Ssh/sign fails with "failed to parse public_key as SSH key: illegal base64 data at input byte 0"

pvandervelde · January 7, 2020, 10:00am

I’m trying to get SSH host signing working with Vault and Consul-Template. The template file for Consul-Template looks like:

{{ $contents := file "/etc/ssh/ssh_host_rsa_key.pub" }}{{ with secret "ssh-host/sign/ssh.host.linux" "cert_type=host" "public_key=$contents" }}{{ .Data.signed_key }}{{ end }}

The SSH public key file looks like (note this is an example key for a test VM):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxE3HPu3ZejCJyhYM/da0jIlTKjVlsXEczaiUOrrrr9QPi0InCuU3tZEBSxZ5Xa6bG0iNb/FNEhhPztxgmD9hM7h+54r7fWbW4Zbk3HJFfWeym+EnAzmDx28ImY07XKlTrCok/qV9SrLm+cjt459wzJSAUsTBS2t+D2OnFlVPoM0NKorgO9tepHpMWL9ylG4Xt3M8NtxE0kZksVVv8iuynEeLdzogQbVc+rIU+Xomw5NUxmENJ/8pGFa3WsZnxdbmURlXzCoHAUwLO3Rd1C8LElBNh963mMF1mSx99WqkVDmiaVamtnqRjU3e/YYrr1T9NzT4yGywKiasTUKooTFi9 root@ubuntu-18-04-3

When Consul-Template tries to execute the template it fails with:

(view) vault.write(ssh-host/sign/ssh.host.linux -> 564133f1): vault.write(ssh-host/sign/ssh.host.linux -> 564133f1):
URL: PUT http://active.secrets.service.integrationtest:8200/v1/ssh-host/sign/ssh.host.linux
Code: 400. Errors:
* failed to parse public_key as SSH key: illegal base64 data at input byte 0 (retry attempt 3 after "1s")

Looking at the Vault code for parsing the key it looks like Vault is smart enough to throw away the first and last bit of the key file and only use the middle bit.

The key was automatically generated (?) when the VM was first started (I think it works that way, I didn’t manually generate it and as far as I can tell the key was there the first time I connected).

I would have expected the key to be generated in the correct format but it is well possible that there is a setting somewhere that I have missed.

Does anybody know what configuration / conversions I have missed to make this work?

pvandervelde · January 12, 2020, 12:23am

It turns out that the error was due to the fact that my template was wrong. It should have been

{{ $contents := file "/etc/ssh/ssh_host_rsa_key.pub" | trimSpace }}{{ $pair := printf "public_key=%s" $contents }}{{ with secret "ssh-host/sign/ssh.host.linux" "cert_type=host" $pair }}{{ .Data.signed_key }}{{ end }}

Apparently Consul-Template cannot / does not process variables inside quotes, however if you create a variable that contains the key-value pair and pass that to the secret function it will work.

BoopathirajS · November 30, 2022, 8:34am

I am also stuck at same error. But its not in consul. Its plain vault write

vault write -field=signed_key ssh-user-ca/sign/ssh-test public_key=B_mac.pub valid_principals=“vadmin” > B_mac_cert.pub
Error writing data to ssh-user-ca/sign/ssh-test: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ssh-user-ca/sign/ssh-test
Code: 400. Errors:

*** failed to parse public_key as SSH key: illegal base64 data at input byte 1**

maxb · November 30, 2022, 10:45am

You sent the literal string

to Vault as your SSH key. Of course, that’s not a valid SSH key.

Re-check the docs - you need a leading @ sign to tell the Vault CLI to read a file and substitute it’s contents as a parameter.

alexcupertme · September 9, 2024, 5:09pm

You’re lifesaver! Stuck into this problem also and this only thread along the Google helped me.

Topic		Replies	Views
Consul-Template secret parameter with spaces Consul	3	1648	January 10, 2021
Vault SSH CA can't get allowed_users_template to work Vault vault	2	1072	January 27, 2022
Vault agent template: supplying map field to the ssh ca secret engine Vault consul-template , vault , consul-vault	0	144	January 5, 2024
How to use raw data from vault Vault	3	1605	February 17, 2021
HCSEC-2022-16 - Consul Template May Expose Vault Secrets When Processing Invalid Input Security	0	7899	August 16, 2022

Ssh/sign fails with "failed to parse public_key as SSH key: illegal base64 data at input byte 0"

Related topics