deprecation/removal of ssh-rsa from PubKeyAcceptedTypes

[lsm5]

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

The podman team recently tried to build Fedora 33 Beta images for use in our CI and we noticed SSH refused to connect and the daemon logs complained about not finding ssh-rsa in PubKeyAcceptedTypes. And this went away after making the relevant change in /etc/crypto-policies/back-ends/opensshserver.config.

Looks like Fedora 33 has removed ssh-rsa by default, and it's quite likely that other distros will as well, if not already.

It would be nice to not depend on ssh-rsa going forward.

@cevich Please correct me if I got anything wrong ^ 😄

Potential References

containers/automation_images#26 (comment)

[cevich]

Suggestion: Add an ssh_keytype option to allow overriding the temporary key that packer generates. e.g. for the googlecompute builder or globally.

[SwampDragons]

Hi, thanks for reaching out! I agree that it's a good idea to add an option for telling Packer to generate a different key type.

We could probably do this now-ish for Packer with non-rsa type keys, for example ecdsa, and that may actually provide a workaround for users currently bitten by #8609 while we wait for the golang team find the time to look at golang/go#39885.

Meanwhile, I think you can work around this yourself by generating your own key and providing it to your builder using the ssh_private_key option

[cevich]

Great, thank for picking this up, and thanks for the suggested work-around. Unfortunately because of the way our specific setup works, it's more difficult to use a custom key. Allowing the less-secure ssh-rsa key was the simpler solution, and security is a relatively low-concern for our images. I doubt that's acceptable for other people though.

[azr]

Hello there, just to say we have binaries that handles this for GCP here.

You can now set the temporary_key_pair_type/temporary_key_pair_bits fields.

I'll leave this issue open until it's fixed for all builders.

[cevich]

Thanks!

[azr]

Hello there, I updated the binaries and the latest ones are here. Seems like to me we are going to keep these. 🙂

[cevich]

FWIW: I just encountered what appears to be the ssh-rsa problem on Ubuntu 20.10 (recently released).

We're not currently setup to install packer from other than the official site, and it seems circle-ci demands an oauth2 token to access the file. Any chance of having this change included in an official alpha/beta release I can point my scripts at?

[azr]

Hey @cevich, #10111 adds that feature for GCP, once it is merged you will be able to use the nightly build the day after it is merged, the PR looks like it's about to be merged so stay tuned ! 🙂

Also the upcoming release should be soon-ish.

[hswong3i]

The key is PubkeyAcceptedKeyTypes, see:

• https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1#49303b123e8d502a8711bccf3ba657fd55abe97c_5_3