smartdc-auth doesn’t allow ed25519 keys:
signing request: ED25519 type keys are not supported
Though ED25519 support exists in sshpk so it should be possible.
TRITON-2417 (Merged)
TRITON-2378 (Pull Request)
TRITON-2378 (Merged)
TRITON-2378 (Merged)
MANTA-5467 (Merged)
TRITON-2378 (not needed)
sdc-sdc (Need to update Manta dependency)
https://github.com/TritonDataCenter/node-manta/compare/MANTA-5466 (Merged)
Travis Paul commented on 2023-02-22T15:57:53.891-0500 (edited 2023-02-22T15:59:44.402-0500):
Got this working locally by updating the following repos:
Since a CloudAPI update is required and much more testing is necessary, going to circle back around to this later.
Travis Paul commented on 2023-02-27T14:40:54.883-0500:
These need to be out of draft:
Maybe other things related to CMON, UFDS, and Docker Keys.
Travis Paul commented on 2023-02-27T14:46:30.165-0500 (edited 2023-02-27T14:47:00.981-0500):
Need to be able to authenticate with CloudAPI, Manta, Docker, and CMON. Does SSH work?
Test in us-central-a (dev environment.)
Travis Paul commented on 2023-03-14T14:32:42.498-0400:
ED25519 support wasn’t added to OpenSSL until version 1.1.1 and wasn’t added to Node until version 12.0.0.
Docker is using Node.js v6.17.1 built (statically) against OpenSSL v1.0.2r.
Unlike CloudAPI and manta which use sshpk with http-signatures for authentication, docker uses TLS certificates and the native Node.js crypto module (which in turn uses openssl.)
Travis Paul commented on 2023-11-14T09:38:33.878-0500:
Confirmed that make check test succeeded.
Pulled these changes into smartdc-auth and confirmed that make check test succeeded.
Pulled these changes into cloudapi and confirmed that make check succeeded and that I could install the changes via sdcadm update -C experimental cloudapi@TRITON-2378-20231113T181023Z-g073fbb7
Finally, I pulled these changes into node-triton (via smartdc-auth), removed all keys from my account except for an ED25519 key and confirmed that I could make Cloud API requests and provision instances.
Jira Bot commented on 2023-11-15T15:30:05.669-0500:
node-http-signature commit 078905cfbbf4231bcf0f6c48c4272e2df092d44d (branch master, by Travis Paul)
TRITON-2378#icft=TRITON-2378 Update sshpk for ed25519 support (#132)
Reviewed by: Dan McDonald <dan.mcdonald@mnx.io>
Travis Paul commented on 2023-11-17T12:29:27.681-0500:
Confirmed that make check test succeeded.
Pulled the relevant http-signature changes into cloudapi and confirmed that make check succeeded and that I could install the changes via sdcadm update -C experimental cloudapi@TRITON-2378-20231116T192012Z-g4220b98
Updated sshpk in sdc-ufds and confirmed that make check succeeded and that I could install the changes via sdcadm update -C experimental ufds@TRITON-2378-20231116T205537Z-g5fb2ee0
Finally, I pulled these changes into node-triton, removed all keys from my account except for an ED25519 key and confirmed that I could make Cloud API requests and provision an instance.
And reproducible results from @Jhonas Wernery!
I followed @travispaul's testing notes on my CoaL setup and was able to use an ED25519 key as SSH key. 🚀
Tested adding the SSH key via adminui and then used the mentioned node-triton branch, connecting to CoaL's cloudapi.
Fingerprint:
❯ ssh-keygen -E md5 -l -f ~/.ssh/id_ed25519.pub | awk '{print $2}' | tr -d '\n' | cut -d: -f 2-
10:25:b6:aa:62:76:57:62:41:a9:f8:b0:b9:be:c2:00
Before:
❯ ./bin/triton key list
triton key list: error (Signing): error signing request: ED25519 type keys are not supported
After:
❯ ./bin/triton key list
FINGERPRINT NAME
ba:91:55:74:f6:21:79:c2:21:ef:5b:93:f2:25:09:50 coal-1 sdc key
85:04:34:8a:6a:63:f1:37:e2:6d:d9:50:e8:7d:19:3a id_rsa
10:25:b6:aa:62:76:57:62:41:a9:f8:b0:b9:be:c2:00 teutat3s
Travis Paul commented on 2023-11-20T14:04:31.850-0500:
Reminder to update node-triton from Brian:
…it looks like neither docker nor prometheus support eddsa certificates (server or client side), so adding ed25519 support to either of those is moot anyway.
…we should also put into node-triton that it will only use rsa or ecdsa certs for generating docker/cmon client certs until eddsa is adopted by the CA/Browser Forum.
Travis Paul commented on 2023-12-13T12:39:37.324-0500 (edited 2023-12-13T14:53:41.256-0500):
Reminder: Ensure ed25519 keys can be added in Piranha
Update: It does, existing ed25519 keys (added via Admin UI) show up and new ones can be added.
Travis Paul commented on 2024-01-29T14:16:13.341-0500:
Still need to update Manta dependency for:
sdc-sdc