hashicorp / packer-plugin-ansible

Packer plugin for Ansible Provisioner
https://www.packer.io/docs/provisioners/ansible
Mozilla Public License 2.0

adapter: use ECDSA keys for adapter instead of RSA #162

Closed lbajolet-hashicorp closed 1 year ago

lbajolet-hashicorp commented 1 year ago

When using RSA keys, for some obscure reason, the SSH connection only accepts rsa-sha1 as the signature algorithm for the key, which is now unsupported in modern OpenSSH versions.

This causes problems when using Ansible in conjunction with the proxy adapter (the default), as Ansible uses `ssh` to connect, and in turn rejects the connection unless users manually change their config to support this, or add extra options to Ansible in their templates to accept these insecure methods.

To fix this, we move to ECDSA keys for the Ansible adapter. We considered using ED25519, but these keys are only supported by SSH when using the native serialisation format, and not any of the PKCS variants, making it harder to serialise as we'd need to write our own serialisation method for this format, which is brittle at best.

Closes #69

lbajolet-hashicorp commented 1 year ago

Note: tested manually using a qemu builder; we can add acceptance tests later to make sure this works in various environments.

Template reference:

source "qemu" "test-ssh" {
  iso_url                  = "base_images/output-debian/packer-debian" # locally built image with a plain Debian
  iso_checksum             = "none"
  disk_image               = true
  ssh_username             = "debian"
  ssh_password             = "debian"
  cpu_model                = "host"
  output_directory         = "test_output"
  headless                 = true
  cpus                     = 4
  boot_wait                = "3s"
}

build {
  sources = ["qemu.test-ssh"]

  provisioner "ansible" {
    playbook_file = "playbook.yml"
  }
}

lbajolet-hashicorp commented 1 year ago

Update: added one more option for this, ssh_proxy_use_rsa. This lets users fall back to using RSA keys if for some reason the new default, ECDSA, is not supported by their local SSH version.

Tested on the same configuration as mentioned above, with ssh_proxy_use_rsa = true in the configs, and the following as local ssh config:

Host 127.0.0.1
      HostKeyAlgorithms +ssh-rsa
      PubkeyAcceptedKeyTypes +ssh-rsa

Without the ssh config setup, I do experience the ssh-rsa failure to authenticate, so I would think this does work as expected.
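An added example (not code from the plugin or its author) of the key policy the two comments above describe, with ssh_proxy_use_rsa as the fallback switch: the adapter key is generated, PEM-serialised with Go's standard library, and its authorized_keys line is built by hand in SSH wire format so that the algorithm name the proxy presents (ecdsa-sha2-nistp256 by default, ssh-rsa only on fallback) is visible. The function name and the PEM encodings (SEC1 for EC, PKCS#1 for RSA) are assumptions, not the plugin's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
)

// sshString encodes b as an SSH wire-format string: uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}

// NewAdapterKey follows the PR's policy: ECDSA P-256 by default, RSA 2048 only when useRSA
// (ssh_proxy_use_rsa) is set. It returns the SSH key type, the private key as PEM (SEC1 for
// EC, PKCS#1 for RSA: assumed here, not the plugin's own encoding) and an authorized_keys line.
func NewAdapterKey(useRSA bool) (keyType string, privPEM []byte, authorized string, err error) {
	var pemType string
	var der, pub []byte
	if useRSA {
		k, e := rsa.GenerateKey(rand.Reader, 2048)
		if e != nil {
			return "", nil, "", e
		}
		pemType, keyType, der = "RSA PRIVATE KEY", "ssh-rsa", x509.MarshalPKCS1PrivateKey(k)
		// ssh-rsa blob: mpint e, mpint n. Go always uses e=65537 (0x010001); a 2048-bit n has
		// its top bit set, so the mpint encoding needs a leading zero byte.
		pub = append(sshString([]byte{1, 0, 1}), sshString(append([]byte{0}, k.N.Bytes()...))...)
	} else {
		k, e := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if e != nil {
			return "", nil, "", e
		}
		pemType, keyType = "EC PRIVATE KEY", "ecdsa-sha2-nistp256"
		if der, e = x509.MarshalECPrivateKey(k); e != nil {
			return "", nil, "", e
		}
		// ecdsa-sha2-nistp256 blob: string curve name, string uncompressed point 0x04 || X || Y.
		point := elliptic.Marshal(elliptic.P256(), k.X, k.Y)
		pub = append(sshString([]byte("nistp256")), sshString(point)...)
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: der})
	blob := append(sshString([]byte(keyType)), pub...) // blob starts with the key type string
	return keyType, privPEM, keyType + " " + base64.StdEncoding.EncodeToString(blob), nil
}
```

The authorized line can be checked locally with `ssh-keygen -lf` on a file containing it; only the ssh-rsa variant needs the `PubkeyAcceptedKeyTypes +ssh-rsa` override shown above.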

LKHN commented 1 year ago

In AlmaLinux OS, we really appreciate this patch, since SHA1 is deprecated in AlmaLinux OS 9 and we had to enable SHA1 again as a workaround.

Thanks!