Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Different modes for private/public keys with openssh_keypair #632

Open
lonix1 opened this issue Jun 26, 2023 · 11 comments
Open

Different modes for private/public keys with openssh_keypair #632

lonix1 opened this issue Jun 26, 2023 · 11 comments

Comments

@lonix1
Copy link

lonix1 commented Jun 26, 2023

SUMMARY

The openssh_keypair sets the same mode for both private and public keys.

So mode: '0600' will set that mode for both keys. Typically the private key has 600 and the public has 644 (if not, then ssh won't read it, so I need to add another task to fix the permissions).

ISSUE TYPE
  • Feature Idea
    Another attribute, e.g. mode_public, which sets the mode just for the public key.
COMPONENT NAME

openssh_keypair

ADDITIONAL INFORMATION

As above.

- community.crypto.openssh_keypair:
  type: ed25519
  path: /home/me/.ssh/id_ed25519_foo
  mode: '0600'
  mode_public: '0644'             # <------------------
@MarkusTeufelberger
Copy link
Contributor

Afair mode is inherited from the general set of parameters for file based modules. It might be better to remove mode completely and replace it with mode_private and mode_public (or similar) because only adding it for one of the two keys also seems not very intuitive especially if that one is left out.

@lonix1
Copy link
Author

lonix1 commented Jun 26, 2023

Agreed.

The breaking change may annoy some people though. Maybe a compromise:

  • mode: sets permissions for both keys
  • mode_private: sets permissions for just the private key
  • mode_public: sets permissions for just the public key

(And if you want, you could mark mode as deprecated, to be removed in a future version.)

@Ajpantuso
Copy link
Collaborator

It's not so simple to remove mode. You would end up affecting all the file parameters.

You can certainly keep mode and then override using mode_private and mode_public, but then again you could do the same thing by setting mode to the more restrictive of the two files and use a follow-up file task to update the public key mode.

I don't have a strong opinion about what the best interface for this is, but given this is cryptographic material we should be as safe as possible at the time of creation.

@MarkusTeufelberger
Copy link
Contributor

The follow-up task workaround would create idempotence issues. However, I'm not so sure about the initial statement here:

The openssh_keypair sets the same mode for both private and public keys.

By default, private keys are set to 600 and public keys to 644, so the mode attribute should not be necessary in the first place unless some other settings than those are intended. I would understand if you need different modes than 600 and 644, but the use case in the initial description would already work with:

- community.crypto.openssh_keypair:
    type: ed25519
    path: /home/me/.ssh/id_ed25519_foo

@Ajpantuso
Copy link
Collaborator

Ajpantuso commented Jun 26, 2023

Correct, using the follow-up task would trigger a change on every run.

And yes by default not setting mode will result in 0600 for the private key and 0644 for the public key.

I think the only case where you would want to set mode for this module is if you actually want the public key to be more restricted.

Setting the private key less restrictive historically would cause issues with ssh-keygen since OpenSSH requires that private keys be protected. So mode itself has always had limited functionality with this module.

@lonix1
Copy link
Author

lonix1 commented Jun 26, 2023

Sorry I'm not an insider, so some of this went over my head.

Are you saying that my problem is that I actually used mode in the first place? So if I want the 600/644 convention, I must not specify mode?

@lonix1
Copy link
Author

lonix1 commented Jun 26, 2023

Yes... just tested it. The trick is NOT to set mode to begin with. :-) Thanks.

It would probably help others if the the docs had a one liner on this.

@lonix1
Copy link
Author

lonix1 commented Jun 26, 2023

I tried to do a PR to add that to the docs, but for reasons I don't understand, mode doesn't appear in the source for that doc. (I just clicked the "edit" button, forked, and the file that I'm looking at doesn't have "mode".)

UPDATE: Aah, it's a template. Well I'm not a python dev, so can't really help here! 😄

@MarkusTeufelberger
Copy link
Contributor

MarkusTeufelberger commented Jun 26, 2023

This is already in there:

In the case a custom mode, group, owner, or other file attribute is provided it will be applied to both key files.

But yes, it might also help to document explicitly that by default 600/644 permissions will be applied. The documentation for mode and some other parameters comes from Ansible itself (https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/basic.py#L253-L261), I'd add the info down at "notes".

Edit: Here:

- In the case a custom O(mode), O(group), O(owner), or other file attribute is provided it will be applied to both key files.

@lonix1
Copy link
Author

lonix1 commented Jun 26, 2023

You are right! Sorry, missed that. I always look into the corresponding parameter row in the table.

@MarkusTeufelberger
Copy link
Contributor

Nah, it is kinda unintuitive sometimes. Thanks for helping out and working on a solution! :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants