#701 Modernize the sshd algorithms on sshd/CA
Closed: Fixed with Explanation 2 years ago by arrfab. Opened 2 years ago by arrfab.

In our infra, we are still using the previous step to sign all our sshd host keys and expose the RSA host pub (signed) key (see https://github.com/CentOS/ansible-role-sshd/blob/master/templates/sshd_config.j2#L28).

That was permitting us to just centrally have a cert-authority configured and distributed (see https://github.com/CentOS/ansible-role-sshd/blob/master/defaults/main.yml#L24).

Starting from Fedora 34/35, some clients were still able to connect to some of our infra but not trusting the CA anymore (as being RSA based), and from Stream 9, it even refuses to connect (see https://bugzilla.redhat.com/show_bug.cgi?id=2060232).

So we have to modernize the algo used in our ssh host key signing setup and push updated signed certs.


Metadata Update from @arrfab:
- Issue tagged with: centos-ci-infra, centos-common-infra, centos-stream, high-gain, medium-trouble

2 years ago

Metadata Update from @arrfab:
- Issue assigned to arrfab

2 years ago

Had a quick look and pushed (staged) a commit to our ansible sshd role.

Basically we'll transition from rsa to ed25519 signed HostCertificate and we'll also sign our sshd host keys on an el8 host, as openssh-8.0p1-12.el8.x86_64 has support to sign with a better default algo. From man ssh-keygen:

     -t dsa | ecdsa | ed25519 | rsa
             Specifies the type of key to create.  The possible values are “dsa”, “ecdsa”, “ed25519”, or “rsa”.
             This flag may also be used to specify the desired signature type when signing certificates using a RSA CA key.  The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, “rsa-sha2-512” (the default).

Previously, on an el7 host, it was defaulting to ssh-rsa, so using a SHA1 signature, which is not accepted anymore on RHEL9/CentOS 9 and Fedora 36+.

It was tested on the dev/staging environment and we'll push the change for the rest of the CentOS infra next week, re-signing sshd host keys (no key change, just presenting the new pub cert to ssh clients).
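As an added example (not code from the ansible-role-sshd role or the adhoc playbook mentioned here), the script below reproduces the change described above with throwaway keys: it signs the same RSA host key once with an ed25519 CA and once with an RSA CA forced to rsa-sha2-512, then reads back which signature algorithm each certificate carries. It assumes ssh-keygen is installed; the host name, key ID and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the CentOS role's own code: host key stays the same,
# only the CA key and the certificate signature algorithm change.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the signature algorithm recorded in an OpenSSH certificate
# (the "(using ...)" suffix on the "Signing CA:" line of ssh-keygen -L).
cert_sig_algo() {
    ssh-keygen -L -f "$1" | sed -n 's/.*Signing CA:.*(using \([^)]*\)).*/\1/p'
}

# sign_host_key CA_KEY HOSTKEY_PUB [SIGTYPE]: issue a host certificate.
# SIGTYPE is the -t value from the man page excerpt (e.g. rsa-sha2-512);
# it only matters for an RSA CA, an ed25519 CA always uses ssh-ed25519.
sign_host_key() {
    if [ -n "${3:-}" ]; then
        ssh-keygen -q -s "$1" -I demo-host-cert -h -n host.example.test -t "$3" "$2"
    else
        ssh-keygen -q -s "$1" -I demo-host-cert -h -n host.example.test "$2"
    fi
}

# Line clients need in known_hosts so certificates from this CA are trusted.
ca_known_hosts_line() {
    printf '@cert-authority *.example.test %s\n' "$(cut -d' ' -f1,2 "$1")"
}

# Constructed keys: one RSA host key, an ed25519 CA and an RSA CA.
ssh-keygen -q -t rsa -b 3072 -N '' -f "$WORK/ssh_host_rsa_key"
ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca_ed25519"
ssh-keygen -q -t rsa -b 3072 -N '' -f "$WORK/ca_rsa"

# New setup from the ticket: ed25519 CA -> certificate signed with ssh-ed25519.
sign_host_key "$WORK/ca_ed25519" "$WORK/ssh_host_rsa_key.pub"
cp "$WORK/ssh_host_rsa_key-cert.pub" "$WORK/cert_from_ed25519_ca.pub"

# Alternative: keep an RSA CA but pick the SHA-2 variant explicitly instead of
# relying on the el7 default (ssh-rsa, SHA1) that newer clients reject.
sign_host_key "$WORK/ca_rsa" "$WORK/ssh_host_rsa_key.pub" rsa-sha2-512
cp "$WORK/ssh_host_rsa_key-cert.pub" "$WORK/cert_from_rsa_ca.pub"

ca_known_hosts_line "$WORK/ca_ed25519.pub"
printf 'ed25519 CA cert uses: %s\n' "$(cert_sig_algo "$WORK/cert_from_ed25519_ca.pub")"
printf 'RSA CA cert uses:     %s\n' "$(cert_sig_algo "$WORK/cert_from_rsa_ca.pub")"
```

Running `cert_sig_algo` against a certificate produced on an el7 host is the quickest way to spot one that still carries an ssh-rsa (SHA1) signature before clients start refusing it.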

ansible-role-sshd branch merged into main/prod and applied everywhere.
The adhoc-sshd_sign_host_key.yml was also replayed to re-sign existing sshd host keys with the newer settings.

Closing as it was confirmed that it now works by default from an el9 host.

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 years ago
