
CentOS 6: check_cmd broken/unsupported key type ed25519 #98

Closed
0xf10e opened this issue Jun 21, 2017 · 10 comments · Fixed by #151

0xf10e commented Jun 21, 2017

While testing #97 I've noticed the check_cmd fails on CentOS 6:

[root@centos6minion ~]# tail -n 5 /var/log/salt/minion
2017-06-22 02:30:33,752 [salt.state       ][INFO    ][4647] File /etc/ssh/ssh_config is in the correct state
2017-06-22 02:30:33,753 [salt.state       ][INFO    ][4647] Completed state [/etc/ssh/ssh_config] at time 02:30:33.752483
2017-06-22 02:40:47,330 [salt.loaded.int.module.cmdmod              ][ERROR   ][5092] Command '/usr/sbin/sshd -t -f /tmp/tmptj9aZz' failed with return code: 1
2017-06-22 02:40:47,331 [salt.loaded.int.module.cmdmod              ][ERROR   ][5092] output: /tmp/tmptj9aZz: Permission denied
2017-06-22 02:40:47,332 [salt.state                                 ][ERROR   ][5092] check_cmd execution failed
[root@centos6minion ~]# ls -l /tmp/tmpP4oYT8
-rw-r--r--. 1 root root 4479 Jun 22 02:49 /tmp/tmpP4oYT8

The "Permission denied" error is pretty strange, could even be a bug in CentOS 6's python (see versions-report below). But I have another concern: When I run the check manually there's the problem with missing hostkeys

[root@centos6minion ~]# sshd -t -f /tmp/tmpP4oYT8
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key

While one can manually generate an ECDSA hostkey, ED25519 keys are not supported on CentOS 6:

[root@centos6minion ~]# ssh-keygen -t ed25519
unknown key type ed25519

Removing 'ed25519' from openssh/config.sls doesn't help as the check_cmd still fails with this "Permission denied" error. Though the SSH-server actually starts when a host key listed in its config is missing (tested by removing the check_cmd line from openssh/config.sls).

PS: Versions-report and pillar data:

[root@centos6minion ~]# salt-call --versions-report
           Salt: 2015.5.10
         Python: 2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
         Jinja2: 2.2.1
       M2Crypto: 0.20.2
 msgpack-python: 0.4.6
   msgpack-pure: Not Installed
       pycrypto: 2.0.1
        libnacl: Not Installed
         PyYAML: 3.10
          ioflo: Not Installed
          PyZMQ: 14.3.1
           RAET: Not Installed
            ZMQ: 3.2.5
           Mako: Not Installed
        Tornado: Not Installed
        timelib: Not Installed
       dateutil: Not Installed
[root@centos6minion ~]# salt-call pillar.items
local:
    ----------
    __formulas:
        ----------
        print_template_url:
            True
    openssh-formula:
        ----------
        print_template_url:
            None
    salt:
        ----------
        minion:
            ----------
            master:
                192.168.178.64
    ssh_config:
        ----------
        SendEnv:
            LANG LC_* EDITOR EMAIL GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME VISUAL
    sshd_config:
        ----------
        AcceptEnv:
            LANG LC_* EDITOR EMAIL GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME VISUAL
        PrintMotd:
            yes
@javierbertoli (Member)

I think the issue is probably in this line which sets the default keys to generate if no keys are specified and you're right, Centos6 does not support ED25519.

Perhaps a better approach would be to set these defaults in an osfingermap.yaml file (like here) instead of forcing these defaults in the template itself.

As a temporary fix, you can set the parameter HostKey in your pillar.

aboe76 commented Jul 31, 2017

@javierbertoli I think you are right about the osfingermap.yaml, but it should be extended
not only to the 'KeyType' in the config.sls but also the 'HostKey' in the sshd_config jinja template.
Preferably they should be linked, so if you update the KeyType to include an ed25519 key it should also update the sshd_config file to include it.

hudecof commented Oct 11, 2018

Does anybody have a fix for this?

kadogo commented Dec 3, 2018

Same issue with Debian Jessie.

I need to add the older HostKeys to make ssh work again:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
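
A pre-flight check in the spirit of this thread, as an added example that is not part of openssh-formula: it probes which host-key types the local ssh-keygen accepts (CentOS 6 answers "unknown key type ed25519") and strips unsupported HostKey lines from a rendered sshd_config before `sshd -t` ever sees it, reporting key files that are absent. SAMPLE_CONFIG is a constructed input; the `ssh_host_<type>_key` naming assumption and all function names are mine.

```python
"""Pre-flight check for a rendered sshd_config before `sshd -t`: drop HostKey
lines whose key type the local ssh-keygen rejects (ed25519 on CentOS 6) and
report absent key files. Added example, not part of openssh-formula."""
import os, re, subprocess, tempfile

HOSTKEY_RE = re.compile(r"^\s*HostKey\s+(\S+)", re.IGNORECASE)
KEY_TYPE_RE = re.compile(r"ssh_host_([a-z0-9]+)_key$")  # assumes ssh_host_<type>_key
# Constructed sample: what the formula rendered on the CentOS 6 minion.
SAMPLE_CONFIG = """Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""

def key_type_of(path):
    """Return the key type encoded in a host-key file name, or None."""
    m = KEY_TYPE_RE.search(path)
    return m.group(1) if m else None

def _run_keygen(argv):  # returns (returncode, stderr); injectable for tests
    res = subprocess.run(argv, capture_output=True, text=True)
    return res.returncode, res.stderr

def probe_supported(candidates, run=_run_keygen):
    """Generate a throw-away key of each candidate type in a temp dir;
    types the installed ssh-keygen rejects are reported as unsupported."""
    supported = set()
    with tempfile.TemporaryDirectory() as d:
        for t in candidates:
            rc, err = run(["ssh-keygen", "-q", "-t", t, "-N", "",
                           "-f", os.path.join(d, "probe_" + t)])
            if rc == 0 and "unknown key type" not in err:
                supported.add(t)
    return supported

def filter_host_keys(config_text, supported, exists=os.path.exists):
    """Return (config without unsupported HostKey lines, warnings)."""
    kept, warnings = [], []
    for line in config_text.splitlines():
        m = HOSTKEY_RE.match(line)
        ktype = key_type_of(m.group(1)) if m else None
        if ktype and ktype not in supported:
            warnings.append("dropped %s: key type %s unsupported" % (m.group(1), ktype))
            continue
        if m and not exists(m.group(1)):
            warnings.append("missing host key file %s" % m.group(1))
        kept.append(line)
    return "\n".join(kept) + "\n", warnings
```

On a real minion, call `filter_host_keys(SAMPLE_CONFIG, probe_supported(["rsa", "ecdsa", "ed25519"]))` and feed the returned text to `sshd -t`; the warnings list is what you would want surfaced instead of a bare check_cmd failure.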

alxwr self-assigned this Dec 4, 2018
alxwr commented Dec 4, 2018

@javierbertoli @aboe76 @hudecof @kadogo I'll try to come up with a PR in the next two or three weeks. :-) (Sorry, times are busy.)

If you could provide me with a list of ciphers (rsa/dsa/...) your distribution(s) accept, need and reject, that would help a lot. Thanks in advance!

alxwr commented Dec 4, 2018

@javierbertoli @aboe76 osfingermap.yaml it is, but I'll try to use strong defaults as much as possible, meaning that I'll only weaken the ciphers when the distribution requires that.

aboe76 commented Dec 5, 2018

@alxwr no problem, osfingermap.yaml then; hopefully the supported ciphers are easy to find.

@javierbertoli (Member)

@alxwr perhaps this article helps? https://infosec.mozilla.org/guidelines/openssh

alxwr commented Dec 11, 2018

@javierbertoli Thanks!

alxwr commented Feb 12, 2019

Should be fixed in #151.

alxwr added a commit to alxwr/openssh-formula that referenced this issue Feb 12, 2019
@myii myii closed this as completed in #151 Feb 18, 2019
myii added a commit that referenced this issue Feb 18, 2019
CentOS does not support ed25519; fixes #98