Argo CD doesn't support a private key with passphrase #1894

Open
takuan-osho opened this issue Jul 9, 2019 · 19 comments
Labels
component:git Interaction with GitHub, Gitlab etc enhancement New feature or request more-information-needed Further information is requested

Comments

@takuan-osho

Describe the bug

I tried to add my private git repository to Argo CD with an SSH private key credential.

However, the Argo CD CLI produced an error like this.

$ argocd repo add [email protected]:<my private repository> --ssh-private-key-path ~/.ssh/id_rsa
FATA[0000] ssh: cannot decode encrypted private keys

It seems that this "ssh: cannot decode encrypted private keys" error came from the golang.org/x/crypto/ssh package.

The golang/x/crypto/ssh package has a function for dealing with a private key with a passphrase like this, but it seems that Argo CD's code doesn't use it.

To Reproduce

  1. Prepare an SSH private key with a passphrase.
  2. Try to add a git repository with the private key like this:
     argocd repo add [email protected]:<my private repository> --ssh-private-key-path <path/to/the private key>
  3. Then you will see an error like this:
     FATA[0000] ssh: cannot decode encrypted private keys

Expected behavior
The Argo CD CLI adds the git repository with no errors.

Version

argocd: v1.0.2+e0bd546.dirty
  BuildDate: 2019-06-14T17:15:36Z
  GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.0.2+e0bd546.dirty
  BuildDate: 2019-06-14T17:15:03Z
  GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: 0.13.1

Have you thought about contributing a fix yourself?

I tried to fix this issue, but the code base of Argo CD is complicated for me.

@takuan-osho takuan-osho added the bug Something isn't working label Jul 9, 2019
@alexmt alexmt self-assigned this Jul 9, 2019
@alexmt
Collaborator

alexmt commented Jul 9, 2019

Working on it

@takuan-osho
Author

@alexmt FYI: According to golang/go#18692, golang/x/crypto/ssh itself doesn't support encrypted private keys with a passphrase.

It seems difficult to fix this issue using only the golang/x/crypto/ssh package.

As a workaround, someone suggested a third-party package for supporting openssh-key-v1 format keys.

@takuan-osho
Author

As far as I investigated, an SSH private key generated by newer OpenSSH without the -m pem option has a newer format which is not supported by golang/x/crypto/ssh.

$ ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3

$ ssh-keygen -t rsa -b 4096 -C "[email protected]" -f keytest.pem -m pem
# This keytest.pem with passphrase can be parsed by ssh.ParsePrivateKeyWithPassphrase function

$ ssh-keygen -t rsa -b 4096 -C "[email protected]" -f keytest2.pem
# This keytest2.pem with passphrase cannot be parsed by ssh.ParsePrivateKeyWithPassphrase function
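
A pre-flight check for the two key formats compared above, as an added example that is not part of the original thread or of Argo CD's code: it reads only the PEM type and header fields to tell a legacy PEM key (ssh-keygen -m pem) from an openssh-key-v1 key and to report whether either is passphrase-protected. ClassifyKey and sampleKey are hypothetical names, and the sample inputs are constructed headers with no key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
)

const opensshMagic = "openssh-key-v1\x00" // fixed prefix of the newer container

// ClassifyKey reports a PEM private key's container format and whether it is
// passphrase-protected, by reading headers only (nothing is decrypted).
func ClassifyKey(pemBytes []byte) (format string, encrypted bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", false, fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "OPENSSH PRIVATE KEY": // ssh-keygen default in newer OpenSSH
		rest := bytes.TrimPrefix(block.Bytes, []byte(opensshMagic))
		// After the magic: uint32 length, then the cipher name ("none" = unencrypted).
		if len(rest) == len(block.Bytes) || len(rest) < 4 || uint64(binary.BigEndian.Uint32(rest)) > uint64(len(rest)-4) {
			return "", false, fmt.Errorf("bad openssh-key-v1 header")
		}
		n := binary.BigEndian.Uint32(rest)
		return "openssh-key-v1", string(rest[4:4+n]) != "none", nil
	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY": // ssh-keygen -m pem
		_, hasDEK := block.Headers["DEK-Info"] // RFC 1421 encryption header
		return "legacy-pem", hasDEK, nil
	}
	return "", false, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// sampleKey builds a CONSTRUCTED header-only sample (no real key material).
func sampleKey(pemType, cipher string) []byte {
	blk := &pem.Block{Type: pemType, Bytes: []byte("constructed")}
	if pemType == "OPENSSH PRIVATE KEY" {
		blk.Bytes = append(append([]byte(opensshMagic), 0, 0, 0, byte(len(cipher))), cipher...)
	} else if cipher != "none" {
		blk.Headers = map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": cipher + ",00"}
	}
	return pem.EncodeToMemory(blk)
}

func main() {
	fmt.Println(ClassifyKey(sampleKey("OPENSSH PRIVATE KEY", "aes256-ctr")))
	fmt.Println(ClassifyKey(sampleKey("RSA PRIVATE KEY", "AES-128-CBC")))
}
```

A caller can use the result to decide whether a passphrase must be supplied before handing the key to an SSH library, instead of surfacing the parser's error to the user.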

@alexmt
Collaborator

alexmt commented Jul 12, 2019

Thank you for the information, @takuan-osho! I was waiting for PR1807 to get merged before starting work on this ticket. Will try to use your advice tomorrow and will update the ticket with my findings.

@stale

stale bot commented Sep 10, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Sep 10, 2019
@alexmt alexmt removed the wontfix This will not be worked on label Sep 10, 2019
@alexec alexec added the enhancement New feature or request label Oct 4, 2019
@jannfis jannfis added the component:git Interaction with GitHub, Gitlab etc label May 14, 2020
@FredM

FredM commented May 22, 2020

I stumbled on that issue today. Any news on it?

@alexmt alexmt removed their assignment Jul 30, 2020
@po3rin

po3rin commented Jul 31, 2020

@FredM

This problem depends on the x/crypto/ssh package. The latest x/crypto/ssh already supports private keys with a passphrase in OpenSSH format.

The master branch already depends on the corrected x/crypto/ssh version, so it should work correctly in master.

// go.mod in master branch

// ...
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
// ...

But the latest version, ArgoCD v1.6.1, does not follow the fixed version.

// go.mod in release 1.6.1

// ...
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
// ...

Maybe it will work correctly in the next release.

@SayakMukhopadhyay
Contributor

The argocd codebase still uses the ParsePrivateKey method (https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L193) so I believe this feature won't work yet. It needs to use the ParsePrivateKeyWithPassphrase method of the crypto library.

@shambhand

I also stumbled on this issue today. Any news on it?

@kerthcet

Any solution? Ping the issue.

@chetniks

chetniks commented Jan 5, 2022

I am still having this issue. Any news?

@camba1

camba1 commented Jan 11, 2022

Any news on this front? Thanks!

@kerthcet

The argocd codebase still uses the ParsePrivateKey method (https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L193) so I believe this feature won't work yet. It needs to use the ParsePrivateKeyWithPassphrase method of the crypto library.

refer to the solution this week if I have time.

@hilmialf

I am wondering if there is any update on this?

@shurkanTwo

I would also like to know if there has been any progress?

@Talador12

This is still a good addition that should be made to ArgoCD

@andrii-korotkov-verkada
Contributor

According to golang/go#18692, there might have been some progress in adding the support. We might want to revisit this.

@andrii-korotkov-verkada
Contributor

I still see ParsePrivateKey being used:

signer, err := ssh.ParsePrivateKey([]byte(creds.sshPrivateKey))

I can try to fix this, but ParsePrivateKeyWithPassphrase requires an additional parameter passphrase. Where can I get a proper value?

@andrii-korotkov-verkada andrii-korotkov-verkada added more-information-needed Further information is requested and removed bug Something isn't working labels Nov 25, 2024
@SayakMukhopadhyay
Contributor

From a user perspective, I would expect it to place the passphrase in the same secret that contains the repo url, that is a secret labelled argocd.argoproj.io/secret-type: repo-creds. This is for a declarative setup, but it will also need a CLI change. I found loads of places where the structures need to be changed to accommodate this, but overall it should not be a complicated one. I too can try to contribute.
