feat(compute): Add server show-plaintext#1817
Open
dmbuil wants to merge 4 commits into
Open
Conversation
server password show-plaintext commandserver show-plaintext
Author
|
I've renamed the PR to fit the 59-char length, as well as capitalize |
Owner
this need to be done with the commit (amend and force-push) and not the PR |
a39179b to
6dac6db
Compare
Adds a new `osc compute server password show-plaintext` subcommand that retrieves the Nova-encrypted admin password and decrypts it in-process using a caller-supplied SSH private key. Supports OpenSSH, PEM RSA (PKCS#1), and PKCS#8 key formats. Passphrase-protected OpenSSH keys prompt interactively via dialoguer. Uses pure-Rust `rsa ^0.9` + `ssh-key ^0.6` crates to stay Alpine-compatible (no openssl). The existing `show` subcommand (generated code) is left completely untouched. Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
6dac6db to
4a089fe
Compare
Owner
|
Ignore the advisory failure. Would go away once anyhow is updated in lock file |
Author
gtema
requested changes
Jul 6, 2026
Address review feedback on gtema#1817: replace substring-based key format detection in load_rsa_key with tag dispatch via the pem crate. - Encrypted PKCS#8 keys (BEGIN ENCRYPTED PRIVATE KEY) are now decrypted after an interactive passphrase prompt (dialoguer) instead of being rejected with a misleading "traditional PEM" error. Requires the pkcs8 "encryption" feature. - Encrypted traditional PEM keys (Proc-Type: 4,ENCRYPTED header) now actually reach the ssh-keygen conversion hint; previously they matched the "BEGIN RSA PRIVATE KEY" branch first and failed with a generic PKCS#1 parse error. - Unsupported PEM tags are named in the error message. - The passphrase prompt is injectable, making encrypted-key paths unit-testable without a TTY. Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
Address review feedback on gtema#1817: mirror ssh behavior by refusing private key files readable or writable by group/others. Keys must be chmod 600 or stricter (0400 is accepted); the check is a no-op on non-Unix platforms. Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
Address review feedback on gtema#1817: return the decrypted password (and the intermediate plaintext buffer) wrapped in zeroize::Zeroizing so it is zeroed on drop. The private key material is already zeroized on drop by the rsa and ssh-key crates. Best-effort: the copy handed to the output processor as a serde_json::Value is not covered. Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
dmbuil
commented
Jul 6, 2026
dmbuil
left a comment
Author
There was a problem hiding this comment.
Changes reviewed. Definitely more stylish and secure like this :)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a new
osc compute server password show-plaintextsubcommand that retrieves the Nova-encrypted admin password and decrypts it in-process using a caller-supplied SSH private key.Supports OpenSSH, PEM RSA (PKCS#1), and PKCS#8 key formats; passphrase- protected OpenSSH keys prompt interactively via dialoguer. Uses pure-Rust
rsa ^0.9+ssh-key ^0.6crates to stay Alpine-compatible (no openssl). The existingshowsubcommand (generated code) is left completely untouched.