ovh / manager

OVHcloud Control Panel
https://ovh.github.io/manager/
BSD 3-Clause "New" or "Revised" License

Rescue boot, cannot register more than 1 public key #12402

Open 131 opened 1 month ago

131 commented 1 month ago

Have you already contacted our help centre?

Is there an existing issue for this?

Describe the bug

On the manager, when configuring the rescue boot ssh-key, only the first key is used (but the field is multi-line and is deceptive in this way). Using multiple keys allows me to register an OVH technician key in addition to my own.

Steps To Reproduce

In the manager / dedicated server / rescue boot / configure 2 SSH keys

Expected Behavior

The 2 public keys are present in /root/.ssh/authorized_keys, not only the 1st one.

What browsers are you using?

Firefox

Which devices are used?

Desktop

Additional information to add?

No response

JayBeeDe commented 1 month ago

@131 Why do you need multiple SSH keys when booting into rescue? Can you provide us with more context?

Joshua2504 commented 1 month ago

I'd like to see this too. Needed this recently.

JayBeeDe commented 1 month ago

I'm asking for more context because I don't really understand the use case where you would need multiple SSH keys for a rescue. Indeed, the rescue is designed to be a toolbox for troubleshooting purposes, not to be a live system. That's why we are not going to implement such a feature; the direction is to patch the regex to forbid this hack.
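
An added example, not part of the thread and not OVH's code: one way a form could detect that a multi-line rescue-key field holds more than one OpenSSH public key, instead of accepting the text and using only the first line. The function names and the sample keys are hypothetical and constructed, and each line is assumed to be a bare `type base64 comment` entry without authorized_keys options.

```javascript
// Build a syntactically valid ssh-ed25519 public key line from 32 filler bytes.
// Constructed sample data, not a real key.
function makeSampleKey(fill, comment) {
  const name = Buffer.from('ssh-ed25519');
  const blob = Buffer.alloc(4 + name.length + 4 + 32, fill);
  blob.writeUInt32BE(name.length, 0);
  name.copy(blob, 4);
  blob.writeUInt32BE(32, 4 + name.length);
  return `ssh-ed25519 ${blob.toString('base64')} ${comment}`;
}

// Parse one "type base64 [comment]" line; returns null if it is not a public key.
function parsePublicKeyLine(line) {
  const re = /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$/;
  const m = re.exec(line.trim());
  if (!m) return null;
  const blob = Buffer.from(m[2], 'base64');
  if (blob.length < 4) return null;
  const nameLen = blob.readUInt32BE(0);
  if (nameLen > blob.length - 4) return null;
  // The key blob starts with a length-prefixed algorithm name,
  // which must match the type declared in front of it.
  const embedded = blob.subarray(4, 4 + nameLen).toString('ascii');
  if (embedded !== m[1]) return null;
  return { type: m[1], comment: m[3] || '' };
}

// Check the whole field value: accept exactly one key, and say why otherwise.
function checkRescueKeyField(text) {
  const lines = text
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'));
  const keys = lines.map(parsePublicKeyLine);
  if (keys.length === 0) return { ok: false, reason: 'no key supplied' };
  if (keys.includes(null)) return { ok: false, reason: 'unparseable line' };
  if (keys.length > 1) {
    return { ok: false, reason: `${keys.length} keys supplied, one expected` };
  }
  return { ok: true, reason: 'single key', key: keys[0] };
}
```

Rejecting the input with a count in the message tells the user at submit time that the extra lines would not reach `/root/.ssh/authorized_keys`.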

Joshua2504 commented 1 month ago

It's just handy if you need to provide rescue access to more than 1 person/pubkey. But yes, to avoid confusion it's probably best to just remove the ability to provide more than one key.

131 commented 2 weeks ago

Using multiple keys allows me to register an OVH technician key in addition to my own. Or working on the rescue with a pair for auditing different parts/tests and working more efficiently.

This « 1 key » restriction will force users (myself) towards non-standard processes (e.g. generating temporary private keys and having to distribute them to collaborate on a rescue system).

Other than dedicated private keys, when working on systems, I consider « pools » of trusted keys (Layer 0 IT admins) with no distinctions between them rather than one specific « developer » key.

This is the first API I see that restricts me to using « only one key », and maybe, if it is not found anywhere else, it might be because this design never proved its worth.