with the ed25519. In my verification, I didn't create the ed25519 key; the RSA was used and failed, thus I thought this wasn't fixed.

```
[root.Y ~]# appliance_console_cli --fetch-key X.X.X
fetch encryption key
Failed to fetch key: key was 385 bytes (Expected 32)
Could not create encryption key (v2_key)
```

In this case I would expect and appreciate an error message saying that the key is not of the type the tooling can handle (ed25519).

When both (ed25519 and RSA) or just ed25519 Private and Public keys are present, the ed25519 is used and all goes fine.

Note that it is a good idea NOT to use the `--sshpassword` param of the command `appliance_console_cli`, so as not to run into the wrong conclusion that the key has worked while only passphrase auth was used.
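The kind of key-type error message the report asks for could come from a check like the one below, which is an added example and not code from CloudForms, `appliance_console_cli` or net-ssh. It reads the algorithm name out of each OpenSSH public key blob and reports when no ed25519 key is present; the `preflight` helper, its messages and the sample keys (constructed, dummy key material) are assumptions.

```ruby
# Read one SSH wire-format string (uint32 big-endian length + bytes).
# Returns [field, rest], or nil when the blob is truncated.
def read_ssh_string(blob)
  return nil if blob.bytesize < 4
  len = blob.unpack1("N")
  return nil if blob.bytesize < 4 + len
  [blob.byteslice(4, len), blob.byteslice(4 + len, blob.bytesize)]
end

# Key algorithm of an OpenSSH public key line ("<type> <base64> [comment]").
# Returns nil when the line is malformed or the leading label disagrees with
# the algorithm name stored inside the blob.
def public_key_type(line)
  label, b64, _comment = line.strip.split(/\s+/, 3)
  return nil if label.nil? || b64.nil?
  name, _rest = read_ssh_string(b64.unpack1("m0")) # "m0" = strict base64
  name == label ? label : nil
rescue ArgumentError # raised on invalid base64
  nil
end

# Hypothetical preflight: given the lines of the identity .pub files, say
# whether key authentication can be expected to work where, as the report
# describes, only ed25519 keys are handled.
def preflight(pub_lines)
  types = pub_lines.map { |l| public_key_type(l) }.compact.uniq.sort
  return [:ok, "ssh-ed25519 key present"] if types.include?("ssh-ed25519")
  return [:error, "no usable public key found"] if types.empty?
  [:error, "only #{types.join(', ')} found; an ssh-ed25519 key is required"]
end

# --- Constructed sample input (dummy bytes, not real keys) ---
def ssh_string(s)
  [s.bytesize].pack("N") + s.b
end

def pub_line(type, *fields)
  blob = ([type] + fields).map { |f| ssh_string(f) }.join
  "#{type} #{[blob].pack('m0')} root@appliance.example"
end

ED_PUB  = pub_line("ssh-ed25519", "\x01" * 32)
RSA_PUB = pub_line("ssh-rsa", "\x01\x00\x01", "\x01" * 256)

if __FILE__ == $PROGRAM_NAME
  p preflight([RSA_PUB])         # RSA only: named error, not a byte count
  p preflight([RSA_PUB, ED_PUB]) # ed25519 present: ok
end
```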