rsadecrypt fails using recent ssh-keygen DSA keys #24970
Description
Terraform Version
Terraform v0.12.25
+ provider.aws v2.61.0
Terraform Configuration Files
A complete reproduction case is available.
Debug Output
Expected Behavior
Windows AWS EC2 instances can automatically generate a password for the Administrator account and associate it with the EC2 instance metadata using the get_password_data argument on the aws_instance resource. AWS encrypts the password with the public half of the RSA key pair identified by the key_name argument on the aws_instance resource, so only the holder of the matching RSA private key can recover it. The rsadecrypt function was added to terraform to support decrypting this value in PR #16647.
Note that all keys in this repository and generated passwords were generated for this exercise alone and are safe to be shared publicly. These are not confidential or used for anything else, and the infrastructure shown for this output has since been destroyed.
The rsadecrypt function should provide the plain-text representation of the password that was encrypted using the public key by AWS. When using the ssh-keygen command from Linux to generate this RSA key pair, this is successful. When using ssh-keygen from OS X 10.15.4, it is not successful.
Actual Behavior
When using an RSA key pair generated by OS X ssh-keygen, terraform exits with the following error:
Error: Error in function call
on example.tf line 130, in output "password_decrypted":
130: value=rsadecrypt(aws_instance.windows2019.password_data, file("${path.module}/${var.rsa_private_key_file}") )
|----------------
| aws_instance.windows2019.password_data is "<base64 password_data elided>"
| path.module is "."
| var.rsa_private_key_file is "id_rsa_from_osx"
Call to function "rsadecrypt" failed: asn1: structure error: tags don't match
(16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false
explicit:false application:false private:false defaultValue:<nil> tag:<nil>
stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2.
Steps to Reproduce
See more detailed reproduction steps in the linked github repository.
Additional Context
This basically breaks Windows EC2 provisioning because terraform can no longer decrypt the admin password. If people feed that password into a provisioner, the whole provisioning flow is broken. I think that detecting this situation and providing a better error message that points people to the workaround (e.g. copy-pastable openssh / ssh-keygen command string for how to generate a usable key-pair) would be plausible if the root issue is too hard to solve.
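The following is an added example, not code from this issue or from Terraform itself, showing the detection the paragraph above asks for: a key parser that recognises the OpenSSH native format (the "-----BEGIN OPENSSH PRIVATE KEY-----" armor and the "openssh-key-v1\0" body magic from OpenSSH's PROTOCOL.key) before handing the bytes to Go's PKCS#1 parser, and returns an error naming the `ssh-keygen -m PEM` fix instead of the bare "asn1: structure error: tags don't match". The rsaDecrypt wrapper reproduces the behaviour the Expected Behavior section describes (base64 password_data, RSA private key, PKCS#1 v1.5 padding as used for EC2 password data); the function names, the generated throwaway key and the constructed OpenSSH-format stand-in are all my own and are not part of the page.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// ErrOpenSSHFormat is the actionable error returned in place of Go's bare
// "asn1: structure error: tags don't match" when the key file is in OpenSSH's
// native format (what ssh-keygen 7.8+ writes by default).
var ErrOpenSSHFormat = errors.New("private key is in OpenSSH native format, not PEM: " +
	"regenerate with `ssh-keygen -m PEM` or convert in place with `ssh-keygen -p -m PEM -f <keyfile>`")

// openSSHMagic is the fixed prefix of the decoded body of an OpenSSH-format
// key, as described in OpenSSH's PROTOCOL.key.
var openSSHMagic = []byte("openssh-key-v1\x00")

// parseRSAPrivateKey accepts PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY")
// PEM and turns an OpenSSH-format key into ErrOpenSSHFormat before any ASN.1
// parsing is attempted.
func parseRSAPrivateKey(pemData []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found in private key data")
	}
	// Header and body magic both identify the format; check either so a
	// mislabelled file is still caught.
	if block.Type == "OPENSSH PRIVATE KEY" || bytes.HasPrefix(block.Bytes, openSSHMagic) {
		return nil, ErrOpenSSHFormat
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", k)
		}
		return rk, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// rsaDecrypt does what the issue describes rsadecrypt doing: base64-decode the
// EC2 password_data and decrypt it with the RSA private key (PKCS#1 v1.5).
func rsaDecrypt(b64Ciphertext string, pemKey []byte) (string, error) {
	key, err := parseRSAPrivateKey(pemKey)
	if err != nil {
		return "", fmt.Errorf("rsadecrypt: %w", err)
	}
	ct, err := base64.StdEncoding.DecodeString(b64Ciphertext)
	if err != nil {
		return "", fmt.Errorf("rsadecrypt: password_data is not valid base64: %w", err)
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, key, ct)
	if err != nil {
		return "", fmt.Errorf("rsadecrypt: %w", err)
	}
	return string(pt), nil
}

// newPEMKey generates a throwaway RSA key and encodes it the way
// `ssh-keygen -m PEM` would (PKCS#1 under an "RSA PRIVATE KEY" header).
func newPEMKey() ([]byte, *rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return pemKey, priv
}

// encryptLikeEC2 stands in for the AWS side: encrypt a constructed password
// with the key pair's public half and base64-encode it as password_data.
func encryptLikeEC2(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// constructedOpenSSHKey is a stand-in for default ssh-keygen output: only the
// armor header and body magic are realistic, the rest is zero filler, since the
// point is detecting this format, not parsing it.
func constructedOpenSSHKey() []byte {
	body := append([]byte{}, openSSHMagic...)
	body = append(body, bytes.Repeat([]byte{0}, 32)...)
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: body})
}

func main() {
	pemKey, priv := newPEMKey()
	passwordData, err := encryptLikeEC2(&priv.PublicKey, "Ex4mple-Adm1n-P4ss")
	if err != nil {
		panic(err)
	}
	pt, err := rsaDecrypt(passwordData, pemKey)
	fmt.Printf("PEM key: plaintext=%q err=%v\n", pt, err)
	_, err = rsaDecrypt(passwordData, constructedOpenSSHKey())
	fmt.Println("OpenSSH key:", err)
}
```

Running it prints the recovered password for the PEM key and the actionable ErrOpenSSHFormat message for the OpenSSH-format key. Checking the armor type first costs nothing and is what turns the opaque asn1 tag mismatch in the Actual Behavior section into a message that tells the operator to regenerate or convert the key with `-m PEM`.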
References
Similar errors have been reported in concourse/concourse#2592, which linked to golang/go#18634.
According to their discussion forum:
- ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format. The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports
key comments in private keys. If necessary, it is possible to write
old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
when generating or updating a key.
This has also come up in discuss:
https://discuss.hashicorp.com/t/how-to-rsadecrypt-and-get-password-data-from-aws-windows-server-instance/7474