From 0ed366820cf36ac0f1fe61fb333e57943c6039b0 Mon Sep 17 00:00:00 2001 From: Kurt H Maier Date: Fri, 25 Mar 2022 10:24:23 -0700 Subject: [PATCH 1/4] plugins/credentials.pm: add ed25519 host key support --- xCAT-server/lib/xcat/plugins/credentials.pm | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm index 1d266bf47..0e9a2b0e7 100644 --- a/xCAT-server/lib/xcat/plugins/credentials.pm +++ b/xCAT-server/lib/xcat/plugins/credentials.pm @@ -216,6 +216,17 @@ sub process_request xCAT::MsgUtils->trace(0, 'E', "credentials: Unable to read private ECDSA key"); next; } + } elsif ($parm =~ /ssh_ed25519_hostkey/) { + xCAT::MsgUtils->trace(0, 'I', "credentials: sending $parm to $client"); + if (-r "/etc/xcat/hostkeys/$client/ssh_host_ed25519_key") { + $tfilename = "/etc/xcat/hostkeys/$client/ssh_host_ed25519_key"; + } elsif (-r "/etc/xcat/hostkeys/ssh_host_ed25519_key") { + $tfilename = "/etc/xcat/hostkeys/ssh_host_ed25519_key"; + } else { + push @{ $rsp->{'error'} }, "Unable to read private ed25519 key from /etc/xcat/hostkeys"; + xCAT::MsgUtils->trace(0, 'E', "credentials: Unable to read private ed25519 key"); + next; + } } elsif ($parm =~ /xcat_cfgloc/) { xCAT::MsgUtils->trace(0, 'I', "credentials: sending $parm to $client"); unless (-r "/etc/xcat/cfgloc") { From 8256685f8692dc99e4cca8575b4da68cf80799a3 Mon Sep 17 00:00:00 2001 From: Kurt H Maier Date: Fri, 25 Mar 2022 10:24:44 -0700 Subject: [PATCH 2/4] xcatconfig: add ed25519 host key support --- xCAT-server/sbin/xcatconfig | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig index f1b1c2a71..1d0b5877b 100755 --- a/xCAT-server/sbin/xcatconfig +++ b/xCAT-server/sbin/xcatconfig @@ -1011,6 +1011,21 @@ sub genSSHNodeHostKey else{ push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_ecdsa_key"; } + + # see if this system supports the ed25519 + xCAT::Utils->runcmd('rm -rf /tmp/ed25519_key >/dev/null 2>&1 ; /usr/bin/ssh-keygen -t ed25519 -f /tmp/ed25519_key -P "" &>/dev/null', 0); + if ($::RUNCMD_RC == 0) { + xCAT::MsgUtils->message('I', "Generating SSH2 ed25519 Key..."); + $cmd = +"/usr/bin/ssh-keygen -t ed25519 -f /etc/xcat/hostkeys/ssh_host_ed25519_key -C '' -N ''"; + $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "Could not generate SSH2 ed25519 key."); + } + else{ + push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_ed25519_key"; + } } if(@sshkeylist){ From c2fdbd61b4cf4dc398cf499198d993b01e257b19 Mon Sep 17 00:00:00 2001 From: Kurt H Maier Date: Fri, 25 Mar 2022 10:39:29 -0700 Subject: [PATCH 3/4] postscripts/remoteshell: add support for ed25519 host keys --- xCAT/postscripts/remoteshell | 80 ++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/xCAT/postscripts/remoteshell b/xCAT/postscripts/remoteshell index 986c9344b..a5250d542 100755 --- a/xCAT/postscripts/remoteshell +++ b/xCAT/postscripts/remoteshell @@ -313,6 +313,86 @@ if ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null ; then rm /tmp/ssh_ecdsa_hostkey fi +# if node supports ed25519 host key then download the replacement from the MN/SN +# remove the /tmp/ed25519_key first, otherwise the "ssh-keygen" below might hang +# at waiting for user confirmation to overwritten the existing file +rm -rf /tmp/ed25519_key >/dev/null 2>&1 +if ssh-keygen -t ed25519 -f /tmp/ed25519_key -P "" &>/dev/null ; then + # download the host ed25519 key + if [ $useflowcontrol = "1" ]; then + #first contact daemon xcatflowrequest 3001 + logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001" + /$xcatpost/xcatflowrequest $master 3001 + rc=$? + logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc" + if [ $rc -ne 0 ]; then + logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control" + useflowcontrol=0 + fi + fi + + getcredentials.awk ssh_ed25519_hostkey | grep -E -v '|' | sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_ed25519_hostkey + + #check whether the message is an error or not + grep -E '' /tmp/ssh_ed25519_hostkey > /dev/null 2>&1 + if [ $? -ne 0 ]; then + #the message received is the data we request + cat /tmp/ssh_ed25519_hostkey | grep -E -v '|/{0,1}data>||' >/etc/ssh/ssh_host_ed25519_key + logger -t $log_label -p local4.info ssh_ed25519_hostkey + MYCONT=`cat /etc/ssh/ssh_host_ed25519_key` + MAX_RETRIES=10 + RETRY=0 + while [ -z "$MYCONT" ]; do + # not using flow control , need to sleep + if [ $useflowcontrol = "0" ]; then + let SLI=$RANDOM%10 + let SLI=SLI+10 + sleep $SLI + fi + RETRY=$(($RETRY+1)) + if [ $RETRY -eq $MAX_RETRIES ] + then + break + fi + if [ $useflowcontrol = "1" ]; then + #first contact daemon xcatflowrequest 3001 + logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001" + /$xcatpost/xcatflowrequest $master 3001 + rc=$? + logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc" + if [ $rc -ne 0 ]; then + logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control" + useflowcontrol=0 + fi + fi + + getcredentials.awk ssh_ed25519_hostkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /etc/ssh/ssh_host_ed25519_key + MYCONT=`cat /etc/ssh/ssh_host_ed25519_key` + done + egrep -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_ed25519_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_ed25519_key + if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ed25519_key > /dev/null 2>&1 ; then + rm /etc/ssh/ssh_host_ed25519_key + else + # Because of openssh version differs, provisioning errors may happen when MN support ed25519 while CN don't ed25519. + # Judge CN support ed25519 or not. "-t ed25519" indicate the key type, "-P "" " avoid hang-on and wait for input passphrase when CN don't support ed25519. + # If ture, means support ed25519, then generate corresponding key.pub. + # If false, remove ssh_host_ed25519_key useless file, to avoid future errors. + if ssh-keygen -t ed25519 -y -f /etc/ssh/ssh_host_ed25519_key -P "" &>/dev/null ; then + ssh-keygen -y -f /etc/ssh/ssh_host_ed25519_key -P "" > /etc/ssh/ssh_host_ed25519_key.pub + chmod 644 /etc/ssh/ssh_host_ed25519_key.pub + chown root /etc/ssh/ssh_host_ed25519_key.pub + else + rm -fr /etc/ssh/ssh_host_ed25519_key + fi + fi + else + #This is an error message + ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_ed25519_hostkey` + logger -s -t $log_label -p local4.err Error: $ERR_MSG + fi + rm /tmp/ssh_ed25519_hostkey +fi + if [[ $NTYPE = service ]]; then mkdir -p /etc/xcat/hostkeys cp /etc/ssh/ssh* /etc/xcat/hostkeys/. From d03ef5f1a9fe1f89ed5fb42b447388e69e941f0b Mon Sep 17 00:00:00 2001 From: Kurt H Maier Date: Fri, 25 Mar 2022 10:39:45 -0700 Subject: [PATCH 4/4] postscripts/aixremoteshell: add support for ed25519 host keys --- xCAT/postscripts/aixremoteshell | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/xCAT/postscripts/aixremoteshell b/xCAT/postscripts/aixremoteshell index 1ba88e18c..5823d40a0 100755 --- a/xCAT/postscripts/aixremoteshell +++ b/xCAT/postscripts/aixremoteshell @@ -226,6 +226,27 @@ sub setupSSH `logger -t xcat -p local4.err $msg`; } } + + # is there is a ed25519 host key on the node, then get the one from the MN/SN + my $filename = "/etc/ssh/ssh_host_ed25519_key"; + if (-e $filename) { + my $response = &getresponse("ssh_ed25519_hostkey"); + if (defined($response)) { + my $fd; + &runcmd("mkdir -p /etc/ssh"); + open($fd, '>', $filename); + print $fd $response; + close($fd); + + # set the permissions + my $cmd = "chmod 600 $filename > /dev/null 2>&1"; + &runcmd($cmd); + } + else { + $msg = "aixremoteshell: Could not get ssh_host_ed25519_key file.\n"; + `logger -t xcat -p local4.err $msg`; + } + } if ($nodetype eq "service") { &runcmd("mkdir -p /etc/xcat/hostkeys; cp /etc/ssh/ssh* /etc/xcat/hostkeys/. > /dev/null 2>&1"); }