argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Argo CD doesn't support a private key with passphrase #1894

Open takuan-osho opened 5 years ago

takuan-osho commented 5 years ago

Describe the bug

I tried to add my private git repository to Argo CD with SSH private key credential.

However, Argo CD CLI invoked some error like this.

$ argocd repo add git@github.com:<my private repository> --ssh-private-key-path ~/.ssh/id_rsa
FATA[0000] ssh: cannot decode encrypted private keys

It seems that this ssh: cannot decode encrypted private keys came from golang.org/x/crypto/ssh package.

golang/x/crypto/ssh package has a function for dealing with a private key with passphrase like this, but it seems that Argo CD codes don't use it.

To Reproduce

  1. Prepare an SSH private key with a passphrase
  2. Try to add git repository with the private key like this.
     argocd repo add git@github.com:<my private repository> --ssh-private-key-path <path/to/the private key>
  3. Then you will see some errors like this.
     FATA[0000] ssh: cannot decode encrypted private keys

Expected behavior

Argo CD CLI adds the git repository with no errors.

Version

argocd: v1.0.2+e0bd546.dirty
  BuildDate: 2019-06-14T17:15:36Z
  GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.0.2+e0bd546.dirty
  BuildDate: 2019-06-14T17:15:03Z
  GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: 0.13.1

Have you thought about contributing a fix yourself?

I tried to fix this issue, but code base of Argo CD is complicated for me.

alexmt commented 5 years ago

Working on it

takuan-osho commented 5 years ago

@alexmt FYI: According to https://github.com/golang/go/issues/18692, golang/x/crypto/ssh itself doesn't support encrypted private key with passphrase.

It seems difficult to fix this issue with only using golang/x/crypto/ssh package.

As a workaround, some person suggested a 3rd party package for supporting openssh-key-v1 format key.

takuan-osho commented 5 years ago

As far as I investigated, an SSH private key generated by newer OpenSSH without the -m pem option has a newer format which is not supported by golang/x/crypto/ssh.

$ ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3

$ ssh-keygen -t rsa -b 4096 -C "shimizu.taku@gmail.com" -f keytest.pem -m pem
# This keytest.pem with passphrase can be parsed by ssh.ParsePrivateKeyWithPassphrase function

$ ssh-keygen -t rsa -b 4096 -C "shimizu.taku@gmail.com" -f keytest2.pem
# This keytest2.pem with passphrase cannot be parsed by ssh.ParsePrivateKeyWithPassphrase function
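
A preflight check for the two key formats compared in the comment above, as an added example that is not part of the original thread or of Argo CD's code: using only the Go standard library, it reports whether a key file is legacy PEM or openssh-key-v1 and whether it is encrypted, so a tool can ask for a passphrase or fail with a clear message before parsing. The function names and the header-only sample inputs are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"strings"
)

const magic = "openssh-key-v1\x00" // start of the newer OpenSSH container

// keyInfo reports a key's container format and whether a passphrase is required.
func keyInfo(data []byte) (format string, encrypted bool, err error) {
	blk, _ := pem.Decode(data)
	if blk == nil || !strings.HasSuffix(blk.Type, "PRIVATE KEY") {
		return "", false, fmt.Errorf("no PEM private key block found")
	}
	switch blk.Type {
	case "OPENSSH PRIVATE KEY": // ssh-keygen without -m pem
		rest := bytes.TrimPrefix(blk.Bytes, []byte(magic))
		if len(rest) == len(blk.Bytes) || len(rest) < 4 {
			return "", false, fmt.Errorf("malformed openssh-key-v1 header")
		}
		n := binary.BigEndian.Uint32(rest) // length of the ciphername field
		if uint64(n) > uint64(len(rest)-4) {
			return "", false, fmt.Errorf("truncated ciphername")
		}
		return "openssh-key-v1", string(rest[4:4+n]) != "none", nil
	case "ENCRYPTED PRIVATE KEY": // PKCS#8, encrypted by definition
		return "pkcs8", true, nil
	default: // legacy PEM (ssh-keygen -m pem) marks encryption in its headers
		return "pem", strings.Contains(blk.Headers["Proc-Type"], "ENCRYPTED"), nil
	}
}

// sample and opensshBody build constructed, header-only inputs (not usable keys).
func sample(typ string, hdr map[string]string, body string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Headers: hdr, Bytes: []byte(body)})
}
func opensshBody(cipher string) string {
	return magic + string([]byte{0, 0, 0, byte(len(cipher))}) + cipher
}

func main() {
	enc := map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00"}
	fmt.Println(keyInfo(sample("OPENSSH PRIVATE KEY", nil, opensshBody("aes256-ctr"))))
	fmt.Println(keyInfo(sample("RSA PRIVATE KEY", enc, "constructed")))
}
```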

alexmt commented 5 years ago

Thank you for the information, @takuan-osho! I was waiting for PR1807 to get merged before starting work on this ticket. Will try to use your advice tomorrow and will update the ticket with my findings.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

FredM commented 4 years ago

I stumbled on that issue today. Any news on it?

po3rin commented 4 years ago

@FredM

This problem depends on the x/crypto/ssh package. The latest x/crypto/ssh already supports private keys with a passphrase in OpenSSH format.

Master branch has already depended on corrected x/crypto/ssh version, so it should work correctly in master.

// go.mod in master branch

// ...
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
// ...

But, latest version ArgoCD v1.6.1 does not follow fixed version.

// go.mod in release 1.6.1

// ...
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
// ...

Maybe it will work correctly in the next release.

SayakMukhopadhyay commented 4 years ago

The argocd codebase still uses the ParsePrivateKey method (https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L193) so I believe this feature won't work yet. It needs to use the ParsePrivateKeyWithPassphrase method of the crypto library.

shambhand commented 3 years ago

I also stumbled on this issue today. Any news on it?

kerthcet commented 3 years ago

any solution? ping the issue.

chetniks commented 2 years ago

I am still having this issue. Any news ?

camba1 commented 2 years ago

Any news on this front? Thanks!

kerthcet commented 2 years ago

The argocd codebase still uses the ParsePrivateKey method (https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L193) so I believe this feature won't work yet. It needs to use the ParsePrivateKeyWithPassphrase method of the crypto library.

refer to the solution this week if I have time.

hilmialf commented 2 years ago

I am wondering if there is any update on this?

shurkanTwo commented 2 years ago

I would also like to know if there has been any progress?

Talador12 commented 2 years ago

This is still a good addition that should be made to ArgoCD

andrii-korotkov-verkada commented 2 weeks ago

According to https://github.com/golang/go/issues/18692, there might have been some progress in adding the support. We might want to revisit this.

andrii-korotkov-verkada commented 1 week ago

I still see ParsePrivateKey being used https://github.com/argoproj/argo-cd/blob/e8d52650b1599e22feadfdf093c20e846a9b2e5b/util/git/client.go#L267.

I can try to fix this, but ParsePrivateKeyWithPassphrase requires an additional parameter passphrase. Where can I get a proper value?