No support for ed25519 keys in ssh_authorized_key resource type

Bug #1458084 reported by Hadmut Danisch
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
puppet (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Won't Fix | Medium | Unassigned |

Bug Description

Hi,

when using a ssh_authorized_key resource to install public keys in the authorized_keys files, it works with rsa, but not with ed25519 keys:

Error: Failed to apply catalog: Parameter type failed on Ssh_authorized_key[root-hadmut-ed25519@home]: Invalid value "ssh-ed25519". Valid values are ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. at /etc/puppet/modules/hadmut/manifests/server/netzdienste/sshd.pp:141
Wrapped exception:
Invalid value "ssh-ed25519". Valid values are ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521.

The nist curves are considered insecure. Puppet should be able to install keys that are still seen as secure.

regards

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: puppet (not installed)
ProcVersionSignature: Ubuntu 3.13.0-53.88-generic 3.13.11-ckt19
Uname: Linux 3.13.0-53-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.10
Architecture: amd64
CurrentDesktop: XFCE
Date: Sat May 23 01:23:28 2015
InstallationDate: Installed on 2014-08-06 (289 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
SourcePackage: puppet
UpgradeStatus: No upgrade log present (probably fresh install)
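
An added example, not part of the original report or of Puppet's code: a Python pre-flight check that reads authorized_keys-style lines and reports which key types fall outside the valid values listed in the error message above. The function names and sample lines are constructed for illustration; the placeholder blobs carry a correct type header but no real key material.

```python
import base64
import re
import struct

# Valid values copied from the Puppet error message quoted in the bug description.
ACCEPTED_TYPES = {"ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# One field = a run of non-space characters and double-quoted strings, so an
# options field such as command="echo hi",no-pty stays in one piece.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')

def blob_type(b64):
    """Return the algorithm name embedded in a key blob, or None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])  # blob starts with a length-prefixed name
        return raw[4:4 + n].decode("ascii") if 0 < n <= len(raw) - 4 else None
    except (ValueError, struct.error):
        return None

def audit(lines):
    """Return (comment, key_type, accepted) for each key line."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = FIELD.findall(line)
        # The key type is the field whose following blob names the same type;
        # anything before it is the options field.
        for i in range(len(f) - 1):
            if blob_type(f[i + 1]) == f[i]:
                out.append((" ".join(f[i + 2:]), f[i], f[i] in ACCEPTED_TYPES))
                break
        else:
            out.append((line.strip()[:30], None, False))  # unparsable line
    return out

def fake_key(key_type):
    """Constructed placeholder blob: correct type header, zero bytes as key material."""
    t = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + bytes(32)).decode()

SAMPLE = [  # constructed sample lines, not real keys
    f"ssh-rsa {fake_key('ssh-rsa')} alice@example",
    f'command="echo hi",no-pty ssh-ed25519 {fake_key("ssh-ed25519")} backup job',
    f"ssh-ed25519 {fake_key('ssh-rsa')} mismatched@example",
]
```

Entries returned with `accepted` set to False and a key type present are the ones this resource type would reject; a key type of None means the declared type and the blob header disagree or the line could not be parsed.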

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Looks like support for ed25519 was added upstream in puppet 3.5.0. Ubuntu 14.04 shipped with 3.4.3, so does not currently have this support. Ubuntu 14.10 shipped with 3.6.1 and looking at the source it looks like support for ed25519 is present.

I'm marking this bug as Fix Released as it was fixed in Ubuntu 14.10. I'll ask the security team whether an update to Ubuntu 14.04 is appropriate.

Changed in puppet (Ubuntu):
status: New → Fix Released
summary: - puppet outdated: can't install ed25519 ssh-key
+ No support for ed25519 keys in ssh_authorized_key resource type
Robie Basak (racb) wrote :

https://github.com/puppetlabs/puppet/commit/b69a3e2f42bd2c201ee4722f8f2d9c7da1d0f05b looks like a relevant upstream commit, although the review comments there suggest to me that it might not be the only commit required. Needs further investigation.

Robie Basak (racb) wrote :

12:55 <rbasak> Is bug 1458084 appropriate for a security update or (presumably more appropriate) an SRU on security grounds?
13:20 <mdeslaur> I think it's SRU worthy

Changed in puppet (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Joshua Powers (powersj)
Changed in puppet (Ubuntu Trusty):
assignee: nobody → Joshua Powers (powersj)
status: Triaged → In Progress
Joshua Powers (powersj)
Changed in puppet (Ubuntu Trusty):
assignee: Joshua Powers (powersj) → nobody
Bryce Harrington (bryce) wrote :

[Standard support has ended for Trusty]

Changed in puppet (Ubuntu Trusty):
status: In Progress → Won't Fix