diff --git a/salt/_runners/setup_hypervisor.py b/salt/_runners/setup_hypervisor.py index 9d7116d59..929801783 100644 --- a/salt/_runners/setup_hypervisor.py +++ b/salt/_runners/setup_hypervisor.py @@ -38,7 +38,7 @@ Examples: Notes: - Verifies Security Onion license - Downloads and validates Oracle Linux KVM image if needed - - Generates Ed25519 SSH keys if not present + - Generates ECDSA SSH keys if not present - Creates/recreates VM based on environment changes - Forces hypervisor configuration via highstate after successful setup (when minion_id provided) @@ -46,7 +46,7 @@ Examples: The setup process includes: 1. License validation 2. Oracle Linux KVM image download and checksum verification - 3. SSH key generation for secure VM access + 3. ECDSA SSH key generation for secure VM access 4. Cloud-init configuration for VM provisioning 5. VM creation with specified disk size 6. Hypervisor configuration via highstate (when minion_id provided and setup successful) @@ -74,7 +74,7 @@ import sys import time import yaml from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric import ed25519 +from cryptography.hazmat.primitives.asymmetric import ec # Configure logging log = logging.getLogger(__name__) log.setLevel(logging.DEBUG) @@ -232,7 +232,7 @@ def _check_ssh_keys_exist(): bool: True if both private and public keys exist, False otherwise """ key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys' dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path)) @@ -250,7 +250,7 @@ def _setup_ssh_keys(): """ try: key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' # Check if keys already exist @@ -266,9 +266,9 @@ def _setup_ssh_keys(): os.makedirs(key_dir, exist_ok=True) os.chmod(key_dir, 0o700) - # Generate new ed25519 key pair + # Generate new ECDSA key pair using SECP256R1 curve log.info("Generating new SSH keys") - private_key = ed25519.Ed25519PrivateKey.generate() + private_key = ec.generate_private_key(ec.SECP256R1()) public_key = private_key.public_key() # Serialize private key @@ -540,7 +540,7 @@ def setup_environment(vm_name: str = 'sool9', disk_size: str = '220G', minion_id Notes: - Verifies Security Onion license - Downloads and validates Oracle Linux KVM image if needed - - Generates Ed25519 SSH keys if not present + - Generates ECDSA SSH keys if not present - Creates/recreates VM based on environment changes - Forces hypervisor configuration via highstate after successful setup (when minion_id is provided) @@ -765,7 +765,7 @@ def create_vm(vm_name: str, disk_size: str = '220G'): _set_ownership_and_perms(vm_dir, mode=0o750) # Read the SSH public key - pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub' + pub_key_path = '/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub' try: with salt.utils.files.fopen(pub_key_path, 'r') as f: ssh_pub_key = f.read().strip() @@ -844,7 +844,7 @@ output: all: ">> /var/log/cloud-init.log" # configure interaction with ssh server -ssh_genkeytypes: ['ed25519', 'rsa'] +ssh_genkeytypes: ['ecdsa', 'rsa'] # set timezone for VM timezone: UTC @@ -1038,7 +1038,7 @@ def regenerate_ssh_keys(): Notes: - Validates Security Onion license - Removes existing keys if present - - Generates new Ed25519 key pair + - Generates new ECDSA key pair - Sets secure permissions (600 for private, 644 for public) - Distributes public key to required locations @@ -1048,7 +1048,7 @@ def regenerate_ssh_keys(): 2. Checks for existing SSH keys 3. Removes old keys if present 4. Creates required directories with secure permissions - 5. Generates new Ed25519 key pair + 5. Generates new ECDSA key pair 6. Sets appropriate file permissions 7. Distributes public key to required locations @@ -1067,7 +1067,7 @@ def regenerate_ssh_keys(): # Remove existing keys key_dir = '/etc/ssh/auth_keys/soqemussh' - key_path = f'{key_dir}/id_ed25519' + key_path = f'{key_dir}/id_ecdsa' pub_key_path = f'{key_path}.pub' dest_dir = '/opt/so/saltstack/local/salt/libvirt/ssh/keys' dest_path = os.path.join(dest_dir, os.path.basename(pub_key_path)) diff --git a/salt/libvirt/ssh/files/config b/salt/libvirt/ssh/files/config index de6cb7b34..9b8f89442 100644 --- a/salt/libvirt/ssh/files/config +++ b/salt/libvirt/ssh/files/config @@ -1,2 +1,2 @@ Match user soqemussh - IdentityFile /etc/ssh/auth_keys/soqemussh/id_ed25519 + IdentityFile /etc/ssh/auth_keys/soqemussh/id_ecdsa diff --git a/salt/libvirt/ssh/users.sls b/salt/libvirt/ssh/users.sls index 173a3e095..8bbf2ca7e 100644 --- a/salt/libvirt/ssh/users.sls +++ b/salt/libvirt/ssh/users.sls @@ -46,7 +46,7 @@ create_soqemussh_user: soqemussh_pub_key: ssh_auth.present: - user: soqemussh - - source: salt://libvirt/ssh/keys/id_ed25519.pub + - source: salt://libvirt/ssh/keys/id_ecdsa.pub {% endif %} diff --git a/salt/manager/hypervisor.sls b/salt/manager/hypervisor.sls index 315775446..080d0699c 100644 --- a/salt/manager/hypervisor.sls +++ b/salt/manager/hypervisor.sls @@ -16,9 +16,9 @@ # Check if hypervisor environment has been set up {% set ssh_user_exists = salt['user.info']('soqemussh') %} -{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519') and - salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ed25519.pub') and - salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ed25519.pub') %} +{% set ssh_keys_exist = salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa') and + salt['file.file_exists']('/etc/ssh/auth_keys/soqemussh/id_ecdsa.pub') and + salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/ssh/keys/id_ecdsa.pub') %} {% set base_image_exists = salt['file.file_exists']('/nsm/libvirt/boot/OL9U5_x86_64-kvm-b253.qcow2') %} {% set vm_files_exist = salt['file.directory_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9') and salt['file.file_exists']('/opt/so/saltstack/local/salt/libvirt/images/sool9/sool9.qcow2') and diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja index 94cc85117..025e23d89 100644 --- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja +++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja @@ -11,7 +11,7 @@ sool9_{{host}}: base_domain: sool9 ip_source: qemu-agent ssh_username: soqemussh - private_key: /etc/ssh/auth_keys/soqemussh/id_ed25519 + private_key: /etc/ssh/auth_keys/soqemussh/id_ecdsa sudo: True deploy_command: sh /tmp/.saltcloud-*/deploy.sh script_args: -r -F -x python3 stable 3006.9 diff --git a/setup/so-setup b/setup/so-setup index f955917bc..347a7165c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -755,7 +755,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-key -ya $MINION_ID" logCmd "salt-call saltutil.sync_all" # we need to sync the runner and generate the soqemussh user keys so that first highstate after license created - # doesnt have a state failure for soqemussh_pub_key source for id_ed25519.pub missing + # doesnt have a state failure for soqemussh_pub_key source for id_ecdsa.pub missing if [[ $is_manager || $is_managerhype ]]; then logCmd "salt-run saltutil.sync_all" logCmd "salt-run setup_hypervisor.regenerate_ssh_keys"