feat: Allow master configuration for ssh key crypto system

[gt2345]

Ticket

MD-475

Description

Add master config option to specify which algorithm to use to generate ssh key.

        security:
          ssh:
            key_type: "RSA" | "ECDSA" | "ED25519"

Default is "RSA" for backward compatibility.

This PR also removes the -p --passphrase option for det shell start, since it does not make sense and it's been broken since at least 01/2023. More discussion here.

Test Plan

Start master with one of the crypto system
Run det shell start
There should be a message similar to

shell (id: ab3068f6-f252-43f8-9b90-c3adf0985bda) is ready.                      
Warning: Permanently added 'ab3068f6-f252-43f8-9b90-c3adf0985bda' (ECDSA) to the list of known hosts.

if "ECDSA" is the crypto system.

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[codecov]

Codecov Report

Attention: Patch coverage is 67.27273% with 18 lines in your changes missing coverage. Please review.

Project coverage is 54.45%. Comparing base (7d6a1a7) to head (1690bb7).
Report is 39 commits behind head on main.

Files with missing lines	Patch %	Lines
master/pkg/ssh/ssh.go	75.00%	11 Missing ⚠️
master/internal/config/config.go	37.50%	5 Missing ⚠️
master/internal/api_shell.go	0.00%	1 Missing ⚠️
master/internal/core.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10072      +/-   ##
==========================================
+ Coverage   54.42%   54.45%   +0.02%     
==========================================
  Files        1262     1262              
  Lines      158886   158910      +24     
  Branches     3630     3630              
==========================================
+ Hits        86472    86527      +55     
+ Misses      72280    72249      -31     
  Partials      134      134              

Flag	Coverage Δ
backend	45.58% <67.27%> (+0.07%)	⬆️
harness	72.75% <ø> (+<0.01%)	⬆️
web	53.95% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
harness/determined/cli/shell.py	23.36% <ø> (-0.06%)	⬇️
master/internal/experiment.go	33.70% <100.00%> (ø)
master/pkg/tasks/task.go	62.30% <ø> (ø)
master/internal/api_shell.go	33.79% <0.00%> (+1.76%)	⬆️
master/internal/core.go	6.23% <0.00%> (ø)
master/internal/config/config.go	58.06% <37.50%> (-0.57%)	⬇️
master/pkg/ssh/ssh.go	79.62% <75.00%> (+12.96%)	⬆️

... and 4 files with indirect coverage changes

[netlify]

✅ Deploy Preview for determined-ui canceled.

Name	Link
🔨 Latest commit	1690bb7
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/67198fcfb7137d0008cd8827

[ioga]

there's a typo in PR / commit template: EC25519 instead of ED25519. everything looks ok in the code though.

[ioga]

Just as a note: I don't think there were any requests to make the curve size configurable, and P256 is the NIST recommendation, so this is fine. But one day we may have to update it or make configurable.

[ioga]

Looking through the release notes, we usually use period instead of ->, i.e. security.crypto_system.

Suggested change

	- Master Configuration: Add support for crypto system configuration for ssh connection. ``security
	-> crypto_system`` now accepts ``RSA``, ``ECDSA`` or ``ED25519``.
	- Master Configuration: Add support for crypto system configuration for ssh connection. ``security.crypto_system`` now accepts ``RSA``, ``ECDSA`` or ``ED25519``.

[ioga]

I was under impression we wanted to switch to ECDSA by default, because it's faster and compliant with FIPS140-2 requirements. I'd strongly suggest we do the switch, while leaving an option for the users to revert back to RSA if they really want.

[gt2345]

I wonder if @mackrorysd or @rb-determined-ai want to say anything about this?

[rb-determined-ai]

It is faster than reasonably-sized RSA keys. I never liked the 1024 key size choice when we made it years ago, because key-per-task took too long if you used 2048 keys. The argument I made was "let's not do one key per task then" And the argument made back to me was "1024 is fine if the tasks are not long lived" and I lost.

Certainly I don't think 1024 rsa keys is a good default by any measure.

I personally would default to ed25519 keys, but I think Ilia is right about what most customers would prefer.

[rb-determined-ai]

Wait, actually, I do vote ed25519 because that's what ssh-keygen defaults to.

[gt2345]

I don't know too much about ssh keys, but it looks like newer algorithms are better in terms of the balance of security and speed, so I put ed25519 down as default for now.

[ioga]

ed25519 is not in FIPS140, so the category of users who cares about that will have to be aware of it and change the config. ECDSA is still plenty fast and fit most requirements, which feels like the best fit for the default option.

[mackrorysd]

Don't have a strong opinion here myself, but to repeat some information added by @dannysauer:

FWIW: FIPS 186-5, Digital Signature Standard includes ED25519 as of its official publication date Feb last year.
https://csrc.nist.gov/pubs/fips/186-5/final
This is helpful, because ECDSA depends on having a good random number generator, which is not always the case.

[mackrorysd]

I would side with ED25519 here the more I've read about it. It seems to be the technically superior solution, it is getting accepted in other federal standard, etc.

[rb-determined-ai]

crypto_system seems like an unexpected phrase for what it means. How about key_type?

For example, man ssh-keygen says:

The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an Ed25519 key.

[rb-determined-ai]

Replace 'CryptoSystem' with 'KeyType' or something.

[rb-determined-ai]

Worth mentioning the transition to ED25519 keys by default, and I'd also mention that ED25519 keys are faster and more secure than the old default, as well as being the default key type for ssh-keygen.

Mentioning that we're using more secure keys makes us look good, and mentioning that we're adopting the same default as ssh-keygen helps to reduce support burden by making the change sound like obvious rather than arbitrary.

[rb-determined-ai]

nit: for the unit test, can you use a keysize of 512?

It's absurdly small for security purposes, but it should exercise the codepaths just fine.

[molinamelendezj]

stamped from infra

[stoksc]

lgtm, only have non-blocking feedback (i.e., i'd appreciate it being addressed but don't explicitly expect to re-review)

[stoksc]

as a follow up: can/should we default to ed25519?

[stoksc]

can we flip this and put this rsa specific stuff in an if t.KeyType == RSAKeyType block? written like this, it's easy for someone to add a check and the bottom of this func and not realize it's just for RSA.

[maxrussell]

+1.

[stoksc]

nit

Suggested change

	generatedKeys = PrivateAndPublicKeys{
	PrivateKey: pem.EncodeToMemory(block),
	PublicKey: sshlib.MarshalAuthorizedKey(publicKey),
	}
	return generatedKeys, nil
	return PrivateAndPublicKeys{
	PrivateKey: pem.EncodeToMemory(block),
	PublicKey: sshlib.MarshalAuthorizedKey(publicKey),
	}, nil

[stoksc]

same nit here

[maxrussell]

The nit being that this could skip being declared at all? If so, I agree. I'd rather see

return PrivateAndPublicKeys{}, errors.Wrap(err, "unable to generate ED25519 private key")

and then no generatedKeys ever declared.

[stoksc]

agree

[stoksc]

this test is so short it doesn't matter, but usually i'd recommend splitting a test like/using subtests with t.Run()/ using table driven tests this up since it really is three separate tests. it's easier for whoever has to fix one of them if it fails to read just the one test that failed... but i also doubt this test will ever fail. this comment is just FYI.

[maxrussell]

Big +1 to table-driven tests and subtests.

[stoksc]

i traded with max so he has time to review a pr of mine.

[maxrussell]

Idiomatically, these names should be KeyTypeRSA, KeyTypeECDSA, and KeyTypeED25519. A good example of this in the stdlib is net/http, where all the methods and statuses are named this way.

[maxrussell]

+1.

[maxrussell]

The nit being that this could skip being declared at all? If so, I agree. I'd rather see

return PrivateAndPublicKeys{}, errors.Wrap(err, "unable to generate ED25519 private key")

and then no generatedKeys ever declared.

[maxrussell]

Big +1 to table-driven tests and subtests.

[maxrussell]

LGTM!