diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 5cdb65d33..3381a64b5 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "encoding/pem" "fmt" + "io" multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/vault/sdk/framework" @@ -190,7 +191,7 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request, } if generateSigningKey { - publicKey, privateKey, err = generateSSHKeyPair() + publicKey, privateKey, err = generateSSHKeyPair(b.Backend.GetRandomReader()) if err != nil { return nil, err } @@ -264,8 +265,11 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request, return nil, nil } -func generateSSHKeyPair() (string, string, error) { - privateSeed, err := rsa.GenerateKey(rand.Reader, 4096) +func generateSSHKeyPair(randomSource io.Reader) (string, string, error) { + if randomSource == nil { + randomSource = rand.Reader + } + privateSeed, err := rsa.GenerateKey(randomSource, 4096) if err != nil { return "", "", err } diff --git a/changelog/12560.txt b/changelog/12560.txt new file mode 100644 index 000000000..0b76337b3 --- /dev/null +++ b/changelog/12560.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/ssh: Use entropy augmentation when available for generation of the signing key. +``` \ No newline at end of file