
I am generating SSH keys using an Ansible script that works fine with Java 17; however, it's not working when using Java 8. The issue seems to be related to the encryption algorithm used in the private key.

When I generate keys using PuTTYgen it works for both versions; however, Ansible-generated keys are only working with the newer version but not the older one.

[image: sshkeys]

DES-EDE3 encryption (Triple DES) from puttygen works for both Java 8 and 17, while the AES-256 encryption generated by the Ansible script works only with Java 17.

Ansible Script

---
- name: Generate SSH key with passphrase and set permissions
  hosts: localhost
  connection: local
  vars:
    ssh_private_key_filepath: "{{ ssh_private_key_filepath }}"
    ssh_public_key_filepath: "{{ ssh_public_key_filepath }}"
    ssh_passphrase: "{{ ssh_passphrase }}"
  tasks:
    - name: Generate private key
      community.crypto.openssl_privatekey:
        path: "{{ ssh_private_key_filepath }}"
        type: RSA
        size: 4096
        passphrase: "{{ ssh_passphrase }}"
        cipher: auto
        state: present
        force: false
      register: private_key

    - name: Generate public key
      community.crypto.openssl_publickey:
        path: "{{ ssh_public_key_filepath }}"
        privatekey_path: "{{ ssh_private_key_filepath }}"
        privatekey_passphrase: "{{ ssh_passphrase }}"
        state: present
        force: false
        format: "OpenSSH"
      when: private_key.changed

    - name: Set permissions for private key
      file:
        path: "{{ ssh_private_key_filepath }}"
        mode: '400'

    - name: Set permissions for public key
      file:
        path: "{{ ssh_public_key_filepath }}"
        mode: '600'

How can I modify my Ansible script or key generation process to make the generated keys compatible with both Java 8 and Java 17?

  • You probably just need to update your Java 8 install to the most recent build; see stackoverflow.com/a/46989278/139985 Commented Oct 4, 2024 at 3:53
  • Is there a way to update the Ansible script to generate keys with DES-EDE3 encryption? Commented Oct 4, 2024 at 4:38
  • Erm ... wouldn't it be better to update your Java 8 install? It must be > 5 years out of date to not support AES-256. That means you are missing > 5 years' worth of Java 8 security fixes. Commented Oct 4, 2024 at 4:49
  • And various sources I came across suggest that you shouldn't be using DES-AES (aka Triple DES). For example, this Ansible issue: github.com/ansible/ansible/issues/83757 Commented Oct 4, 2024 at 4:58
  • According to the documentation (openssl_privatekey module – Generate OpenSSL private keys – Parameter: type) there is no support for DES. Commented Oct 4, 2024 at 6:07

1 Answer

The only choice for cipher that community.crypto.openssl_publickey has is 'auto', that implies that what you need is unimplemented.

You'll need to use the shell module and openssl.

- name: Generate a Triple-DES encrypted private key with openssl
  ansible.builtin.shell:
    cmd: "openssl genrsa -des3 -passout pass:{{ lookup('env','MY_PASS') }} -out {{ ssh_private_key_filepath }} 4096"
    creates: "{{ ssh_private_key_filepath }}"
  register: private_key
  no_log: true
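Before deploying a key to a Java 8 host it helps to confirm which cipher the PEM file actually carries. The following stdlib-only Python example is added here and is not code from the question or the answer; `key_cipher` reads either the traditional-PEM `DEK-Info` header (PuTTYgen, `openssl -traditional`) or the PBES2 algorithm identifier inside a PKCS#8 `ENCRYPTED PRIVATE KEY`, and `sample_pkcs8` constructs a dummy, non-decryptable PKCS#8 envelope purely as test input.

```python
import base64
import re

# DER-encoded OIDs (tag 0x06 + length + value), used to label and to build samples
OID_PBES2 = bytes.fromhex("06092a864886f70d01050d")   # 1.2.840.113549.1.5.13 PBES2
OID_PBKDF2 = bytes.fromhex("06092a864886f70d01050c")  # 1.2.840.113549.1.5.12 PBKDF2
OID_AES256 = bytes.fromhex("060960864801650304012a")  # 2.16.840.1.101.3.4.1.42 aes256-CBC
OID_DES3 = bytes.fromhex("06082a864886f70d0307")      # 1.2.840.113549.3.7 des-ede3-cbc
CIPHER_NAMES = {"2.16.840.1.101.3.4.1.42": "AES-256-CBC",
                "1.2.840.113549.3.7": "DES-EDE3-CBC"}

def _read_tlv(buf, pos):  # decode one DER element -> (tag, body, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length (real 4096-bit keys)
        k, n = n & 0x7F, 0
        for _ in range(k):
            n, pos = (n << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + n], pos + n

def _oid(body):  # DER OBJECT IDENTIFIER value bytes -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def key_cipher(pem):  # symmetric cipher protecting a PEM private key, or 'unencrypted'
    label, body = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S).groups()
    dek = re.search(r"^DEK-Info: ([\w-]+),", body, re.M)
    if dek:                                        # traditional PEM header
        return dek.group(1)
    if label != "ENCRYPTED PRIVATE KEY":           # PKCS#8 EncryptedPrivateKeyInfo otherwise
        return "unencrypted"
    der = base64.b64decode("".join(body.split()))
    _, alg, _ = _read_tlv(_read_tlv(der, 0)[1], 0)  # AlgorithmIdentifier
    _, scheme, p = _read_tlv(alg, 0)
    if _oid(scheme) != "1.2.840.113549.1.5.13":    # not PBES2 (e.g. legacy PBES1): report OID
        return _oid(scheme)
    _, params, _ = _read_tlv(alg, p)               # PBES2-params { kdf, encryptionScheme }
    _, enc, _ = _read_tlv(params, _read_tlv(params, 0)[2])
    return CIPHER_NAMES.get(_oid(_read_tlv(enc, 0)[1]), _oid(_read_tlv(enc, 0)[1]))

def _tlv(tag, body):  # short-form DER encoder, enough for the constructed sample
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_pkcs8(cipher_oid):  # constructed PBES2 envelope with a dummy payload (not a key)
    kdf = _tlv(0x30, OID_PBKDF2 + _tlv(0x30, _tlv(0x04, b"\0" * 8) + _tlv(0x02, b"\x10\x00")))
    enc = _tlv(0x30, cipher_oid + _tlv(0x04, b"\0" * 8))
    alg = _tlv(0x30, OID_PBES2 + _tlv(0x30, kdf + enc))
    b64 = base64.b64encode(_tlv(0x30, alg + _tlv(0x04, b"\0" * 16))).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Run `key_cipher(open(path).read())` on the Ansible-generated and the openssl-generated files to see `AES-256-CBC` versus `DES-EDE3-CBC` before copying either to the Java 8 host.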