Skip to content

feat(compute): Add server show-plaintext#1817

Open
dmbuil wants to merge 4 commits into
gtema:mainfrom
dmbuil:feature-server-password-show-plaintext
Open

feat(compute): Add server show-plaintext#1817
dmbuil wants to merge 4 commits into
gtema:mainfrom
dmbuil:feature-server-password-show-plaintext

Conversation

@dmbuil

@dmbuil dmbuil commented Jun 30, 2026

Copy link
Copy Markdown

Adds a new osc compute server password show-plaintext subcommand that retrieves the Nova-encrypted admin password and decrypts it in-process using a caller-supplied SSH private key.

Supports OpenSSH, PEM RSA (PKCS#1), and PKCS#8 key formats; passphrase- protected OpenSSH keys prompt interactively via dialoguer. Uses pure-Rust rsa ^0.9 + ssh-key ^0.6 crates to stay Alpine-compatible (no openssl). The existing show subcommand (generated code) is left completely untouched.

@dmbuil dmbuil changed the title feat(compute): add server password show-plaintext command feat(compute): Add server show-plaintext Jul 1, 2026
@dmbuil

dmbuil commented Jul 1, 2026

Copy link
Copy Markdown
Author

I've renamed the PR to fit the 59-char length, as well as capitalize Add.

@gtema

gtema commented Jul 1, 2026

Copy link
Copy Markdown
Owner

I've renamed the PR to fit the 59-char length, as well as capitalize Add.

this need to be done with the commit (amend and force-push) and not the PR

@dmbuil dmbuil force-pushed the feature-server-password-show-plaintext branch from a39179b to 6dac6db Compare July 1, 2026 17:54
Adds a new `osc compute server password show-plaintext`
subcommand that retrieves the Nova-encrypted admin password
and decrypts it in-process using a caller-supplied SSH
private key.

Supports OpenSSH, PEM RSA (PKCS#1), and PKCS#8 key formats.
Passphrase-protected OpenSSH keys prompt interactively via
dialoguer. Uses pure-Rust `rsa ^0.9` + `ssh-key ^0.6` crates
to stay Alpine-compatible (no openssl). The existing `show`
subcommand (generated code) is left completely untouched.

Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
@dmbuil dmbuil force-pushed the feature-server-password-show-plaintext branch from 6dac6db to 4a089fe Compare July 1, 2026 18:04
@gtema

gtema commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Ignore the advisory failure. Would go away once anyhow is updated in lock file

@dmbuil

dmbuil commented Jul 5, 2026

Copy link
Copy Markdown
Author

There's this advisory RUSTSEC-2023-0071 which has to do with Marvin vulnerability. Since the RSA crate (rsa 0.9.10) is used locally only, it doesn't apply. Should I ignore it for now, @gtema ?

Comment thread cli/compute/src/v2/server/server_password/show_plaintext.rs Outdated
Comment thread cli/compute/src/v2/server/server_password/show_plaintext.rs
Comment thread cli/compute/src/v2/server/server_password/show_plaintext.rs Outdated
dmbuil added 3 commits July 6, 2026 17:12
Address review feedback on gtema#1817: replace substring-based key format
detection in load_rsa_key with tag dispatch via the pem crate.

- Encrypted PKCS#8 keys (BEGIN ENCRYPTED PRIVATE KEY) are now decrypted
  after an interactive passphrase prompt (dialoguer) instead of being
  rejected with a misleading "traditional PEM" error. Requires the
  pkcs8 "encryption" feature.
- Encrypted traditional PEM keys (Proc-Type: 4,ENCRYPTED header) now
  actually reach the ssh-keygen conversion hint; previously they
  matched the "BEGIN RSA PRIVATE KEY" branch first and failed with a
  generic PKCS#1 parse error.
- Unsupported PEM tags are named in the error message.
- The passphrase prompt is injectable, making encrypted-key paths
  unit-testable without a TTY.

Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
Address review feedback on gtema#1817: mirror ssh behavior by refusing
private key files readable or writable by group/others. Keys must be
chmod 600 or stricter (0400 is accepted); the check is a no-op on
non-Unix platforms.

Signed-off-by: dmbuil <dariomartinbuil@outlook.com>
Address review feedback on gtema#1817: return the decrypted password (and
the intermediate plaintext buffer) wrapped in zeroize::Zeroizing so it
is zeroed on drop. The private key material is already zeroized on
drop by the rsa and ssh-key crates.

Best-effort: the copy handed to the output processor as a
serde_json::Value is not covered.

Signed-off-by: dmbuil <dariomartinbuil@outlook.com>

@dmbuil dmbuil left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes reviewed. Definitely more stylish and secure like this :)

@dmbuil dmbuil requested a review from gtema July 6, 2026 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants