Bug #58622

cephadm: set-priv-key and set-pub-key don't work without manually setting the other key

Added by Adam King about 2 months ago. Updated about 1 month ago.

Status: In Progress
Priority: Normal
Category: -
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

Currently, cephadm is supplying asyncssh both the private and pub ssh key and, as part of setting up a connection, asyncssh is checking that the private and pub key match up. This is a problem for the set-priv-key and set-pub-key commands, as either of them will always fail because they will never match with the other public or private key respectively that is not being set by the command. Given we don't have any way to set both keys at once, this means there is no way to update the ssh key in the cluster without manually setting it in the config-key store, which bypasses our verification and can allow users to set keys that don't actually work.

Error looks like

[ceph: root@vm-00 /]# ceph cephadm set-priv-key -i /mnt/new-key
Error EINVAL: ssh connection root@vm-00 failed

and in the logs

2023-01-31T19:28:00.524753+0000 mgr.vm-00.rkaxhf [DBG] Opening connection to root@192.168.122.49 with ssh options '-F /tmp/cephadm-conf-92hyyca_ -i /tmp/cephadm-identity-mih4473r'
2023-01-31T19:28:00.541618+0000 mgr.vm-00.rkaxhf [ERR] Public key mismatch
Traceback (most recent call last):
  File "/usr/share/ceph/mgr/cephadm/ssh.py", line 111, in redirect_log
    yield
  File "/usr/share/ceph/mgr/cephadm/ssh.py", line 90, in _remote_connection
    preferred_auth=['publickey'], options=ssh_options)
  File "/lib/python3.6/site-packages/asyncssh/connection.py", line 6801, in connect
    **kwargs)
  File "/lib/python3.6/site-packages/asyncssh/connection.py", line 5574, in __init__
    super().__init__(options=options, last_config=last_config, **kwargs)
  File "/lib/python3.6/site-packages/asyncssh/misc.py", line 268, in __init__
    self.prepare(**self.kwargs)
  File "/lib/python3.6/site-packages/asyncssh/connection.py", line 6257, in prepare
    client_certs, identities_only)
  File "/lib/python3.6/site-packages/asyncssh/public_key.py", line 3213, in load_keypairs
    result.append(SSHLocalKeyPair(key, pubkey))
  File "/lib/python3.6/site-packages/asyncssh/public_key.py", line 1978, in __init__
    raise ValueError('Public key mismatch')
ValueError: Public key mismatch

I tested setting the pub key manually first and then running set-priv-key and that worked alright, although the whole point of these commands is to not have the users be manually accessing the config-key store so we can actually do some verification on the key they provide.
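
Added example, not part of the original report and not cephadm's or asyncssh's code: a standard-library-only pre-check that compares the public-key blob stored in the cleartext header of an OpenSSH-format private key with the blob in a public key line, the same kind of pair consistency that the "Public key mismatch" error above reports. All function names are hypothetical, and the sample pair is constructed filler data with the right container layout, not usable keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _s(b):  # encode an SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):  # decode one SSH string, return (value, next_offset)
    if off + 4 > len(buf):
        raise ValueError("truncated key data")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:end], end

def pub_blob_from_private(text):
    """Public-key blob from the cleartext header of an openssh-key-v1 file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = _read_string(raw, off)
    if raw[off:off + 4] != struct.pack(">I", 1):  # uint32 number of keys
        raise ValueError("expected exactly one key")
    return _read_string(raw, off + 4)[0]

def pub_blob_from_public(line):
    """Blob from an 'algo base64 [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    return base64.b64decode(fields[1])

def keys_match(private_text, public_line):
    """True when both files carry the same public-key blob."""
    return pub_blob_from_private(private_text) == pub_blob_from_public(public_line)

def make_sample_pair(seed):
    """Constructed sample data: right container layout, filler bytes, not real keys."""
    blob = _s(b"ssh-ed25519") + _s(bytes([seed]) * 32)
    raw = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(blob) + _s(b"\0" * 8)
    priv = BEGIN + "\n" + base64.b64encode(raw).decode() + "\n" + END + "\n"
    return priv, "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Matching blobs show only that the two files describe the same public key; the private section is not decrypted or checked, so a real connection test is still needed. Keys in the older PEM formats are rejected with ValueError rather than parsed.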

History

#1 Updated by Adam King about 1 month ago

  • Pull request ID set to 49952

#2 Updated by Adam King about 1 month ago

  • Status changed from New to In Progress
