[BOLT-380] Support ed25519 out-of-the-box
Created: 2018/03/13  Updated: 2019/10/24  Resolved: 2018/10/16

Status: Resolved
Project: Puppet Task Runner
Component/s: None
Affects Version/s: None
Fix Version/s: BOLT 1.1.0

Type: Improvement
Priority: Normal
Reporter: Michael Smith
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: feature, resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to PA-2274 Unable to add gem with C extensions t... Accepted
relates to BOLT-1296 Support ed25519 on windows Closed
relates to BOLT-939 Bolt from Homebrew throws errors on c... Resolved
Sprint: Bolt Kanban
Release Notes: New Feature
Release Notes Summary: The ed25519 key type is now supported out-of-the-box in Bolt packages.
QA Risk Assessment: Needs Assessment


net-ssh requires several extra libraries for ed25519 support. Without them, users see:

2018-02-26T13:59:32.131096 WARN   Net::SSH: ignoring unimplemented key:unsupported key type `ssh-ed25519'
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::MissingSpecError : "Could not find 'rbnacl' (< 5.0, >= 3.2.0) among 86 total gem(s)

Add support for ed25519 in packages.

Update: now that net-ssh 5.0 is out, this should be simpler to add.

Comment by Michael Smith [ 2018/03/13 ]

net-ssh-krb is a similar issue for password-less support via Kerberos. That may be slightly more complex if we need to have system libraries installed as well.

Comment by Alex Dreyer [ 2018/03/20 ]

I think it makes sense to keep the gem lightweight. We should look into how expensive including this in the package would be.

Comment by Michael Smith [ 2018/03/27 ]

Gene Liverman, was there anything specifically challenging around following those instructions? We're wary of making them a required dependency of Bolt, but not sure other options would simplify it (such as a bolt-ed25519 gem that adds the dependencies).

Comment by Gene Liverman [ 2018/04/13 ]

Nothing really. I kinda like the idea of a gem that works out the other things to pull in though for people who do need the support.

Comment by Michael Smith [ 2018/04/13 ]

We have fully standalone packages now; we'll add the gems in packaging.

Comment by Nick Lewis [ 2018/05/17 ]

The maintainer of rbnacl-libsodium is planning to deprecate it in favor of OS packages. That would leave us in a state of having to either depend on or bundle libsodium ourselves. Aside from that, the rbnacl-libsodium gem doesn't appear to be supported on Windows.

So my question is: have we received enough signal on this issue that it's worth the effort of maintaining a build of libsodium ourselves?

Comment by Nick Lewis [ 2018/05/17 ]

It also looks like net-ssh 5.0 will change to using ed25519 and bcrypt_pbkdf for ed25519. Once that's released, we may be able to bump our dependency and bundle those gems.

Comment by Michael Smith [ 2018/05/17 ]

That sounds like a workable path. Any timeline for net-ssh 5.0?

Comment by Nick Lewis [ 2018/05/17 ]

I'm not sure. 5.0.0beta2 was released two months ago, but there haven't really been any commits since then.

I tried to build the ed25519 gem and failed on Windows, but I'm sure we can figure that out.

Comment by Michael Smith [ 2018/06/21 ]

net-ssh 5.0.2 is out now.

Comment by Michael Smith [ 2018/10/11 ]

The move to net-ssh 5.0.2 breaks our ability to use Bolt with Beaker. We need to allow net-ssh 4.0 compatibility.

Comment by Michael Smith [ 2018/10/12 ]

For now we're only doing this for non-Windows Bolt. Making it work for Windows is going to take a few fixes to how we build Ruby.

Generated at Mon Dec 16 06:01:56 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.