Implement Ingress Secure Keys

pull/468/head
Pierre-Elliott Bécue 3 years ago committed by Stéphane Lesimple
parent a1efcec582
commit d0ac9eabb9

@ -67,14 +67,20 @@ if (not defined $pubKey) {
my $algos = join(' ', @algoList);
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
if (grep { 'ed25519-sk' eq $_ } @algoList) {
osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
}
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
}
if (grep { 'ecdsa-sk' eq $_ } @algoList) {
osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
}
if (grep { 'ecdsa' eq $_ } @algoList) {
osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
osh_info "ECDSA : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
}
if (grep { 'rsa' eq $_ } @algoList) {
osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
osh_info "RSA : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
}
osh_info "\nIn any case, don't save it without a passphrase.";
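Review bot: The hint for the new `ecdsa-sk` entry, `ssh-keygen -t ecdsa-sk -b 521`, advertises a 521-bit curve that FIDO ECDSA keys cannot carry: ssh-keygen(1) states that the `-b` flag is ignored for ECDSA-SK keys, which are always nistp256, and the public-key regex added elsewhere in this commit accepts only `sk-ecdsa-sha2-nistp256@openssh.com`. Suggest `osh_info "ECDSA Secure-Key (P-256): strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk' to generate one";`, which also aligns the label with the `ED25519 Secure-Key` wording two entries above instead of the unexplained `NIST-P Secure key`. The enclosing `if (not defined $pubKey)` block begins before this hunk.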

@ -57,7 +57,7 @@
# allowedIngressSshAlgorithms (array of strings (algorithm names))
# DESC: The algorithms authorized for ingress ssh public keys added to this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``: unsupported algorithms are automatically omitted at runtime.
# DEFAULT: [ "rsa", "ecdsa", "ed25519" ]
"allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519" ],
"allowedIngressSshAlgorithms": [ "rsa", "ecdsa", "ed25519", "ecdsa-sk", "ed25519-sk" ],
#
# allowedEgressSshAlgorithms (array of strings (algorithm names))
# DESC: The algorithms authorized for egress ssh public keys generated on this bastion. Possible values: ``dsa``, ``rsa``, ``ecdsa``, ``ed25519``, note that some of those might not be supported by your current version of ``OpenSSH``, unsupported algorithms are automatically omitted at runtime.
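Review bot: The `# DESC:` and `# DEFAULT:` comments for `allowedIngressSshAlgorithms` were not updated alongside the value: DESC still lists only dsa, rsa, ecdsa and ed25519 as possible values and DEFAULT still shows the three-algorithm list, so an operator reading this template cannot tell that `ecdsa-sk` and `ed25519-sk` are now accepted. Extend the possible-values list in DESC with `ecdsa-sk` and `ed25519-sk`, and, if the built-in default in `load_configuration` is indeed being changed to include them, update to `# DEFAULT: [ "rsa", "ecdsa", "ed25519", "ecdsa-sk", "ed25519-sk" ]`. The existing clause about unsupported algorithms being omitted at runtime is the natural place to add that the two `-sk` entries require OpenSSH 8.2 or later.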

@ -367,8 +367,8 @@ sub load_configuration {
## no critic(RegularExpressions::ProhibitFixedStringMatches)
{
name => 'allowedIngressSshAlgorithms',
default => [qw{ rsa ecdsa ed25519 }],
validre => qr/^(rsa|ecdsa|ed25519)$/
default => [qw{ rsa ecdsa ed25519 edcsa-sk ed25519-sk }],
validre => qr/^(rsa|ecdsa|ed25519|ecdsa-sk|ed25519-sk)$/
},
## no critic(RegularExpressions::ProhibitFixedStringMatches)
{
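Review bot: The new `default` list contains the misspelling `edcsa-sk`, which does not match the `ecdsa-sk` alternative added to `validre` on the next line; depending on whether defaults are run through `validre` (not visible here), a bastion using the built-in default would either fail validation of its own default or silently never offer ecdsa-sk. Fix: `default => [qw{ rsa ecdsa ed25519 ecdsa-sk ed25519-sk }],`. A test asserting that every element of each entry's `default` matches its `validre` would catch this class of typo for the whole table.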

@ -302,7 +302,7 @@ sub get_ssh_pub_key_info {
my ($prefix, $typecode, $base64, $comment);
if ($pubKey =~
m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
m{^\s*((\S+)\s+)?(ssh-dss|ssh-rsa|ecdsa-sha\d+-nistp\d+|ssh-ed\d+|sk-ssh-ed25519\@openssh.com|sk-ecdsa-sha2-nistp256\@openssh.com)\s+([a-zA-Z0-9/=+]+)(\s+(.{1,128})?)?$}
&& length($pubKey) <= 3000)
{
($prefix, $typecode, $base64, $comment) = ($2, $3, $4, $6);
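Review bot: In the two new alternatives the `.` in `openssh.com` is an unescaped metacharacter, so the typecode alternation also accepts strings such as `sk-ssh-ed25519@opensshXcom`; since the match is captured into `$typecode` on the next line, anchor it exactly: `sk-ssh-ed25519\@openssh\.com|sk-ecdsa-sha2-nistp256\@openssh\.com`. Limiting sk-ecdsa to nistp256 is correct, as that is the only curve OpenSSH defines for FIDO ECDSA keys. `get_ssh_pub_key_info` continues beyond this hunk.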
@ -360,7 +360,7 @@ sub get_ssh_pub_key_info {
256 SHA256:Yggd7VRRbbivxkdVwrdt0HpqKNylMK91nNIU+RxndTI john@doe (ED25519)
=cut
if (defined $sshkeygen and $sshkeygen =~ /^(\d+)\s+(\S+)\s+(.+)\s+\(([A-Z0-9]+)\)$/) {
if (defined $sshkeygen and $sshkeygen =~ /^(\d+)\s+(\S+)\s+(.+)\s+\(([A-Z0-9-]+)\)$/) {
my ($size, $fingerprint, $comment2, $family) = ($1, $2, $3, $4);
$return{'size'} = $size + 0;
$return{'fingerprint'} = $fingerprint;
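Review bot: The widened family capture `[A-Z0-9-]+` is justified only by the POD sample above it, which still shows a single `(ED25519)` line and so does not explain why a hyphen is now accepted. Add a security-key example next to it, such as `256 SHA256:<fingerprint> john@doe (ED25519-SK)`, so the next reader sees the `ssh-keygen -l` output the hyphen is for. Both the POD block and `get_ssh_pub_key_info` begin before this hunk.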
@ -436,7 +436,7 @@ EOS
$fnret->{'msg'} = "Unknown error (" . $fnret->msg . "), please report to your sysadmin.";
}
else {
if (not grep { $fnret->value->{'family'} eq $_ } qw{ RSA ECDSA ED25519 }) {
if (not grep { $fnret->value->{'family'} eq $_ } qw{ RSA ECDSA ED25519 ECDSA-SK ED25519-SK }) {
$fnret->{'err'} = 'ERR_UNKNOWN_TYPE';
$fnret->{'msg'} =
"Unknown family type (" . $fnret->value->{'family'} . "), please report to your sysadmin.";
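Review bot: The accepted-family list `qw{ RSA ECDSA ED25519 ECDSA-SK ED25519-SK }` is the third hand-maintained copy of the supported algorithm set in this commit, alongside the `validre` in `load_configuration` and the typecode alternation in the public-key regex, and a typo in any one of them desynchronises acceptance from configuration (the new default list in `load_configuration` already contains one). Consider deriving all three from a single table, e.g. a hash keyed by the `ssh-keygen -l` family name that carries the config name and typecode, and iterating it here. If this check is meant to be followed by a filter against `allowedIngressSshAlgorithms` elsewhere, a short comment pointing to it would make that clear, e.g. `# family is sanity-checked here; allowedIngressSshAlgorithms is enforced by the caller`.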
@ -634,6 +634,8 @@ sub get_supported_ssh_algorithms_list {
my $version = $1;
push @supportedList, 'ecdsa' if ($version gt "5.7");
push @supportedList, 'ed25519' if ($version gt "6.5");
push @supportedList, 'ecdsa-sk' if ($version gt "8.2");
push @supportedList, 'ed25519-sk' if ($version gt "8.2");
@cached_runtime_list = @supportedList;
last;
}
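Review bot: The two new gates reuse `gt` on the captured `$version` string, which excludes OpenSSH 8.2 itself — the release that introduced FIDO security-key support — because `"8.2" gt "8.2"` is false, and if `$version` is the dotted `major.minor` string these comparisons suggest, `gt` is lexicographic, so a two-digit major such as `"10.0"` sorts below `"8.2"` and loses sk support entirely. Compare numerically instead, e.g. `my ($maj, $min) = map { $_ + 0 } split /\./, $version;` followed by `push @supportedList, 'ecdsa-sk', 'ed25519-sk' if ($maj > 8 or ($maj == 8 and $min >= 2));`. The pre-existing `ecdsa` and `ed25519` gates have the same shape and would benefit from the same treatment. `get_supported_ssh_algorithms_list` begins before this hunk.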
