Factor out in a generic function the helper listing allowed ssh key algorithm

2025-02-25 16:13:38 +08:00 · 2023-09-25 15:36:51 +02:00 · 2023-09-25 15:36:51 +02:00 · 1e44092c16
commit 1e44092c16
parent 7dce5734fd
4 changed files with 31 additions and 34 deletions
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@ -61,27 +61,8 @@ if (!OVH::Bastion::has_piv_helper()) {
 }

 if (not defined $pubKey) {
-    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
-    $fnret or osh_exit $fnret;
-    my @algoList = @{$fnret->value};
-    my $algos    = join(' ', @algoList);
    osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-
-    if (grep { 'ed25519-sk' eq $_ } @algoList) {
-        osh_info "ED25519 Secure-Key: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
-    }
-    if (grep { 'ed25519' eq $_ } @algoList) {
-        osh_info "ED25519: strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
-    }
-    if (grep { 'ecdsa-sk' eq $_ } @algoList) {
-        osh_info "NIST-P Secure key: strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
-    }
-    if (grep { 'ecdsa' eq $_ } @algoList) {
-        osh_info "ECDSA  : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
-    }
-    if (grep { 'rsa' eq $_ } @algoList) {
-        osh_info "RSA    : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
-    }
+    OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
    osh_info "\nIn any case, don't save it without a passphrase.";

    if (OVH::Bastion::config('ingressKeysFromAllowOverride')->value) {
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
@ -103,20 +103,8 @@ if (defined $maxInactiveDays && $maxInactiveDays < 0) {
 }

 if (!$pubKey && !$noKey) {
-    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
-    $fnret or osh_exit $fnret;
-    my @algoList = @{$fnret->value};
-    my $algos    = join(' ', @algoList);
    osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
-    if (grep { 'ed25519' eq $_ } @algoList) {
-        osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
-    }
-    if (grep { 'ecdsa' eq $_ } @algoList) {
-        osh_info "ECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
-    }
-    if (grep { 'rsa' eq $_ } @algoList) {
-        osh_info "RSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
-    }
+    OVH::Bastion::print_accepted_key_algorithms(way => "ingress");
    osh_info "\nIn any case, don't save it without a passphrase (your paste won't be echoed).";
    $pubKey = <STDIN>;
 }
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -156,7 +156,7 @@ my %_autoload_files = (
    ],
    password => [qw{ get_hashes_from_password get_password_file get_hashes_list is_valid_hash }],
    ssh      => [
-        qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled }
+        qw{ has_piv_helper verify_piv get_authorized_keys_from_file add_key_to_authorized_keys_file put_authorized_keys_to_file get_ssh_pub_key_info is_valid_public_key get_from_for_user_key generate_ssh_key get_bastion_ips get_supported_ssh_algorithms_list is_allowed_algo_and_size is_valid_fingerprint print_public_key account_ssh_config_get account_ssh_config_set ssh_ingress_keys_piv_apply is_effective_piv_account_policy_enabled print_accepted_key_algorithms }
    ],
 );

--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@ -1048,4 +1048,32 @@ sub is_effective_piv_account_policy_enabled {
      : R('KO_DISABLED', msg => "inherits the globally disabled policy");
 }

+# Deduces from the bastion config what algorithms are accepted.
+sub print_accepted_key_algorithms {
+    my %params  = @_;
+    my $way = $params{'way'};
+    my $fnret;
+
+    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => $way);
+    $fnret or osh_exit $fnret;
+    my @algoList = @{$fnret->value};
+    my $algos    = join(' ', @algoList);
+
+    if (grep { 'ed25519-sk' eq $_ } @algoList) {
+        osh_info "FIDO2 Ed25519: strongness[######] speed[#####], use `ssh-keygen -t ed25519-sk' to generate one";
+    }
+    if (grep { 'ed25519' eq $_ } @algoList) {
+        osh_info "ED25519      : strongness[#####.] speed[#####], use `ssh-keygen -t ed25519' to generate one";
+    }
+    if (grep { 'ecdsa-sk' eq $_ } @algoList) {
+        osh_info "FIDO2 ECDSA  : strongness[#####.] speed[#####], use `ssh-keygen -t ecdsa-sk -b 521' to generate one";
+    }
+    if (grep { 'ecdsa' eq $_ } @algoList) {
+        osh_info "ECDSA        : strongness[####..] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
+    }
+    if (grep { 'rsa' eq $_ } @algoList) {
+        osh_info "RSA          : strongness[###...] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
+    }
+}
+
 1;