cloudbase / cloudbase-init

Cross-platform instance initialization
http://openstack.org
Apache License 2.0

Support encrypting user password with ed25519 SSH keys #131

Open kallioli opened 7 months ago

kallioli commented 7 months ago

Hello,

When attempting to encrypt a user password with an Ed25519 SSH public key, we encountered the following error in the startup log:

2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init [-] plugin 'SetUserPasswordPlugin' failed with error 'Invalid SSH key': cloudbaseinit.utils.crypt.CryptException: Invalid SSH key
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init [-] Invalid SSH key: cloudbaseinit.utils.crypt.CryptException: Invalid SSH key
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init Traceback (most recent call last):
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init   File "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\lib\site-packages\cloudbaseinit\init.py", line 67, in _exec_plugin
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init     shared_data)
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init   File "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 131, in execute
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init     self._set_metadata_password(password, service)
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init   File "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 64, in _set_metadata_password
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init     user_pwd_encryption_key, password)
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init   File "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 35, in _encrypt_password
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init     with cm.load_ssh_rsa_public_key(ssh_pub_key) as rsa:
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init   File "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\lib\site-packages\cloudbaseinit\utils\crypt.py", line 173, in load_ssh_rsa_public_key
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init     raise CryptException('Invalid SSH key')
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init cloudbaseinit.utils.crypt.CryptException: Invalid SSH key
2024-02-14 13:50:30.467 5192 ERROR cloudbaseinit.init

I believe the problem stems from the cryptography library used to encrypt passwords (in cloudbaseinit/utils/crypt.py), which does not support encryption methods for elliptic key formats (like Ed25519).

Are there any plans to add support for these formats in the future?

Thank you.

Do you plan on adding support for these formats in the future?

ader1990 commented 6 months ago

Hello, the RSA backend implementation has the encrypt function in python cryptography https://github.com/pyca/cryptography/blob/main/src/rust/src/backend/rsa.rs#L446, whereas the Ed25519 does not https://github.com/pyca/cryptography/blob/main/src/rust/src/backend/ed25519.rs#L120.

More investigation is required to see how to implement this in a safe way. From the literature, the Ed25519 keys are used primarily for signing, not for encryption/decryption.

One way would be similar to this https://stackoverflow.com/questions/65684414/how-to-use-ssh-keygen-ed25519-keys-for-encryption-in-python.

@kallioli can you please provide the broader context for the feature and a decryption workflow that you are already using to make sure the Python implementation is compatible for encryption?

Thank you, Adrian Vladu
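As an added illustration of the approach the Stack Overflow link above describes (this is example code, not cloudbase-init's own implementation and not part of pyca/cryptography), the script below converts an Ed25519 SSH public key to its X25519 equivalent and encrypts a password with an ephemeral ECDH + HKDF + AES-256-GCM construction, then decrypts it with the X25519 scalar derived from the Ed25519 seed. The Ed25519-to-X25519 formulas are the standard ones (u = (1 + y)/(1 - y) for the public point, SHA-512(seed)[:32] clamped for the scalar); the container layout, the `INFO` label and all function names are assumptions made for this example. It requires the pyca/cryptography package.

```python
import base64
import hashlib
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat)

P = 2**255 - 19  # field prime shared by the Ed25519 and Curve25519 curves
INFO = b"ed25519-password-box-v1"  # constructed domain-separation label (assumption)


def _raw(pub) -> bytes:
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


def parse_openssh_ed25519(line: str) -> bytes:
    """Return the raw 32-byte key from an 'ssh-ed25519 AAAA...' authorized_keys line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob, items = base64.b64decode(fields[1]), []
    while blob:  # SSH wire format: sequence of big-endian length-prefixed strings
        if len(blob) < 4:
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[:4])
        items.append(blob[4:4 + n])
        blob = blob[4 + n:]
    if len(items) != 2 or items[0] != b"ssh-ed25519" or len(items[1]) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return items[1]


def ed25519_pub_to_x25519(ed_pub: bytes) -> X25519PublicKey:
    """Map an Ed25519 point to its Montgomery u-coordinate: u = (1 + y) / (1 - y) mod p."""
    if len(ed_pub) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    y = int.from_bytes(ed_pub, "little") & ((1 << 255) - 1)  # clear the x-sign bit
    if y >= P or y == 1:  # non-canonical encoding, or the identity point
        raise ValueError("invalid Ed25519 public key encoding")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return X25519PublicKey.from_public_bytes(u.to_bytes(32, "little"))


def ed25519_seed_to_x25519(seed: bytes) -> X25519PrivateKey:
    """Derive the X25519 scalar the way Ed25519 derives its signing scalar:
    SHA-512(seed)[:32], clamped as in RFC 8032 section 5.1.5."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    a = bytearray(hashlib.sha512(seed).digest()[:32])
    a[0] &= 248
    a[31] = (a[31] & 127) | 64
    return X25519PrivateKey.from_private_bytes(bytes(a))


def _derive_key(shared: bytes, eph_pub: bytes, recipient_pub: bytes) -> bytes:
    # Bind the AES key to both public values so the secret cannot be replayed
    # against a different recipient or ephemeral key.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=INFO + eph_pub + recipient_pub).derive(shared)


def encrypt_password(ssh_line: str, password: str) -> bytes:
    """Hybrid encryption: ephemeral X25519 ECDH + HKDF-SHA256 + AES-256-GCM.
    Output layout (assumption): ephemeral pub (32) || nonce (12) || ciphertext+tag."""
    recipient = ed25519_pub_to_x25519(parse_openssh_ed25519(ssh_line))
    eph_priv = X25519PrivateKey.generate()
    eph_pub = _raw(eph_priv.public_key())
    shared = eph_priv.exchange(recipient)  # raises ValueError on an all-zero result
    key = _derive_key(shared, eph_pub, _raw(recipient))
    nonce = os.urandom(12)
    return eph_pub + nonce + AESGCM(key).encrypt(nonce, password.encode("utf-8"), eph_pub)


def decrypt_password(seed: bytes, blob: bytes) -> str:
    """Inverse of encrypt_password, given the 32-byte Ed25519 private seed."""
    if len(blob) < 32 + 12 + 16:
        raise ValueError("ciphertext too short")
    eph_pub, nonce, ct = blob[:32], blob[32:44], blob[44:]
    priv = ed25519_seed_to_x25519(seed)
    shared = priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = _derive_key(shared, eph_pub, _raw(priv.public_key()))
    return AESGCM(key).decrypt(nonce, ct, eph_pub).decode("utf-8")


def round_trip(password: str = "Pa55w0rd!") -> bool:
    """Self-check on a fresh key: both conversions yield the same X25519 public key,
    encrypt/decrypt recovers the password, and a flipped ciphertext byte is rejected."""
    sk = Ed25519PrivateKey.generate()
    seed = sk.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())
    line = sk.public_key().public_bytes(Encoding.OpenSSH, PublicFormat.OpenSSH).decode()
    pub_from_seed = _raw(ed25519_seed_to_x25519(seed).public_key())
    pub_from_line = _raw(ed25519_pub_to_x25519(parse_openssh_ed25519(line)))
    blob = encrypt_password(line, password)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        decrypt_password(seed, tampered)
        return False  # a modified tag must never decrypt
    except InvalidTag:
        pass
    return pub_from_seed == pub_from_line and decrypt_password(seed, blob) == password


if __name__ == "__main__":
    print("round trip ok:", round_trip())
```

Two points matter for the compatibility question raised above. First, there is no standard container for "Ed25519-encrypted" data, so the decrypting side (the user's workflow) must implement exactly the same conversion, KDF inputs and layout; libsodium sealed boxes, for instance, use a different key derivation than the HKDF call here. Second, the ECDSA P-384 case mentioned later in this thread needs no curve conversion at all, since pyca/cryptography supports ECDH on the NIST curves directly, so the same hybrid layout applies with `ec.ECDH()` in place of the X25519 exchange.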

ale9412 commented 2 months ago

I am having the same issue using ECDSA with a P384 curve.