SSH: report signing error reason, and clarify docs re. non-RSA CA keys #11036
CircleCI build failures appear to be unrelated to this PR
values are `ssh-rsa`, `rsa-sha2-256`, and `rsa-sha2-512`. Note that `ssh-rsa` | ||
is now considered insecure and is not supported by current OpenSSH versions. | ||
If not specified, it will use the signer's default algorithm. | ||
values when the CA has an RSA key are `ssh-rsa`, `rsa-sha2-256`, and |
This part of the comment (i.e., "when the CA has an RSA key") seems redundant, as the signing algorithms clearly mention RSA.
Without this amendment, it could be construed that `ssh-rsa`, `rsa-sha2-256` and `rsa-sha2-512` are the only permitted signing algorithms - and therefore that only RSA signing keys are supported.
The last sentence ("This value must be left blank for CA key types other than RSA.") suffices for such clarification.
you can add it to your configuration. The key generated will be RSA, but | ||
other types of CA key can be imported if `generate_signing_key` is false. |
you can add it to your configuration. The key generated will be RSA, but | |
other types of CA key can be imported if `generate_signing_key` is false. | |
you can add it to your configuration. If `generate_signing_key` is true, the generated signing key is of type | |
RSA. If `generate_signing_key` is false, the stored CA key is used which can be of any valid signing key type. |
I've changed the wording here, what do you think?
`generate_signing_key` `(bool: true)` – Specifies if Vault should generate the signing key pair internally. If `true`, an RSA key pair is generated, and the generated public key returned so you can add it to your configuration. If `false`, then you must provide `private_key` and `public_key`, but these can be of any valid signing key type.
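The two documentation passages discussed in this thread (the `algorithm_signer` values that apply when the CA key is RSA, and `generate_signing_key` deciding whether the CA key is a generated RSA key or an imported key of any type) describe a rule that is easy to get wrong in a configuration. The following Python is an added example, not code from this PR or from Vault: a preflight check that derives the CA key type from the OpenSSH public key line (first token, cross-checked against the length-prefixed type string inside the base64 blob) and reports `algorithm_signer` settings that the docs describe as invalid (non-blank for a non-RSA CA key) or deprecated (`ssh-rsa`). The function names, the `constructed_public_key` helper and the sample key lines are assumptions made for this example; the constructed blobs carry only the type string and are not real keys.

```python
"""Preflight check for a Vault SSH CA configuration (added example, not Vault code)."""
import base64
import struct
from typing import List, Optional

# Values the docs list for algorithm_signer when the CA key is RSA.
RSA_SIGNING_ALGORITHMS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}
# ssh-rsa signatures are SHA-1 based and rejected by current OpenSSH versions.
LEGACY_SIGNING_ALGORITHMS = {"ssh-rsa"}


def ca_key_type(public_key_line: str) -> str:
    """Return the key type of an OpenSSH public key line ("<type> <base64> [comment]").

    The type appears twice: as the first token and as a length-prefixed string at
    the start of the base64 blob (RFC 4253 "string" encoding). Both must agree,
    so a mislabelled key line is refused rather than silently trusted.
    """
    fields = public_key_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    declared = fields[0]
    blob = base64.b64decode(fields[1])
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != declared:
        raise ValueError(f"key type mismatch: {declared!r} vs {embedded!r}")
    return declared


def check_signing_config(generate_signing_key: bool,
                         public_key_line: Optional[str],
                         algorithm_signer: str = "") -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent
    with the documented rules (hypothetical helper, not a Vault API)."""
    if generate_signing_key:
        key_type = "ssh-rsa"  # Vault generates an RSA key pair in this mode
    elif not public_key_line:
        return ["generate_signing_key=false requires private_key and public_key"]
    else:
        key_type = ca_key_type(public_key_line)

    problems: List[str] = []
    if not algorithm_signer:
        return problems  # unspecified: the signer's default algorithm applies
    if key_type != "ssh-rsa":
        problems.append(f"algorithm_signer must be left blank for CA key type {key_type}")
    elif algorithm_signer not in RSA_SIGNING_ALGORITHMS:
        problems.append(f"unsupported algorithm_signer {algorithm_signer!r}")
    elif algorithm_signer in LEGACY_SIGNING_ALGORITHMS:
        problems.append("algorithm_signer=ssh-rsa (SHA-1) is rejected by current OpenSSH; "
                        "use rsa-sha2-256 or rsa-sha2-512")
    return problems


def constructed_public_key(key_type: str) -> str:
    """Build a syntactically valid public key line whose blob holds only the
    type string. Constructed test data for this example, not a usable key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} constructed@example"


if __name__ == "__main__":
    cases = [
        (True, None, "rsa-sha2-256"),                               # generated RSA key, modern algorithm
        (True, None, "ssh-rsa"),                                    # generated RSA key, deprecated algorithm
        (False, constructed_public_key("ssh-ed25519"), ""),         # imported Ed25519 key, blank signer
        (False, constructed_public_key("ssh-ed25519"), "rsa-sha2-512"),  # invalid combination
        (False, None, ""),                                          # missing imported key
    ]
    for generate, key_line, signer in cases:
        print(generate, signer or "<blank>", check_signing_config(generate, key_line, signer))
```

The cross-check in `ca_key_type` matters when the key material comes from a file or a ticket rather than being generated in place: the first token is free text and is what a human reads, while the embedded string is what the SSH wire format actually carries.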
Sounds good!
e7cb875 to 9e986d0
@candlerb would you please merge in the latest changes in main so that the checks and tests pass?
9e986d0 to 342dd06
Patch rebased, and slightly different wording proposed for
CI failed, looks like an issue cloning the github repo:
One slight suggestion, but otherwise LGTM.
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
For reference, originally this PR included the signing error reason:
However, that has already been applied in commits 6960b76 and 7ca2caf.
See #10067