I have found by navigating to "Users > root > SSH authorized keys" and entering an ed25519 key the UI will present a message saying "Syntax of the key is incorrect". I dug into the frontend and found the javascript function that is being used to check the validity of keys entered into this field and it looks like it only allows rsa and ecdsa keys. ed25519 is somewhat new, but is supported in the version of openssh (8.8) included in unRAID 6.10.3. SSH key pairs using security keys (ex: yubikey) are also supported, but not recognized by the UI.
I have tested that ed25519 and sk key pairs (ex: yubikey) are supported by adding them to my authorized_keys file via sftp and using them to access SSH.
The javascript function in question is:
function checkKey(form) {
  // check syntax of ssh keys
  var rows = form.text.value.split('\n');
  for (var i=0,row; row=rows[i]; i++) {
    var data = row.split(' ');
    // key must have 3 fields, starts with ssh or ecdsa, and is for user
    if (data.length!=3 || data[0].search(/^(ssh|ecdsa)/)==-1 || data[2].search('@')==-1) {
      swal({title:"Invalid Key",text:"["+(i+1)+"] "+data[0].substr(0,10)+": Syntax of the key is incorrect!",type:"error",html:true,confirmButtonText:"Ok"});
      return false;
    }
  }
  return true;
}
I have modified the function with two examples:
- All known key types, including dsa/ecdsa (less secure)
function checkKey(form) {
  // check syntax of ssh keys
  var rows = form.text.value.split('\n');
  for (var i=0,row; row=rows[i]; i++) {
    if (row.search(/^(ssh-dss AAAAB3NzaC1kc3|ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNT|sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb2|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?$/)==-1) {
      swal({title:"Invalid Key",text:"["+(i+1)+"] "+row.split(' ')[0]+": Syntax of the key is incorrect!",type:"error",html:true,confirmButtonText:"Ok"});
      return false;
    }
  }
  return true;
}
- Only allow rsa and ed25519/sk-ed25519 (more secure)
function checkKey(form) {
  // check syntax of ssh keys
  var rows = form.text.value.split('\n');
  for (var i=0,row; row=rows[i]; i++) {
    if (row.search(/^(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?$/)==-1) {
      swal({title:"Invalid Key",text:"["+(i+1)+"] "+row.split(' ')[0]+": Syntax of the key is incorrect!",type:"error",html:true,confirmButtonText:"Ok"});
      return false;
    }
  }
  return true;
}
Both examples use regex that is explained here: https://github.com/nemchik/ssh-key-regex
Currently, by adding ed25519 and sk-ed25519 keys to my authorized_keys file, even though they work for SSH access, I am unable to save any settings changes to the root user via the web UI because the content of the authorized_keys file is displayed in the "SSH authorized keys" field and the JavaScript function in place does not accept my key types.
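An added example, not part of the original post and not unRAID's code: the base64 prefixes in the regexes above are the encoded, length-prefixed key type name, so a check can decode the key data and compare the embedded type with the declared one instead of listing prefixes. It goes a little beyond the post by also accepting blank lines, `#` comments, leading options and keys without a comment; `ALLOWED_TYPES`, `embeddedType`, `checkLine` and `sampleBlob` are hypothetical names, and the sample keys are constructed.

```javascript
// Key types from the post's first regex; pass a smaller Set to be stricter.
const ALLOWED_TYPES = new Set([
  'ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ssh-ed25519',
  'sk-ecdsa-sha2-nistp256@openssh.com', 'sk-ssh-ed25519@openssh.com',
]);

// The key blob starts with an SSH wire-format string: a 4-byte big-endian
// length, then that many bytes holding the key type name.
function embeddedType(b64) {
  let bin;
  try { bin = atob(b64); } catch (e) { return null; } // not valid base64
  if (bin.length < 4) return null;
  const len = ((bin.charCodeAt(0) << 24) | (bin.charCodeAt(1) << 16) |
               (bin.charCodeAt(2) << 8) | bin.charCodeAt(3)) >>> 0;
  if (len === 0 || 4 + len > bin.length) return null;
  return bin.slice(4, 4 + len);
}

// Returns null if the line is acceptable, otherwise a reason string.
function checkLine(line, allowed = ALLOWED_TYPES) {
  const trimmed = line.trim();
  if (trimmed === '' || trimmed.startsWith('#')) return null; // blank or comment
  const fields = trimmed.split(/\s+/);
  // Options such as no-pty may precede the key type, so locate the type field.
  // Simplification: options containing quoted spaces are not parsed.
  const idx = fields.findIndex(f => allowed.has(f));
  if (idx === -1) return 'no allowed key type';
  if (idx + 1 >= fields.length) return 'missing key data';
  if (embeddedType(fields[idx + 1]) !== fields[idx]) {
    return 'key data does not match declared type';
  }
  return null; // a trailing comment is optional and need not contain "@"
}

// Constructed sample data, not a real key: type string plus 32 zero bytes.
function sampleBlob(type) {
  return btoa(String.fromCharCode(0, 0, 0, type.length) + type + '\0'.repeat(32));
}

console.log(checkLine('ssh-ed25519 ' + sampleBlob('ssh-ed25519')));
console.log(checkLine('ssh-rsa ' + sampleBlob('ssh-ed25519') + ' user@host'));
```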