temporary_key_pair_type is ignored, RSA is always used #54
Description
Overview of the Issue
Hi,
I noticed that building an image with OpenStack and a non-default (i.e. non-RSA) temporary SSH key type is not possible.
Reproduction Steps
To reproduce, one can simply attempt to build an image with a buildfile containing "temporary_key_pair_type": "ed25519" (the value seems to be entirely ignored, it could be "ecdsa" or even "foobar").
Plugin and Packer version
Packer v1.7.8 (installed via apt from the official repo).
Simplified Packer Buildfile
{
  "builders": [
    {
      "flavor": "xx",
      "image_name": "fedora35_test",
      "name": "builder",
      "networks": "xxx-xxx",
      "source_image_name": "Fedora 35",
      "ssh_clear_authorized_keys": "true",
      "ssh_ip_version": "4",
      "ssh_username": "fedora",
      "temporary_key_pair_type": "ed25519",
      "type": "openstack"
    }
  ]
}
Operating system and Environment details
Debian 11.
Log Fragments and crash.log files
From the Packer log:
==> builder: Created temporary keypair: packer_61c5efec-a241-87f9-0f96-ae9c43f3e468
builder: Saving key for debug purposes: os_builder.pem
If I dump the key, it clearly is an RSA key:
$ head -n1 os_builder.pem
-----BEGIN RSA PRIVATE KEY-----
More logs from Packer:
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] Detected address: w.x.y.z
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] Using IP address w.x.y.z to connect
2021/12/24 16:09:09 packer-builder-openstack plugin: [INFO] Attempting SSH connection to w.x.y.z:22...
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] reconnecting to TCP connection for SSH
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] handshaking with SSH
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2021/12/24 16:09:09 packer-builder-openstack plugin: [DEBUG] Detected authentication error. Increasing handshake attempts.
Because OpenSSH can use the right key exchange algorithm, I'm able to SSH onto the server and check its logs with ssh -l fedora -i os_builder.pem w.x.y.z journalctl -u sshd.
This shows Dec 24 16:09:23 fedora35-test sshd[897]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth].
I have noticed a similar issue for the Amazon builder: hashicorp/packer-plugin-amazon#144
It would be great to see this fixed because it is really problematic when dealing with modern images such as Fedora 35.
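As an added example, not code from packer-plugin-openstack or from the reporter, this is how a builder could honour temporary_key_pair_type for the two key types that appear in this issue (rsa and ed25519) and reject anything else such as "foobar", together with a check that inspects a saved .pem the way the reporter did with head -n1. GenerateTemporaryKey and PEMKeyType are hypothetical names; Go is used because it is the plugin's language, and only the standard library is needed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// GenerateTemporaryKey encodes a fresh key of the requested type as PEM and
// rejects unknown values instead of silently falling back to RSA (hypothetical helper).
func GenerateTemporaryKey(keyType string) ([]byte, error) {
	var priv any
	err := fmt.Errorf("unsupported temporary_key_pair_type %q", keyType) // cleared below on a match
	switch keyType {
	case "ed25519":
		_, priv, err = ed25519.GenerateKey(rand.Reader)
	case "rsa":
		priv, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv) // PKCS#8 records the algorithm itself
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// PEMKeyType is the reporter's "head -n1 os_builder.pem" check, extended to PKCS#8 files whose header does not name the algorithm.
func PEMKeyType(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" { // PKCS#1, the header shown in the issue
		return "rsa", nil
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	switch key.(type) {
	case *rsa.PrivateKey:
		return "rsa", nil
	case ed25519.PrivateKey:
		return "ed25519", nil
	}
	return "", fmt.Errorf("unrecognised key %T: %v", key, err)
}
```

Running PEMKeyType over the os_builder.pem that Packer saves is a quick way to confirm, before any SSH attempt, whether the configured key type was actually used.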