#7377 SSH keys length can prevent user from login in Fedora infrastructure
Opened 8 months ago by germano. Modified 3 months ago

  • Describe what you need us to do:
    Since yesterday I was unable to login into src.fedoraproject.org and pagure.io: everytime I clicked on Login button I was prompted to the same webpage, like if I pressed refresh button.
    Today Patrick Uiterwijk told me that my SSH keys are too long (3 keys each related to 8196 bit private key), which means the cookie it gets all stored in is too big, and browsers ignore it.

In my humble opinion it is a design flaw, because the user is not told to not insert "too" long SSH keys

  • When do you need this? (YYYY/MM/DD)
    Well I would have needed it now.

  • When is this no longer needed or useful? (YYYY/MM/DD)
    I don't know

  • If we cannot complete your request, what is the impact?
    I cannot use all my SSH keys


Metadata Update from @pingou:
- Issue tagged with: src.fp.o

7 months ago

Metadata Update from @bowlofeggs:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

7 months ago

@germano ,

Not to discount your concern, but 8196 bit rsa keys are not 'typical' in this day and age, mostly it's 4096 or some variant of the ed25519/ecdsa/{insert ecc curve here}. You indicate having 3 keys, these are all for Fedora ??? Arguably the quickest and easiest fix to this would be to make some rsa4096 key(s) or ecc keys for Fedora uses, and return to https://admin.fedoraproject.org/accounts and browse to these new key(s) and upload and within ~ 30 or the next timed sync whichever comes first you should be able to login as desired.

Note: If you need to access any host that is still running on RHEL/CentOS 6 it will NOT work with a ecc key ( presently and likely not thru the lifecycle of those hosts from my understanding) so I'd advise rsa4096. While 8196 is nice to have most services don't natively support it, or have cookie space for them.

Hope this helps at least in expanding on puiterwijk's (Patrick) comments last week.

@pingou so we could go to OIDC on the web interface of pagure anytime? Or are we waiting for the api to be done first?

Alternately, we could try a small fas patch to reject too long ssh keys, but not sure how hard that would be or if we want to update fas.

Login to comment on this ticket.

Metadata