action #160739

open

Support ssh keys with special characters like `@` in the name in our infrastructure size:S

Added by nicksinger 6 months ago. Updated 6 months ago.

Status: Workable
Priority: Normal
Assignee: -
Category: Feature requests
Target version:
Start date: 2024-05-22
Due date:
% Done: 0%
Estimated time:
Tags:
Description

Observation

In https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/815 and with the following deployment job, we had to realize that currently we're affected by https://github.com/saltstack/salt/issues/61299 :

ada.qe.prg2.suse.org:
----------
          ID: ph03nix
    Function: ssh_auth.present
        Name: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDF+5kEasMGxX9q6WERpGPOeQGB0j681GMMkRRWo/fg2AAAABHNzaDo= phoenix@racetrack-7290-nitrokey
      Result: False
     Comment: Invalid public ssh key, most likely has spaces or invalid syntax
     Started: 14:36:03.312924
    Duration: 1.374 ms
     Changes:   
----------
          ID: ph03nix
    Function: ssh_auth.present
        Name: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDeAIjDQ36FJux7JK3vygkWJ5K5/FHUuvPDxRsOnmEC5AAAABHNzaDo= phoenix@racetrack-7290-yk5
      Result: False
     Comment: Invalid public ssh key, most likely has spaces or invalid syntax
     Started: 14:36:03.315261
    Duration: 1.349 ms
     Changes:   
Summary for ada.qe.prg2.suse.org
--------------
Succeeded: 257
Failed:      2
--------------
Total states run:     259
Total run time:    11.519 s
ada.qe.prg2.suse.org:
    Error: ssh_auth.present

We had to revert this for now: https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/816

Acceptance criteria

  • AC1: No more invalid key errors despite keys called like sk-ssh-ed25519@openssh.com

Suggestions

  • I think the best we can currently do is either provide an upstream fix or work around it in our states. For a workaround I would try to simply append each value of pub_ssh_key per user (similar to how we do it with other files).
    • Or provide the workaround and just propose an upstream fix - don't worry about packaging etc here
    • Tell the team what this is and why you might want it
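
An added example, not part of the ticket and not Salt's code: a pre-deployment check for pillar key lines that decodes the base64 blob and compares the algorithm name stored inside it with the declared key type, which shows that the rejected `sk-ssh-ed25519@openssh.com` key is well-formed. `NAIVE_TYPE` is a hypothetical over-strict pattern used only for contrast, and the check assumes lines of the form `<type> <base64> [comment]` without an options prefix.

```python
import base64
import binascii
import re
import struct

# Key line taken from the failed state run quoted in the ticket.
PAGE_KEY = (
    "sk-ssh-ed25519@openssh.com "
    "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDF+5kEasMGxX9q6WERpGPOeQGB0j681GMMkRRWo/fg2AAAABHNzaDo= "
    "phoenix@racetrack-7290-nitrokey"
)

# Hypothetical over-strict key-type pattern (an assumption for illustration,
# not Salt's actual code): word characters and '-' only, so '@' and '.' fail.
NAIVE_TYPE = re.compile(r"^[\w-]+$")


def embedded_type(blob_b64):
    """Return the algorithm name stored at the start of the key blob, or None."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    # SSH wire format: uint32 big-endian length, then that many name bytes.
    (length,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + length]
    if len(name) != length:
        return None  # blob is shorter than its own length field claims
    try:
        return name.decode("ascii")
    except UnicodeDecodeError:
        return None


def check_key_line(line):
    """Validate '<type> <base64> [comment]' against the type inside the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    actual = embedded_type(parts[1])
    if actual is None:
        return False, "key blob is not valid base64 SSH wire format"
    if actual != parts[0]:
        return False, f"declared type {parts[0]!r} != embedded type {actual!r}"
    return True, actual
```

Comparing the declared type with the embedded one accepts any algorithm name, including the `name@domain` form, while still catching truncated or mismatched keys before a deployment job runs.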
Actions #1

Updated by mkittler 6 months ago

  • Tags set to infra
  • Category set to Feature requests
  • Target version set to Ready
Actions #2

Updated by livdywan 6 months ago

  • Subject changed from Implement workaround for https://github.com/saltstack/salt/issues/61299 / Support for modern ssh keys in our infrastructure to Support ssh keys with special characters like `@` in the name in our infrastructure size:S
  • Description updated (diff)
  • Status changed from New to Workable
Actions #3

Updated by ybonatakis 6 months ago

  • Status changed from Workable to In Progress
  • Assignee set to ybonatakis
Actions #5

Updated by openqa_review 6 months ago

  • Due date set to 2024-06-11

Setting due date based on mean cycle time of SUSE QE Tools

Actions #6

Updated by ybonatakis 6 months ago

  • Due date deleted (2024-06-11)

I tried to reproduce the problem from https://github.com/saltstack/salt/issues/61299. I didn't encounter any problem. The branch shows salt version 3007.1+208.gaaad0d2ecf while OSD shows 3006.0 for all hosts.

Actions #7

Updated by ybonatakis 6 months ago

  • Status changed from In Progress to Feedback

There is https://build.opensuse.org/request/show/1177117, created 27/05, but it doesn't update to 3007.1 (latest upstream version) and doesn't look like it includes any fix for that particular problem. Maybe we could patch the package or update it once this update is released?!

Actions #8

Updated by nicksinger 6 months ago

  • Status changed from Feedback to Workable

My main point here was not to wait for upstream to fix it but rather do it ourselves. We have two options for this:

  1. Implement the fix upstream as the still-open ticket doesn't look like this ever got solved
  2. Implement a workaround (as described in the initial ticket)
Actions #9

Updated by ybonatakis 6 months ago

nicksinger wrote in #note-8:

My main point here was not to wait for upstream to fix it but rather do it ourselves. We have two options for this:

  1. Implement the fix upstream as the still-open ticket doesn't look like this ever got solved

The ticket is still open, but I couldn't reproduce the problem from their main branch. That's why I said a possibility could be to update the package to 3007.1.

  2. Implement a workaround (as described in the initial ticket)

This is something I am not sure how to do. I went through the documentation but I am still not sure where this should be applied and how everything (pillars, salt, etc.) comes together.
Actions #10

Updated by livdywan 6 months ago

Suggested plan of action:

  • Try and submit a new package to factory
  • Otherwise we can still implement the work-around
Actions #11

Updated by okurz 6 months ago

  • Assignee deleted (ybonatakis)
  • Target version changed from Ready to future

Suggested plan of action:

  • Try and submit a new package to factory

That's not so easy because there is no new package yet in the development project https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt and likely with 100+ patches updating to the new upstream 3007 is far from easy so outside the scope of this ticket.

  • Otherwise we can still implement the work-around

Yes, we can try to replace ssh_auth.present with line.managed or something if it's really not more than that. But I see too little RoI for now. Removing the ticket from the backlog.
