feat: Allow SSH authentication with RSA keys

[dhoppe]

Summary of Pull Request

Adds HostKeyAlgorithms=+ssh-rsa and PubkeyAcceptedKeyTypes=+ssh-rsa as extra arguments for Ansible.

This will set these parameters automatically instead of assuming that the user has read the current documented requirements.

Type of Pull Request

• This is a bugfix. type/bug
• This is an enhancement or feature. type/feature or type/enhancement
• This is a documentation update. type/docs
• This is a refactoring update. type/refactor
• This is a chore. type/chore
• This is something else.
  Please describe:

Related to Existing Issues

Issue Number: N/A

Test and Documentation Coverage

• Tests have been completed.
• Documentation has been added or updated.

I have tested this for Debian 11 and Ubuntu Server 22.04 LTS. VMware Photon OS 4 did not get pass the boot loader.

Breaking Changes?

• Yes, there are breaking changes.
• No, there are no breaking changes.

[tenthirtyam]

Does this change adequacy address each Linux distribution?

[dhoppe]

Does this change adequacy address each Linux distribution?

I need to do some testing. I think this is related to the OpenSSH version of the client. For example I have installed OpenSSH 9.1 at macOS, because I use a YubiKey for SSH via GPG.

[dhoppe]

Could someone please check if this is still working with OpenSSH 8.x and on Windows?

[tenthirtyam]

Could someone please check if this is still working with OpenSSH 8.x and on Windows?

I’m not too worried about Windows as the Packer host since the project hasn’t tested with it in the past; however, that said I’m certainly willing to include coverage based on Windows 11 22H2.

[dhoppe]

I just did an downgrade of OpenSSH and build an image for Ubuntu Server 22.04 LTS. Everything is working as expected.

dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?] via vmware took 9m 13s
➜ ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1s  1 Nov 2022

dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?]
➜ git status
On branch build_version
Your branch is up to date with 'origin/build_version'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   ansible/ansible.cfg

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	.envrc

no changes added to commit (use "git add" and/or "git commit -a")

dhoppe in packer-examples-for-vsphere at imac on  build_version [$!?]
➜ git diff
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 955ce7a..9802c10 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,3 +1,8 @@
 [defaults]
 display_skipped_hosts = false
 ansible_python_interpreter = /usr/bin/python3
+
+[ssh_connection]
+scp_if_ssh = true
+scp_extra_args = -O
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa

CONFIRM: Build a Ubuntu Server 22.04 LTS (cloud-init) Template for VMware vSphere?

Continue? (y/n)
y
Building a Ubuntu Server 22.04 LTS (cloud-init) Template for VMware vSphere...
Initializing HashiCorp Packer and required plugins...
Starting the build....
vsphere-iso.linux-ubuntu: output will be in this color.

==> vsphere-iso.linux-ubuntu: Publishing build details for vsphere-iso.linux-ubuntu to the HCP Packer registry
==> vsphere-iso.linux-ubuntu: Creating VM...
==> vsphere-iso.linux-ubuntu: Customizing hardware...
==> vsphere-iso.linux-ubuntu: Adding SATA controller...
==> vsphere-iso.linux-ubuntu: Mounting ISO images...
==> vsphere-iso.linux-ubuntu: Adding configuration parameters...
==> vsphere-iso.linux-ubuntu: Starting HTTP server on port 8053
==> vsphere-iso.linux-ubuntu: Set boot order...
==> vsphere-iso.linux-ubuntu: Power on VM...
==> vsphere-iso.linux-ubuntu: Waiting 5s for boot...
==> vsphere-iso.linux-ubuntu: HTTP server is working at http://10.0.30.10:8053/
==> vsphere-iso.linux-ubuntu: Typing boot command...
==> vsphere-iso.linux-ubuntu: Waiting for IP...
==> vsphere-iso.linux-ubuntu: IP address: 10.0.30.155
==> vsphere-iso.linux-ubuntu: Using SSH communicator to connect: 10.0.30.155
==> vsphere-iso.linux-ubuntu: Waiting for SSH to become available...
==> vsphere-iso.linux-ubuntu: Connected to SSH!
==> vsphere-iso.linux-ubuntu: Provisioning with Ansible...
    vsphere-iso.linux-ubuntu: Setting up proxy adapter for Ansible....
==> vsphere-iso.linux-ubuntu: Executing Ansible: <sensitive>-playbook -e packer_build_name="linux-ubuntu" -e packer_builder_type=vsphere-iso -e packer_http_addr=10.0.30.10:8053 --ssh-extra-args '-o IdentitiesOnly=yes' --extra-vars display_skipped_hosts=false --extra-vars BUILD_USERNAME=<sensitive> --extra-vars BUILD_SECRET=***** --extra-vars ANSIBLE_USERNAME=<sensitive> --extra-vars ANSIBLE_SECRET=***** -e <sensitive>_ssh_private_key_file=/var/folders/tn/mrc12tzn5td09f0kccnjc4gm0000gn/T/<sensitive>-key2814763683 -i /var/folders/tn/mrc12tzn5td09f0kccnjc4gm0000gn/T/packer-provisioner-<sensitive>458611944 /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/main.yml
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: PLAY [all] *********************************************************************
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [Gathering Facts] *********************************************************
    vsphere-iso.linux-ubuntu: ok: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Prepare the Ubuntu guest operating system.] ***********************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/base/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Updating the guest operating system.] *****************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [base : Installing additional packages.] **********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Configure users on Ubuntu guest operating system.] ***************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/users/tasks/linux.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding authorized_keys for the default local user.] **************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding the default local user to passwordless sudoers.] **********
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Creating a local user for Ansible.] ******************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding authorized_keys to the local user for Ansible.] ***********
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [users : Adding the local user for Ansible to passwordless sudoers.] ******
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Configure the Ubuntu guest operating system.] ****************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/configure/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Configure SSH for Public Key Authentication.] ****************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Setting hostname to localhost.] ******************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Restarting the SSH daemon.] **********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Disabling and clean tmp.] ************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Preparing cloud-init.] ***************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Modifying GRUB.] *********************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [configure : Setting SSH keys to regenerate on reboot, if neccessary.] ****
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Clean the Ubuntu guest operating system.] ************************
    vsphere-iso.linux-ubuntu: included: /Users/<sensitive>/Dropbox/Code/packer/packer-examples-for-vsphere/<sensitive>/roles/clean/tasks/ubuntu.yml for default
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning all audit logs.] ****************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning persistent udev rules.] *********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the /tmp directories] ***********************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the SSH host keys.] *************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the machine-id.] ****************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: TASK [clean : Cleaning the shell history.] *************************************
    vsphere-iso.linux-ubuntu: changed: [default]
    vsphere-iso.linux-ubuntu:
    vsphere-iso.linux-ubuntu: PLAY RECAP *********************************************************************
    vsphere-iso.linux-ubuntu: default                    : ok=25   changed=20   unreachable=0    failed=0    skipped=16   rescued=0    ignored=0
    vsphere-iso.linux-ubuntu:
==> vsphere-iso.linux-ubuntu: Executing shutdown command...
==> vsphere-iso.linux-ubuntu: Deleting Floppy drives...
==> vsphere-iso.linux-ubuntu: Eject CD-ROM drives...
==> vsphere-iso.linux-ubuntu: Deleting CD-ROM drives...
==> vsphere-iso.linux-ubuntu: Clear boot order...
==> vsphere-iso.linux-ubuntu: Importing VM OVF template linux-ubuntu-22.04-lts-build_version to Content Library 'lib-01' as the item 'linux-ubuntu-22.04-lts-build_version' with the description 'Version: build_version
==> vsphere-iso.linux-ubuntu: Built on: 2022-11-30 08:28 UTC
==> vsphere-iso.linux-ubuntu: Built by: HashiCorp Packer 1.8.4'...
==> vsphere-iso.linux-ubuntu: Destroying VM...
==> vsphere-iso.linux-ubuntu: Running post-processor:  (type manifest)
==> vsphere-iso.linux-ubuntu: Running post-processor:
Build 'vsphere-iso.linux-ubuntu' finished after 8 minutes 30 seconds.

==> Wait completed after 8 minutes 30 seconds

==> Builds finished. The artifacts of successful builds are:
--> vsphere-iso.linux-ubuntu: linux-ubuntu-22.04-lts-build_version
--> vsphere-iso.linux-ubuntu: linux-ubuntu-22.04-lts-build_version
--> vsphere-iso.linux-ubuntu: Published metadata to HCP Packer registry packer/linux-ubuntu-2204-lts/iterations/01GK3TC8KY855EWFA025NEE7TZ
Done.

[tenthirtyam]

• Pass on Ubuntu 22.04 LTS: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
• Fail on macOS Monterey (12.6.1): OpenSSH_8.6p1, LibreSSL 3.3.6

vsphere-iso.linux-photon: TASK [Gathering Facts] *********************************************************
vsphere-iso.linux-photon: fatal: [default]: FAILED! => {"msg": "failed to transfer file to /Users/johnsonryan/.<sensitive>/tmp/<sensitive>-local-689535utghcqo/tmpf7p_lub9 /home/<sensitive>/.<sensitive>/tmp/<sensitive>-tmp-1669845602.772087-68956-148654805544790/AnsiballZ_setup.py:\n\nscp: illegal option -- O\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}

Need to test on Photon OS 4.0.

Dropped testing under the following in #393:

• Ubuntu 20.04 LTS
• macOS Big Sur (11.x)

Plan to test under - pending:

• macOS Ventura (13.x)

[dhoppe]

Plan to test under:

• macOS Ventura (13.x)

Interesting. I was using macOS Ventura, but did. an downgrade of OpenSSH to version 8.9.

I think this is related to the version of OpenSSH and not the operating system.
ansible/ansible#78600

[tenthirtyam]

Tested and verified with the latest pushed commits - LGTM! 🚀

Appreciate adding the Note to the README for OpenSSH >= 9.0.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.