Generate RSA ssh key

germag · germag · commit 8fe62b69251c · 2024-11-04T19:40:35.000+01:00
For simplicity, we were using the ssh key from podman-machine,
but it has the inconvenience that this key is ed25519 and does
not work in FIPS mode.

Let's generate and inject an RSA ssh key that it's FIPS approved.

Signed-off-by: German Maglione &lt;gmaglione@redhat.com&gt;
diff --git a/cmd/run.go b/cmd/run.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/containers/podman-bootc/pkg/bootc"
 	"github.com/containers/podman-bootc/pkg/config"
+	"github.com/containers/podman-bootc/pkg/credentials"
 	"github.com/containers/podman-bootc/pkg/user"
 	"github.com/containers/podman-bootc/pkg/utils"
 	"github.com/containers/podman-bootc/pkg/vm"
@@ -102,6 +103,11 @@ func doRun(flags *cobra.Command, args []string) error {
 		}
 	}()
 
+	sSHIdentityPath, err := credentials.Generatekeys(bootcVM.CacheDir())
+	if err != nil {
+		return fmt.Errorf("unable to generate ssh key: %w", err)
+	}
+
 	cmd := args[1:]
 	err = bootcVM.Run(vm.RunVMParameters{
 		Cmd:           cmd,
@@ -110,7 +116,7 @@ func doRun(flags *cobra.Command, args []string) error {
 		RemoveVm:      vmConfig.RemoveVm,
 		Background:    vmConfig.Background,
 		SSHPort:       sshPort,
-		SSHIdentity:   machine.SSHIdentityPath,
+		SSHIdentity:   sSHIdentityPath,
 		VMUser:        vmConfig.User,
 	})
 
diff --git a/pkg/credentials/ssh.go b/pkg/credentials/ssh.go
@@ -10,13 +10,14 @@ import (
 	"github.com/containers/podman-bootc/pkg/config"
 )
 
-// Generatekeys creates an ed25519 set of keys
+// Generatekeys creates an RSA set of keys
 func Generatekeys(outputDir string) (string, error) {
 	sshIdentity := filepath.Join(outputDir, config.SshKeyFile)
 	_ = os.Remove(sshIdentity)
 	_ = os.Remove(sshIdentity + ".pub")
 
-	args := []string{"-N", "", "-t", "ed25519", "-f", sshIdentity}
+	// we use RSA here so it works on FIPS mode
+	args := []string{"-N", "", "-t", "rsa", "-f", sshIdentity}
 	cmd := exec.Command("ssh-keygen", args...)
 	stdErr, err := cmd.StderrPipe()
 	if err != nil {
diff --git a/pkg/vm/vm.go b/pkg/vm/vm.go
@@ -70,6 +70,7 @@ type BootcVM interface {
 	WaitForSSHToBeReady() error
 	RunSSH([]string) error
 	DeleteFromCache() error
+	CacheDir() string
 	Exists() (bool, error)
 	GetConfig() (*BootcVMConfig, error)
 	CloseConnection()
@@ -252,6 +253,10 @@ func (v *BootcVMCommon) DeleteFromCache() error {
 	return os.RemoveAll(v.cacheDir)
 }
 
+func (v *BootcVMCommon) CacheDir() string {
+	return v.cacheDir
+}
+
 func (b *BootcVMCommon) oemString() (string, error) {
 	systemdOemString, err := oemStringSystemdCredential(b.vmUsername, b.sshIdentity)
 	if err != nil {
