Possible bug in EC2 plugin: check of SSH key may be too strict (confirmation needed before filing bug report)


Amedee Van Gasse

Apr 13, 2021, 5:19:16 AM
to Jenkins Users
I have a question about https://github.com/jenkinsci/ec2-plugin. It may be a bug, but I'd like to have confirmation before I try to find out how to file a bug report.

In https://github.com/jenkinsci/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/EC2Cloud.java there is the following validation in doCheckSshKeysCredentialsId:

boolean hasStart = false, hasEnd = false;
BufferedReader br = new BufferedReader(new StringReader(privateKey));
String line;
while ((line = br.readLine()) != null) {
    if (line.equals("-----BEGIN RSA PRIVATE KEY-----"))
        hasStart = true;
    if (line.equals("-----END RSA PRIVATE KEY-----"))
        hasEnd = true;
}
if (!hasStart)
    return FormValidation.error("This doesn't look like a private key at all");
if (!hasEnd)
    return FormValidation
            .error("The private key is missing the trailing 'END RSA PRIVATE KEY' marker. Copy&paste error?");

I have generated an ed25519 key, with

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

SSH version:
OpenSSH_8.4p1 Ubuntu-5ubuntu1, OpenSSL 1.1.1j  16 Feb 2021

This key looks like

-----BEGIN OPENSSH PRIVATE KEY-----
(...)
-----END OPENSSH PRIVATE KEY-----

I can successfully use this key to connect to manually started instances (with Manage Nodes -> Add New Node).

I cannot use this key to connect to an instance started by the EC2 plugin. The EC2 plugin tells me "This doesn't look like a private key at all".

It appears as if the validation is too strict.

Workaround:
In the private key file, I replaced
-----BEGIN OPENSSH PRIVATE KEY-----
(...)
-----END OPENSSH PRIVATE KEY-----

with
-----BEGIN RSA PRIVATE KEY-----
(...)
-----END RSA PRIVATE KEY-----


Can someone confirm if this is an actual bug, or is the problem at my end?
If it is a bug, then how do I proceed to file a bug report? The repo at https://github.com/jenkinsci/ec2-plugin only has pull requests, no issue tracker.

Amedee Van Gasse

Apr 13, 2021, 5:49:11 AM
to Jenkins Users
So I went ahead and submitted a pull request anyway:

I'm sure it's not all up to standards, but as it is my first contribution, I assume that the Jenkins community will be very happy to explain to me where it can be improved. :-)

Amedee Van Gasse

Apr 13, 2021, 6:25:58 AM
to Jenkins Users
Oh wow, my PR is merged already, I did not expect that!

Thomas Matthijs

Apr 13, 2021, 7:05:32 PM
to jenkins...@googlegroups.com
Currently AWS doesn't support ed25519 (at least the last time I checked, in 2020).
People have been asking for a few years, but maybe the plugin should accept
them already; hopefully it's only a matter of time till AWS does.

Amedee Van Gasse

Apr 16, 2021, 4:02:10 AM
to Jenkins Users
It's not just ed25519 (and you were right about AWS not supporting it).

I created an RSA key with length 8192, and the private key was also

-----BEGIN OPENSSH PRIVATE KEY-----

This was accepted by Jenkins as a valid key, and also by AWS itself, but it wasn't accepted by the EC2 plugin.
So I had to replace OPENSSH with RSA again.
So my pull request is still valid. :)

Could it be that more recent versions of ssh-keygen have replaced RSA with OPENSSH?
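An added example, written for this thread and not code from the ec2-plugin, that illustrates both the first post (the literal "-----BEGIN RSA PRIVATE KEY-----" check) and the last one (an RSA key that still arrives in OPENSSH armor). Since OpenSSH 7.8, ssh-keygen writes its own openssh-key-v1 container by default regardless of key type, so the PEM label no longer tells you the algorithm. The code reproduces the quoted RSA-only check in Python for comparison, then shows a validator that accepts the usual private-key labels and, for the OpenSSH container, reads only the public-key header to report the key type and whether the key is encrypted (which is what a form validator would need to warn about an ed25519 key that AWS would not accept). The label set and the sample container builder are assumptions constructed for the example; the sample keys are dummies for exercising the parser, not usable keys.

```python
import base64
import re
import struct

# PEM labels that can legitimately wrap a private key (constructed list).
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY",        # PKCS#1, what ssh-keygen -m PEM writes
    "EC PRIVATE KEY",         # SEC1
    "DSA PRIVATE KEY",
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted
    "OPENSSH PRIVATE KEY",    # openssh-key-v1 container, ssh-keygen default since 7.8
}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def legacy_rsa_only_check(text):
    """Python rendering of the check quoted from EC2Cloud.java in the thread:
    both marker lines must literally carry the RSA label."""
    has_start = has_end = False
    for line in text.splitlines():
        if line == "-----BEGIN RSA PRIVATE KEY-----":
            has_start = True
        if line == "-----END RSA PRIVATE KEY-----":
            has_end = True
    return has_start and has_end


def pem_label(text):
    """Return the PEM label of the first BEGIN/END pair, keeping the plugin's
    two error cases (no BEGIN, no matching END) without hard-coding RSA."""
    begin = end = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m and begin is None:
            begin = m.group(1)
            continue
        m = _END.match(line)
        if m and begin is not None and m.group(1) == begin:
            end = m.group(1)
            break
    if begin is None or begin not in PRIVATE_KEY_LABELS:
        raise ValueError("This doesn't look like a private key at all")
    if end is None:
        raise ValueError("The private key is missing the trailing 'END %s' marker" % begin)
    return begin


def _pem_body(text, label):
    """Base64 body between the BEGIN/END lines, decoded to bytes."""
    lines = [l.strip() for l in text.splitlines()]
    start = lines.index("-----BEGIN %s-----" % label) + 1
    stop = lines.index("-----END %s-----" % label)
    return base64.b64decode("".join(lines[start:stop]))


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def openssh_key_info(text):
    """Parse the openssh-key-v1 header: returns (key_type, cipher_name).
    Only the public-key blob is read; the private section is never decoded."""
    label = pem_label(text)
    if label != "OPENSSH PRIVATE KEY":
        raise ValueError("not an OpenSSH container: %s" % label)
    blob = _pem_body(text, label)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(magic)
    cipher, off = _read_string(blob, off)      # "none" when unencrypted
    _kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key, found %d" % nkeys)
    pubkey, off = _read_string(blob, off)
    key_type, _ = _read_string(pubkey, 0)      # e.g. b"ssh-rsa", b"ssh-ed25519"
    return key_type.decode("ascii"), cipher.decode("ascii")


def describe_private_key(text):
    """What a form validator could report instead of a flat RSA-only verdict."""
    label = pem_label(text)
    if label != "OPENSSH PRIVATE KEY":
        return {"label": label, "key_type": None,
                "encrypted": label == "ENCRYPTED PRIVATE KEY"}
    key_type, cipher = openssh_key_info(text)
    return {"label": label, "key_type": key_type, "encrypted": cipher != "none"}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_openssh_container(key_type, type_specific):
    """Constructed sample: an unencrypted openssh-key-v1 header in PEM armor
    with a dummy private section. For exercising the parser only."""
    pubkey = _ssh_string(key_type) + type_specific
    blob = (b"openssh-key-v1\x00" + _ssh_string(b"none") + _ssh_string(b"none")
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(pubkey)
            + _ssh_string(b"\x00" * 8))
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body
```

Run against a container built with `make_sample_openssh_container(b"ssh-ed25519", 32-byte public key)`, `legacy_rsa_only_check` returns False while `describe_private_key` reports the label, `ssh-ed25519` and `encrypted: False`; an RSA key in the same armor reports `ssh-rsa`, which is the case from the last post. Renaming the markers to RSA, as the workaround in the thread does, only changes the label; the base64 body is still the OpenSSH container, so a consumer that then tries to parse it as PKCS#1 will fail later rather than at validation time.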