michelroegl-brunner

Overview

This PR adds comprehensive SSH key authentication support and custom SSH port configuration to the PVE Scripts Local application.

Features Added

🔐 SSH Key Authentication

  • Multiple authentication methods: Password-only, SSH key-only, or both
  • Flexible key input: Upload private key files or paste key content directly
  • Passphrase support: Handle encrypted SSH keys with optional passphrases
  • Secure key handling: Temporary files with proper permissions (0600) and automatic cleanup

🔌 Custom SSH Port Support

  • Configurable ports: Default to port 22, but allow any valid port (1-65535)
  • Database integration: Store custom ports in server configuration
  • Full compatibility: Works with all SSH operations (testing, execution, file transfer)

Technical Implementation

Database Schema Updates

  • Added auth_type column: password | key | both
  • Added ssh_key column: Stores private key content
  • Added ssh_key_passphrase column: Optional encrypted passphrase
  • Added ssh_port column: Custom SSH port (default: 22)
  • Backward-compatible migrations for existing servers

Backend Services

  • SSH Service: Enhanced connection testing with key authentication
  • SSH Execution Service: Script execution and file transfer with key auth
  • Security: Proper temporary file management and cleanup
  • Error Handling: Clear distinction between password and key auth failures

Frontend Components

  • SSHKeyInput Component: Reusable component for key upload/paste
  • ServerForm Updates: Dynamic form fields based on auth type
  • Validation: SSH key format validation and port range validation
  • UX: Clear authentication method selection and field visibility

API Routes

  • Server Creation: Handle new authentication fields and validation
  • Server Updates: Support changing authentication methods
  • Connection Testing: Test both password and key authentication

Security Considerations

Implemented Security Measures:

  • Temporary key files created with 0600 permissions
  • Automatic cleanup of temporary files after operations
  • No logging or exposure of private keys in error messages
  • SSH key format validation before storage
  • Proper null checks and type safety

Testing

  • ✅ Build process passes with no TypeScript errors
  • ✅ All authentication methods tested (password, key, both)
  • ✅ Custom port support verified across all SSH operations
  • ✅ Backward compatibility maintained for existing servers

Breaking Changes

None - this is fully backward compatible. Existing servers will continue to work with password authentication.

Migration

Existing servers automatically migrate to use auth_type=password and ssh_port=22 with no user intervention required.


Ready for review and testing! 🚀

- Add SSH key authentication support with three modes: password, key, or both
- Add custom SSH port support (defaults to 22)
- Create SSHKeyInput component with file upload and paste modes
- Update database schema with auth_type, ssh_key, ssh_key_passphrase, and ssh_port columns
- Update TypeScript interfaces to support new authentication fields
- Update SSH services to handle key authentication and custom ports
- Update ServerForm with authentication type selection and SSH port field
- Update API routes with validation for new fields
- Add proper cleanup for temporary SSH key files
- Support for encrypted SSH keys with passphrase protection
- Maintain backward compatibility with existing password-only servers
- Replace || operators with ?? (nullish coalescing) for better type safety
- Add proper null checks for password fields in SSH services
- Fix JSDoc type annotations for better TypeScript inference
- Update error object types to use Record<keyof CreateServerData, string>
- Ensure all SSH authentication methods handle optional fields correctly
@michelroegl-brunner michelroegl-brunner requested a review from a team as a code owner October 10, 2025 07:06
@michelroegl-brunner michelroegl-brunner merged commit ff1ab35 into main Oct 10, 2025
4 checks passed
@michelroegl-brunner michelroegl-brunner deleted the feat/ssh-key-authentication branch October 14, 2025 06:43
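
The temporary key file handling and port validation listed under "Security Considerations", as an added example that is not code from this PR or the project. It assumes the key is handed to the OpenSSH `ssh` client by file path; the function names, the sample server values and the placeholder key are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed placeholder, not a real key: PEM armor around a dummy body.
const SAMPLE_KEY = '-----BEGIN OPENSSH PRIVATE KEY-----\n' +
  'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END OPENSSH PRIVATE KEY-----';

// Port rule from the PR description: integer in 1-65535.
function validatePort(port) {
  return Number.isInteger(port) && port >= 1 && port <= 65535;
}

// Structural check only: PEM armor whose BEGIN and END labels match.
function looksLikePrivateKey(text) {
  const pem = /^-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n[\s\S]+?\r?\n-----END \1-----$/;
  return typeof text === 'string' && pem.test(text.trim());
}

// Write the key to a private temp dir, run fn(keyPath), always clean up.
// fn must finish using the file before it returns (for example spawnSync);
// an async caller would need to await its work before the cleanup runs.
function withTempKeyFile(keyText, fn) {
  // Error text never includes key material.
  if (!looksLikePrivateKey(keyText)) throw new Error('invalid SSH key format');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sshkey-')); // mode 0700
  const keyPath = path.join(dir, 'id_key');
  try {
    // 'wx' refuses to reuse an existing path; mode is applied at creation,
    // so the file is never group/world readable, even briefly.
    fs.writeFileSync(keyPath, keyText.trim() + '\n', { flag: 'wx', mode: 0o600 });
    return fn(keyPath);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Build an argument vector (no shell string) for key auth on a custom port.
function sshArgs(server, keyPath) {
  if (!validatePort(server.port)) throw new Error('invalid SSH port');
  return ['-i', keyPath, '-p', String(server.port),
    '-o', 'IdentitiesOnly=yes', `${server.user}@${server.host}`];
}
```

The `finally` block removes the directory whether the SSH operation succeeds or throws, which is the property the "automatic cleanup" bullet depends on.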