From e5f5379b0913b259d8b3ad760ec23fb1707a6973 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Wed, 15 Sep 2021 10:38:49 -0500 Subject: [PATCH 1/2] Use the system rand reader for SSH keypair generation --- builtin/logical/ssh/path_config_ca.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 5cdb65d33f5c1..3381a64b5aa47 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "encoding/pem" "fmt" + "io" multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/vault/sdk/framework" @@ -190,7 +191,7 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request, } if generateSigningKey { - publicKey, privateKey, err = generateSSHKeyPair() + publicKey, privateKey, err = generateSSHKeyPair(b.Backend.GetRandomReader()) if err != nil { return nil, err } @@ -264,8 +265,11 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request, return nil, nil } -func generateSSHKeyPair() (string, string, error) { - privateSeed, err := rsa.GenerateKey(rand.Reader, 4096) +func generateSSHKeyPair(randomSource io.Reader) (string, string, error) { + if randomSource == nil { + randomSource = rand.Reader + } + privateSeed, err := rsa.GenerateKey(randomSource, 4096) if err != nil { return "", "", err } From 19e894fe005bfd13cc540ca3b25acc5a5de9aa1c Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Wed, 15 Sep 2021 10:41:05 -0500 Subject: [PATCH 2/2] changelog --- changelog/12560.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/12560.txt diff --git a/changelog/12560.txt b/changelog/12560.txt new file mode 100644 index 0000000000000..0b76337b3021f --- /dev/null +++ b/changelog/12560.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/ssh: Use entropy augmentation when available for generation of the signing key. +``` \ No newline at end of file