[GH-ISSUE #313] Issue with adding ed25519 keys #81

New issue

Closed

opened 2026-05-07 00:18:30 +02:00 by BreizhHardware · 7 comments

BreizhHardware commented 2026-05-07 00:18:30 +02:00

Owner

Copy link

Originally created by @asanz-mrmilu on GitHub (Jun 30, 2022).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/313

Hello,

I've been trying to create an account with a key type "ed25519", but it fails with the following trace (debug enabled):

my-user@my-bastion(master)> accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"'
~ <361675:/opt/bastion/bin/shell/osh.pl> is_account_nonexpired: got lastlog date: 1656590244
~ <361675:/opt/bastion/bin/shell/osh.pl> Last account activity: 0 days ago
~ <361675:/opt/bastion/bin/shell/osh.pl> self=my-user home=/home/my-user realm= remoteself= sysself=my-user
~ <361675:/opt/bastion/bin/shell/osh.pl> user-passed options : -i --osh accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"'
~ <361675:/opt/bastion/bin/shell/osh.pl> remainingOptions <--account/new-user/--uid-auto/--comment/"new-user Developer access"/--public-key/"ssh-ed25519 aaaaaaa-suppresedf">
~ <361675:/opt/bastion/bin/shell/osh.pl> Going got pass the following supplement args to plugin: --account^new-user^--uid-auto^--comment^"new-user Developer access"^--public-key^"ssh-ed25519 aaaaaaa-suppresedf"
~ <361675:/opt/bastion/bin/shell/osh.pl> will work on IP 
~ <361675:/opt/bastion/bin/shell/osh.pl> self     : my-user
~ <361675:/opt/bastion/bin/shell/osh.pl> user       : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> host       : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> port       : 22
~ <361675:/opt/bastion/bin/shell/osh.pl> verbose    : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> tty        : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> osh        : accountCreate
~ <361675:/opt/bastion/bin/shell/osh.pl> command    : <undef>
~ <361675:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['/opt/bastion/bin/plugin/restricted/accountCreate','','','','','--account','new-user','--uid-auto','--comment','"new-user Developer access"','--public-key','"ssh-ed25519 aaaaaaa-suppresedf"']
~ <361675:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361676 to complete...
╭──the-bastion────────────────────────────────────────────the-bastion-3.08.01───
│ ▶ create a new bastion account
├───────────────────────────────────────────────────────────────────────────────
│ 
│ ⛔ This doesn't look like an SSH public key, accepted formats are RSA (>= 2048 bits)
│ ⛔ and if supported by the OS, ECDSA and Ed25519.
╰────────────────────────────────────────────────────────────</accountCreate>───
~ <361675:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361676 indefinitely
~ <361675:/opt/bastion/bin/shell/osh.pl> cmd returned with status 100
~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n']
~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361677 to complete...
~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361677): my-user bastion-users osh-accountListAccesses osh-accountMFAResetPassword osh-accountListEgressKeys osh-groupDelete osh-accountUnlock osh-selfDelPersonalAccess osh-accountListIngressKeys osh-selfAddPersonalAccess osh-accountInfo osh-accountList osh-realmList osh-accountModify osh-whoHasAccessTo osh-accountGrantCommand osh-accountMFAResetTOTP osh-groupCreate osh-accountUnexpire osh-realmDelete osh-accountDelPersonalAccess osh-accountCreate osh-realmCreate osh-accountPIV osh-realmInfo osh-accountDelete osh-accountAddPersonalAccess osh-accountRevokeCommand osh-accountGeneratePassword osh-accountListPasswords osh-rootListIngressKeys osh-auditor osh-admin keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta my-user-tty
~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361677 indefinitely
~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0
~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n','my-user']
~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361678 to complete...
~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361678): my-user osh-admin osh-auditor osh-rootListIngressKeys osh-accountListPasswords osh-accountGeneratePassword osh-accountRevokeCommand osh-accountAddPersonalAccess osh-accountDelete osh-realmInfo osh-accountPIV osh-realmCreate osh-accountCreate osh-accountDelPersonalAccess osh-realmDelete osh-accountUnexpire osh-groupCreate osh-accountMFAResetTOTP osh-accountGrantCommand osh-whoHasAccessTo osh-accountModify osh-realmList osh-accountList osh-accountInfo osh-selfAddPersonalAccess osh-accountListIngressKeys osh-selfDelPersonalAccess osh-accountUnlock osh-groupDelete osh-accountListEgressKeys osh-accountMFAResetPassword osh-accountListAccesses bastion-users my-user-tty keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta
~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361678 indefinitely
~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0

It failed like 10 times, then it magically worked, it seems to happen only with this type of key. I'm running bastion on AWS on a 20.04 instance with openssh 8.4

My configuration on bastion has this type of keys enabled, and the sshd config does allow it as well. I even added my ed key on the server and ssh into it without issues, but adding the key to myself on bastion, also failed a couple of times before being added successfully

Originally created by @asanz-mrmilu on GitHub (Jun 30, 2022). Original GitHub issue: https://github.com/ovh/the-bastion/issues/313 Hello, I've been trying to create an account with a key type "ed25519", but it fails with the following trace (debug enabled): ``` my-user@my-bastion(master)> accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"' ~ <361675:/opt/bastion/bin/shell/osh.pl> is_account_nonexpired: got lastlog date: 1656590244 ~ <361675:/opt/bastion/bin/shell/osh.pl> Last account activity: 0 days ago ~ <361675:/opt/bastion/bin/shell/osh.pl> self=my-user home=/home/my-user realm= remoteself= sysself=my-user ~ <361675:/opt/bastion/bin/shell/osh.pl> user-passed options : -i --osh accountCreate --account new-user --uid-auto --comment '"new-user Developer access"' --public-key '"ssh-ed25519 aaaaaaa-suppresedf"' ~ <361675:/opt/bastion/bin/shell/osh.pl> remainingOptions <--account/new-user/--uid-auto/--comment/"new-user Developer access"/--public-key/"ssh-ed25519 aaaaaaa-suppresedf"> ~ <361675:/opt/bastion/bin/shell/osh.pl> Going got pass the following supplement args to plugin: --account^new-user^--uid-auto^--comment^"new-user Developer access"^--public-key^"ssh-ed25519 aaaaaaa-suppresedf" ~ <361675:/opt/bastion/bin/shell/osh.pl> will work on IP ~ <361675:/opt/bastion/bin/shell/osh.pl> self : my-user ~ <361675:/opt/bastion/bin/shell/osh.pl> user : <undef> ~ <361675:/opt/bastion/bin/shell/osh.pl> host : <undef> ~ <361675:/opt/bastion/bin/shell/osh.pl> port : 22 ~ <361675:/opt/bastion/bin/shell/osh.pl> verbose : <undef> ~ <361675:/opt/bastion/bin/shell/osh.pl> tty : <undef> ~ <361675:/opt/bastion/bin/shell/osh.pl> osh : accountCreate ~ <361675:/opt/bastion/bin/shell/osh.pl> command : <undef> ~ <361675:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['/opt/bastion/bin/plugin/restricted/accountCreate','','','','','--account','new-user','--uid-auto','--comment','"new-user Developer access"','--public-key','"ssh-ed25519 aaaaaaa-suppresedf"'] ~ <361675:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361676 to complete... ╭──the-bastion────────────────────────────────────────────the-bastion-3.08.01─── │ ▶ create a new bastion account ├─────────────────────────────────────────────────────────────────────────────── │ │ ⛔ This doesn't look like an SSH public key, accepted formats are RSA (>= 2048 bits) │ ⛔ and if supported by the OS, ECDSA and Ed25519. ╰────────────────────────────────────────────────────────────</accountCreate>─── ~ <361675:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361676 indefinitely ~ <361675:/opt/bastion/bin/shell/osh.pl> cmd returned with status 100 ~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n'] ~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361677 to complete... ~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361677): my-user bastion-users osh-accountListAccesses osh-accountMFAResetPassword osh-accountListEgressKeys osh-groupDelete osh-accountUnlock osh-selfDelPersonalAccess osh-accountListIngressKeys osh-selfAddPersonalAccess osh-accountInfo osh-accountList osh-realmList osh-accountModify osh-whoHasAccessTo osh-accountGrantCommand osh-accountMFAResetTOTP osh-groupCreate osh-accountUnexpire osh-realmDelete osh-accountDelPersonalAccess osh-accountCreate osh-realmCreate osh-accountPIV osh-realmInfo osh-accountDelete osh-accountAddPersonalAccess osh-accountRevokeCommand osh-accountGeneratePassword osh-accountListPasswords osh-rootListIngressKeys osh-auditor osh-admin keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta my-user-tty ~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361677 indefinitely ~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0 ~ <361581:/opt/bastion/bin/shell/osh.pl> about to run_cmd ['id','-G','-n','my-user'] ~ <361581:/opt/bastion/bin/shell/osh.pl> waiting for child PID 361678 to complete... ~ <361581:/opt/bastion/bin/shell/osh.pl> stdout(361678): my-user osh-admin osh-auditor osh-rootListIngressKeys osh-accountListPasswords osh-accountGeneratePassword osh-accountRevokeCommand osh-accountAddPersonalAccess osh-accountDelete osh-realmInfo osh-accountPIV osh-realmCreate osh-accountCreate osh-accountDelPersonalAccess osh-realmDelete osh-accountUnexpire osh-groupCreate osh-accountMFAResetTOTP osh-accountGrantCommand osh-whoHasAccessTo osh-accountModify osh-realmList osh-accountList osh-accountInfo osh-selfAddPersonalAccess osh-accountListIngressKeys osh-selfDelPersonalAccess osh-accountUnlock osh-groupDelete osh-accountListEgressKeys osh-accountMFAResetPassword osh-accountListAccesses bastion-users my-user-tty keytest-aclkeeper keytest-gatekeeper keytest-owner keyprod keydev keystaging keybeta ~ <361581:/opt/bastion/bin/shell/osh.pl> all fds are EOF, waiting for pid 361678 indefinitely ~ <361581:/opt/bastion/bin/shell/osh.pl> cmd returned with status 0 ``` It failed like 10 times, then it magically worked, it seems to happen only with this type of key. I'm running bastion on AWS on a 20.04 instance with openssh 8.4 My configuration on bastion has this type of keys enabled, and the sshd config does allow it as well. I even added my ed key on the server and ssh into it without issues, but adding the key to myself on bastion, also failed a couple of times before being added successfully

BreizhHardware closed this issue 2026-05-07 00:18:31 +02:00

BreizhHardware commented 2026-05-07 00:18:31 +02:00

Author

Owner

Copy link

@speed47 commented on GitHub (Jul 1, 2022):

What the script read wasn't parseable as a key, probably some issue with your terminal or copy/paste weirdness.
I see you enabled debug mode, to help in those cases we could, in the error message, print out what was received by the script and couldn't be parsed as a key, this might help pinpointing the problem.
If I push a dev branch with such debug enabled, would you be interested to test in on your AWS instance?

<!-- gh-comment-id:1172199857 --> @speed47 commented on GitHub (Jul 1, 2022): What the script read wasn't parseable as a key, probably some issue with your terminal or copy/paste weirdness. I see you enabled debug mode, to help in those cases we could, in the error message, print out what was received by the script and couldn't be parsed as a key, this might help pinpointing the problem. If I push a dev branch with such debug enabled, would you be interested to test in on your AWS instance?

BreizhHardware commented 2026-05-07 00:18:32 +02:00

Author

Owner

Copy link

@asanz-mrmilu commented on GitHub (Jul 1, 2022):

I've used an ansible role to install the bastion, I guess that I'll need to build from source, I could test it next week ^^

If it helps, I'm running zsh as my shell with oh-my-zsh

<!-- gh-comment-id:1172249380 --> @asanz-mrmilu commented on GitHub (Jul 1, 2022): I've used an ansible role to install the bastion, I guess that I'll need to build from source, I could test it next week ^^ If it helps, I'm running zsh as my shell with oh-my-zsh

BreizhHardware commented 2026-05-07 00:18:32 +02:00

Author

Owner

Copy link

@speed47 commented on GitHub (Jul 1, 2022):

I can give you the steps to swap branches manually. Depending on the configuration of your ansible role, you are either tracking the latest commit from the master branch, or the most recent tag (i.e. release), which is currently v3.08.01.

You can know which case is yours by logging in to the bastion as root and typing:
git describe -C /opt/bastion --exact-match --all.
You'll either get refs/master or tags/v3.08.01. This'll be usefull to rollback to the proper version once you're done testing.

Now, to get to the test branch I've just pushed:
git -C /opt/bastion fetch
git -C /opt/bastion checkout debug_addkey
/opt/bastion/bin/admin/fixrights.sh

You should get an additional debug line when trying to create an account in debug mode.

To revert to your previous production branch, either git -C /opt/bastion checkout master or git -C /opt/bastion checkout v3.08.01. Then, always do a /opt/bastion/bin/admin/fixrights.sh to ensure the file permissions are set correctly.

<!-- gh-comment-id:1172277937 --> @speed47 commented on GitHub (Jul 1, 2022): I can give you the steps to swap branches manually. Depending on the configuration of your ansible role, you are either tracking the latest commit from the `master` branch, or the most recent tag (i.e. release), which is currently `v3.08.01`. You can know which case is yours by logging in to the bastion as root and typing: `git describe -C /opt/bastion --exact-match --all`. You'll either get `refs/master` or `tags/v3.08.01`. This'll be usefull to rollback to the proper version once you're done testing. Now, to get to the test branch I've just pushed: `git -C /opt/bastion fetch` `git -C /opt/bastion checkout debug_addkey` `/opt/bastion/bin/admin/fixrights.sh` You should get an additional debug line when trying to create an account in debug mode. To revert to your previous production branch, either `git -C /opt/bastion checkout master` or `git -C /opt/bastion checkout v3.08.01`. Then, always do a `/opt/bastion/bin/admin/fixrights.sh` to ensure the file permissions are set correctly.

BreizhHardware commented 2026-05-07 00:18:32 +02:00

Author

Owner

Copy link

@asanz-mrmilu commented on GitHub (Jul 1, 2022):

Alright, I'll test it when I can and post the results here

<!-- gh-comment-id:1172481654 --> @asanz-mrmilu commented on GitHub (Jul 1, 2022): Alright, I'll test it when I can and post the results here

BreizhHardware commented 2026-05-07 00:18:32 +02:00

Author

Owner

Copy link

@asanz-mrmilu commented on GitHub (Jul 14, 2022):

Alright, I'm going to test this out today or tomorrow. I'll add a couple of comments related to other issues I've found these days:

• Creating an account with TTL causes the user to expire, but the account still appear as active on bastion
• Creating an account from interactive mode results in the SSH key error from above, but this time with RSA public keys

It's really weird and hard to see what's going on under the hood.

<!-- gh-comment-id:1184158231 --> @asanz-mrmilu commented on GitHub (Jul 14, 2022): Alright, I'm going to test this out today or tomorrow. I'll add a couple of comments related to other issues I've found these days: - Creating an account with TTL causes the user to expire, but the account still appear as active on bastion - Creating an account from interactive mode results in the SSH key error from above, but this time with RSA public keys It's really weird and hard to see what's going on under the hood.

BreizhHardware commented 2026-05-07 00:18:33 +02:00

Author

Owner

Copy link

@speed47 commented on GitHub (Sep 21, 2022):

The TTL issue has been fixed (it was a reporting error on the side of accountInfo, the TTL was correctly applied however).

Any news about the problem you faced with interactive mode?

<!-- gh-comment-id:1253506422 --> @speed47 commented on GitHub (Sep 21, 2022): The TTL issue has been fixed (it was a reporting error on the side of `accountInfo`, the TTL was correctly applied however). Any news about the problem you faced with interactive mode?

BreizhHardware commented 2026-05-07 00:18:33 +02:00

Author

Owner

Copy link

@speed47 commented on GitHub (Nov 2, 2022):

Closing for inactivity and impossibility to reproduce (for the part in interactive mode), please reopen if the issue is still valid.

<!-- gh-comment-id:1300675573 --> @speed47 commented on GitHub (Nov 2, 2022): Closing for inactivity and impossibility to reproduce (for the part in interactive mode), please reopen if the issue is still valid.

BreizhHardware referenced this issue 2026-05-07 00:19:52 +02:00

[PR #81] [MERGED] fix: is_valid_remote_user: extend allowed size from 32 to 128 #222

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

expifix

groupcreate_fix_uid

fix_group_gid_fast

gh-pages

clush

expiration

jsonvalidator

v3.23.01

v3.23.00

v3.22.00

v3.21.00

v3.20.00

v3.19.01

v3.19.00

v3.18.99-rc1

v3.18.00

v3.17.01

v3.17.00

v3.16.99-rc3

v3.16.99-rc2

v3.16.99-rc1

v3.16.01

v3.16.00

v3.15.00

v3.14.16

v3.14.15

v3.14.00

v3.13.01

v3.13.00

v3.12.00

v3.11.02

v3.11.01

v3.11.00

v3.10.00

v3.09.02

v3.09.00-really

v3.09.00

v3.09.00-rc3

v3.09.00-rc2

v3.09.00-rc1

v3.08.01

v3.08.00

v3.07.00

v3.06.00

v3.05.01

v3.05.00

v3.04.00

v3.03.99-rc2

v3.03.99-rc1

v3.03.01

v3.03.00

v3.02.00

v3.01.99-rc4

v3.01.99-rc3

v3.01.99-rc2

v3.01.99-rc1

v3.01.03

v3.01.02

v3.01.01

v3.01.00

v3.00.02

v3.00.01

v3.00.00

Labels

Clear labels   

answered

  

bug

  

documentation

  

enhancement

  

enhancement

  

feature

  

feature

  

kept-open-for-info

  

pull-request

Mirrored from GitHub Pull Request

  

question

No labels

answered

bug

documentation

enhancement

enhancement

feature

feature

kept-open-for-info

pull-request

question

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/the-bastion#81

No description provided.