#12017 New SSH keys for fedorapeople.org
Closed: Fixed with Explanation 16 days ago by kevin. Opened 18 days ago by ppisar.

It seems you have reinstalled the fedorapeople.org server (#12008) and the RSA SSH key of the server has changed. Where can I verify the new SSH keys?


The same question. Maybe display fingerprints somewhere at fedorapeople.org?

So using ssh with VerifyHostKeyDNS kind of works

$ ssh -o 'VerifyHostKeyDNS=yes' fedorapeople.org
The authenticity of host 'fedorapeople.org (2600:2701:4000:5211:dead:beef:a7:9475)' can't be established.
ED25519 key fingerprint is SHA256:rWjv2pnT4nWaH6Xud/ePK2CnVnnJoo7iUlBla0iT5LM.
Matching host key fingerprint found in DNS.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

However, if you have the older key, it does not seem to check that the DNS changed and tell you the new key is verifiable by DNS. Also, if you ssh to something like ppisar.fedorapeople.org it will fail because those keys do not seem to match the ones for the server.
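The "Matching host key fingerprint found in DNS" line above means ssh hashed the host key it received and compared it with the SSHFP record published for the name. This added example (not from the ticket or from Fedora Infrastructure) shows the two derivations side by side: the SHA256:... fingerprint ssh prints, and the SSHFP RDATA (algorithm number, fingerprint type, hex digest) that `ssh-keygen -r` would publish and `dig SSHFP` would return. The key material is a constructed ssh-ed25519 blob, not the real fedorapeople.org host key.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 1 is SHA-1, 2 is SHA-256


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a syntactically valid ssh-ed25519 public key whose 32-byte
# point is just 0x01..0x20. It is NOT a real host key.
SAMPLE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode() + " constructed-sample"
)


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line ('<type> <base64> [comment]') into (type, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with a length-prefixed copy of the key type; check the two agree.
    prefix_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + prefix_len].decode() != keytype:
        raise ValueError("key type inside blob does not match the type field")
    return keytype, blob


def ssh_fingerprint(blob: bytes) -> str:
    """Fingerprint as ssh prints it: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(keytype: str, blob: bytes) -> str:
    """SSHFP record data in presentation format, e.g. '4 2 <64 hex chars>'."""
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE_SHA256} {hashlib.sha256(blob).hexdigest()}"


def fingerprint_from_sshfp(hexdigest: str) -> str:
    """Convert the hex digest of a SHA-256 SSHFP record into the form ssh prints."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")


def matches_sshfp(keytype: str, blob: bytes, records) -> bool:
    """True if any record (RDATA as dig prints it) equals this key's SHA-256 SSHFP record."""
    want = sshfp_rdata(keytype, blob)
    for rec in records:
        fields = rec.split()
        if len(fields) != 3:
            continue  # malformed or unrelated record text
        if f"{fields[0]} {fields[1]} {fields[2].lower()}" == want:
            return True
    return False


if __name__ == "__main__":
    kt, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print("ssh shows :", ssh_fingerprint(blob))
    print("SSHFP RDATA:", sshfp_rdata(kt, blob))
```

To check a real host, feed the line from `ssh-keyscan -t ed25519 HOST` to parse_pubkey_line and the RDATA strings from `dig +dnssec SSHFP HOST` to matches_sshfp; the comparison is only trustworthy when the resolver validated DNSSEC (the AD flag), which is the point raised later in this thread.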

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, medium-trouble, ops

18 days ago

Btw, it looks like DNSSEC isn't available for fedorapeople. According to this blog post, if the DNS record has SSHFP added and DNSSEC enabled, then SSH will not generate any prompts at all.

Yes, we reinstalled fedorapeople.org

You can be sure of the ssh host keys by using our ssh ca, as all our ssh host keys are signed by it. Add this to your .ssh/known_hosts or the like:
https://admin.fedoraproject.org/ssh_known_hosts

I did miss updating the sshfp wildcard records. So if you sshed to say 'peter.fedorapeople.org' the sshfp records wouldn't have matched. I have pushed a fix so this should now work.

dnssec is definitely enabled for fedorapeople.org: https://dnsviz.net/d/fedorapeople.org/dnssec/
Perhaps you are using a non-DNSSEC-aware DNS server (like systemd-resolved by default).
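The ssh_known_hosts file linked above works through OpenSSH's @cert-authority marker: a line whose host pattern matches the server name tells ssh to accept any host key certificate signed by that CA key, so a reinstalled host with a fresh key is trusted as soon as its new certificate is issued. This added example (not Fedora's file, and the key strings are placeholders, not the real CA key) parses such lines and applies OpenSSH's host pattern rules (comma-separated patterns, `*` and `?` wildcards, `!` negation) to decide which CA entries cover a given hostname.

```python
import fnmatch

# Constructed sample known_hosts content. Key material is a placeholder, not a real key.
SAMPLE_KNOWN_HOSTS = """
# constructed sample, not the real Fedora Infrastructure file
@cert-authority *.fedorapeople.org,fedorapeople.org ssh-ed25519 AAAAC3PLACEHOLDERCAKEY constructed-ca
@revoked * ssh-rsa AAAAB3PLACEHOLDEROLDKEY retired-host-key
fedorapeople.org ssh-ed25519 AAAAC3PLACEHOLDERHOSTKEY plain-pinned-key
"""


def parse_known_hosts(text: str):
    """Return (marker, patterns, keytype, key_b64) per entry.

    marker is '@cert-authority', '@revoked' or None. Hashed hostnames (|1|...)
    are kept verbatim and will simply not match any name in host_matches."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ssh would skip it too
        entries.append((marker, parts[0].split(","), parts[1], parts[2]))
    return entries


def host_matches(patterns, hostname: str) -> bool:
    """OpenSSH host pattern semantics: any positive pattern matches, but a
    negated ('!') pattern that matches wins and rejects the host.
    fnmatchcase is used for '*' and '?'; it also accepts '[...]', which OpenSSH
    does not, so square brackets should not appear in real patterns."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(hostname.lower(), pat.lower()):
            if negate:
                return False
            matched = True
    return matched


def trusted_cas_for(hostname: str, entries):
    """CA (keytype, key) pairs whose patterns cover hostname."""
    return [(kt, key) for marker, pats, kt, key in entries
            if marker == "@cert-authority" and host_matches(pats, hostname)]


def revoked_keys(entries):
    """Keys that ssh must refuse for any host, regardless of pattern."""
    return {(kt, key) for marker, _pats, kt, key in entries if marker == "@revoked"}


if __name__ == "__main__":
    ents = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for name in ("peter.fedorapeople.org", "fedorapeople.org", "example.org"):
        print(name, "->", trusted_cas_for(name, ents))
```

In practice the step is just appending the published file to ~/.ssh/known_hosts (or pointing GlobalKnownHostsFile at it); `ssh -v` then reports the host certificate as accepted by the CA rather than prompting for a fingerprint.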

I am not sure why DNSSEC isn't available:
The named.conf for it uses the signed version:

zone "fedorapeople.org" {
        type master;
        file "/var/named/master/built/fedorapeople.org.signed";
};

And the zone contains RRSIG entries for the SSHFP. I am going to have to let someone with sysadmin powers help figure that out.

Thanks Kevin for the certificates. I updated the https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org#Accessing_your_fedorapeople.org_space documentation. I confirm the certificates work for me.

I am not sure why DNSSEC isn't available:

That's my mistake - it is available. I just need to set up systemd-resolved to enable it.

@kevin thanks for the tip!

Metadata Update from @kevin:
- Issue assigned to kevin

16 days ago

Thanks. I sent a devel-announce post about the ssh host key changing.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

16 days ago
