ssh: Use ed25519 algorithm instead ECDSA

praveenkumar · praveenkumar · commit 7bb32ee1e0a9 · 2024-08-20T04:48:08.000Z
Key generated using ecdsa algorithm is causing issue for podman remote connection on podman desktop side because the library they consume doesn't have support for this algorithm. This PR is switching the ecdsa to ed25519 with openssh type which is supported by the library consumed in podman desktop. [0] podman-desktop/podman-desktop#8351 [1] mscdex/ssh2#1375
diff --git a/pkg/crc/constants/constants.go b/pkg/crc/constants/constants.go
@@ -174,11 +174,11 @@ func EnsureBaseDirectoriesExist() error {
 }
 
 func GetPublicKeyPath() string {
-	return filepath.Join(MachineInstanceDir, DefaultName, "id_ecdsa.pub")
+	return filepath.Join(MachineInstanceDir, DefaultName, "id_ed25519.pub")
 }
 
 func GetPrivateKeyPath() string {
-	return filepath.Join(MachineInstanceDir, DefaultName, "id_ecdsa")
+	return filepath.Join(MachineInstanceDir, DefaultName, "id_ed25519")
 }
 
 func GetHostDockerSocketPath() string {
diff --git a/pkg/crc/ssh/client.go b/pkg/crc/ssh/client.go
@@ -50,6 +50,7 @@ func clientConfig(user string, keys []string) (*ssh.ClientConfig, error) {
 
 		privateKey, err := ssh.ParsePrivateKey(key)
 		if err != nil {
+			log.Debugf("Failed to parse private key: %v\n", err)
 			return nil, err
 		}
 
diff --git a/pkg/crc/ssh/keys.go b/pkg/crc/ssh/keys.go
@@ -3,10 +3,10 @@ package ssh
 import (
 	"bufio"
 	"bytes"
-	"crypto/ecdsa"
-	"crypto/elliptic"
+	"crypto"
+	"crypto/ed25519"
 	"crypto/rand"
-	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
@@ -33,23 +33,23 @@ type KeyPair struct {
 // This will return a private & public key encoded as DER.
 func NewKeyPair() (keyPair *KeyPair, err error) {
 
-	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
 		return nil, ErrKeyGeneration
 	}
 
-	privDer, err := x509.MarshalPKCS8PrivateKey(priv)
+	privMar, err := gossh.MarshalPrivateKey(crypto.PrivateKey(priv), "")
 	if err != nil {
 		return nil, ErrPrivateKey
 	}
 
-	pubSSH, err := gossh.NewPublicKey(&priv.PublicKey)
+	pubSSH, err := gossh.NewPublicKey(pub)
 	if err != nil {
 		return nil, ErrPublicKey
 	}
 
 	return &KeyPair{
-		PrivateKey: privDer,
+		PrivateKey: pem.EncodeToMemory(privMar),
 		PublicKey:  gossh.MarshalAuthorizedKey(pubSSH),
 	}, nil
 }
diff --git a/pkg/crc/ssh/keys_test.go b/pkg/crc/ssh/keys_test.go
@@ -11,7 +11,7 @@ func TestNewKeyPair(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: pair.PrivateKey}); len(privPem) == 0 {
+	if privPem := pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Headers: nil, Bytes: pair.PrivateKey}); len(privPem) == 0 {
 		t.Fatal("No PEM returned")
 	}
 }
diff --git a/pkg/crc/ssh/keys_unix.go b/pkg/crc/ssh/keys_unix.go
@@ -4,7 +4,6 @@
 package ssh
 
 import (
-	"encoding/pem"
 	"os"
 )
 
@@ -17,7 +16,7 @@ func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) erro
 	}{
 		{
 			File:  privateKeyPath,
-			Value: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),
+			Value: kp.PrivateKey,
 		},
 		{
 			File:  publicKeyPath,
diff --git a/pkg/crc/ssh/keys_windows.go b/pkg/crc/ssh/keys_windows.go
@@ -1,7 +1,6 @@
 package ssh
 
 import (
-	"encoding/pem"
 	"os"
 
 	"github.com/hectane/go-acl"
@@ -35,7 +34,7 @@ func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) erro
 	}{
 		{
 			File:  privateKeyPath,
-			Value: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),
+			Value: kp.PrivateKey,
 		},
 		{
 			File:  publicKeyPath,

Original file line number	Diff line number	Diff line change
`@@ -174,11 +174,11 @@ func EnsureBaseDirectoriesExist() error {`
`174`	`174`	`}`
`175`	`175`
`176`	`176`	`func GetPublicKeyPath() string {`
`177`		`- return filepath.Join(MachineInstanceDir, DefaultName, "id_ecdsa.pub")`
	`177`	`+ return filepath.Join(MachineInstanceDir, DefaultName, "id_ed25519.pub")`
`178`	`178`	`}`
`179`	`179`
`180`	`180`	`func GetPrivateKeyPath() string {`
`181`		`- return filepath.Join(MachineInstanceDir, DefaultName, "id_ecdsa")`
	`181`	`+ return filepath.Join(MachineInstanceDir, DefaultName, "id_ed25519")`
`182`	`182`	`}`
`183`	`183`
`184`	`184`	`func GetHostDockerSocketPath() string {`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ func clientConfig(user string, keys []string) (*ssh.ClientConfig, error) {`
`50`	`50`
`51`	`51`	`privateKey, err := ssh.ParsePrivateKey(key)`
`52`	`52`	`if err != nil {`
	`53`	`+ log.Debugf("Failed to parse private key: %v\n", err)`
`53`	`54`	`return nil, err`
`54`	`55`	`}`
`55`	`56`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ func TestNewKeyPair(t *testing.T) {`
`11`	`11`	`t.Fatal(err)`
`12`	`12`	`}`
`13`	`13`
`14`		`- if privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: pair.PrivateKey}); len(privPem) == 0 {`
	`14`	`+ if privPem := pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Headers: nil, Bytes: pair.PrivateKey}); len(privPem) == 0 {`
`15`	`15`	`t.Fatal("No PEM returned")`
`16`	`16`	`}`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@`
`4`	`4`	`package ssh`
`5`	`5`
`6`	`6`	`import (`
`7`		`- "encoding/pem"`
`8`	`7`	`"os"`
`9`	`8`	`)`
`10`	`9`
`@@ -17,7 +16,7 @@ func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) erro`
`17`	`16`	`}{`
`18`	`17`	`{`
`19`	`18`	`File: privateKeyPath,`
`20`		`- Value: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),`
	`19`	`+ Value: kp.PrivateKey,`
`21`	`20`	`},`
`22`	`21`	`{`
`23`	`22`	`File: publicKeyPath,`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package ssh`
`2`	`2`
`3`	`3`	`import (`
`4`		`- "encoding/pem"`
`5`	`4`	`"os"`
`6`	`5`
`7`	`6`	`"github.com/hectane/go-acl"`
`@@ -35,7 +34,7 @@ func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) erro`
`35`	`34`	`}{`
`36`	`35`	`{`
`37`	`36`	`File: privateKeyPath,`
`38`		`- Value: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),`
	`37`	`+ Value: kp.PrivateKey,`
`39`	`38`	`},`
`40`	`39`	`{`
`41`	`40`	`File: publicKeyPath,`