From 7a1d260a358229e6c7f8d92dae312733eb43dbe7 Mon Sep 17 00:00:00 2001
From: Samuel James <143277412+SamuelSJames@users.noreply.github.com>
Date: Sat, 20 Jun 2026 08:45:02 -0400
Subject: [PATCH] Enable OpenSSL legacy provider for old-format encrypted SSH
 keys (#17)

* Add editable display-name field to generic integrations

Lets users set a custom name for Proxmox, Docker, AWS, Remote Desktop,
Netbird, Cloudflare, Uptime Kuma, and Weather integrations, separate
from the host/IP field, mirroring the SSH host rename pattern.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016kF4hZWEkRCPPvCZTeXxn4

* Surface the new-integration name field as a labeled input

The name field for new generic integrations was a faint header input
with only placeholder text, easy to miss. Move it into the form grid
as a proper labeled "Name" field next to the other connection fields.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016kF4hZWEkRCPPvCZTeXxn4

* Add file upload for SSH private key and certificate fields

Lets users pick a key file from disk (e.g. ~/.ssh) instead of pasting
its contents into the Private Key / OPKSSH Certificate fields.

* Fix SSH private key paste corrupting multi-line PEM format

Private Key and Certificate fields were single-line <input> elements,
which strip newlines on paste and corrupt PEM-formatted keys (causing
'Unsupported key format' errors). Render them as multi-line textareas
instead so pasted keys keep their line breaks.

* Enable OpenSSL legacy provider for old-format encrypted SSH keys

OpenSSL 3's default provider disables the MD5-based KDF used by
traditional encrypted PEM keys (BEGIN RSA PRIVATE KEY + DEK-Info
headers), causing "error in libcrypto: unsupported" when the ssh
binary tries to decrypt them for certificate-based auth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016kF4hZWEkRCPPvCZTeXxn4

---------

Co-authored-by: Claude <noreply@anthropic.com>
---
 backend/Dockerfile | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index a28ef01..4909e4e 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -18,5 +18,25 @@ RUN apk add --no-cache python3 make g++ openssh-client
 COPY package.json package-lock.json* ./
 RUN npm install --omit=dev
 COPY --from=build /app/dist ./dist
+# Old-format encrypted PEM keys (e.g. "BEGIN RSA PRIVATE KEY" + DEK-Info) rely on an
+# MD5-based KDF that OpenSSL 3's default provider disables. Enable the legacy provider
+# so `ssh` (used for certificate-based auth) can still decrypt these keys.
+RUN { \
+      echo 'openssl_conf = openssl_init'; \
+      echo ''; \
+      echo '[openssl_init]'; \
+      echo 'providers = provider_sect'; \
+      echo ''; \
+      echo '[provider_sect]'; \
+      echo 'default = default_sect'; \
+      echo 'legacy = legacy_sect'; \
+      echo ''; \
+      echo '[default_sect]'; \
+      echo 'activate = 1'; \
+      echo ''; \
+      echo '[legacy_sect]'; \
+      echo 'activate = 1'; \
+    } > /etc/ssl/openssl-legacy.cnf
+ENV OPENSSL_CONF=/etc/ssl/openssl-legacy.cnf
 EXPOSE 4000
 CMD ["node", "dist/server.js"]