manifests: fedora-coreos-base: remove temporary support for RSA-SHA1 keys on F33 #702
I opened this against
Maybe I'm missing something here but...isn't this more fundamentally that the crypto policy change is probably going to break a lot of Fedora users in general on AWS?
No. RSA keys are still valid, but the RSA authentication handshake now requires a different hash algorithm. So the problem only affects old client implementations (the Go SSH client, the Ruby SSH for Vagrant, etc.) that don't support the new algos.
Right, I understand. I guess the debate here comes down to the values of "a lot".
The relationship with AWS is that on other clouds ecdsa or hopefully also ed25519 keys are valid which sidesteps the problem. Although have we done that analysis on a per-cloud basis? In a quick spot check it looks like GCP supports all those key types.
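The distinction drawn in the two comments above, between the key type and the signature algorithm used with it, can be modelled as follows. This is an added example, not code from this PR or from the project; the client algorithm sets and the sample key lines are constructed, and the helper names are hypothetical.

```python
import base64
import struct

# Signature algorithms that can be used with each public key type.
# An "ssh-rsa" key can sign with SHA-1 (ssh-rsa) or SHA-2 (rsa-sha2-*, RFC 8332).
SIG_ALGS_FOR_KEY = {
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
    "ssh-ed25519": ["ssh-ed25519"],
}
SHA1_SIG_ALGS = {"ssh-rsa"}  # the only entry above that hashes with SHA-1

# Constructed client profiles (assumptions, not measurements of real clients).
LEGACY_CLIENT = {"ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"}
MODERN_CLIENT = LEGACY_CLIENT | {"rsa-sha2-256", "rsa-sha2-512"}


def key_type_from_line(line):
    """Read the key type from the wire-format blob of an authorized_keys line."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    (length,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + length].decode("ascii")
    if inner != fields[0]:
        raise ValueError("key type label does not match the encoded blob")
    return inner


def usable_sig_alg(key_line, client_algs, allow_sha1):
    """Return the signature algorithm both sides can use, or None if auth fails."""
    for alg in SIG_ALGS_FOR_KEY.get(key_type_from_line(key_line), []):
        if alg in SHA1_SIG_ALGS and not allow_sha1:
            continue  # server policy rejects SHA-1 signatures
        if alg in client_algs:
            return alg
    return None


def sample_key_line(key_type):
    """Constructed sample: correct framing, placeholder key material."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 4) + b"\x00\x01\x02\x03"
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    for kt in ("ssh-rsa", "ssh-ed25519"):
        for name, algs in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
            print(kt, name, usable_sig_alg(sample_key_line(kt), algs, allow_sha1=False))
```
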
coreos/coreos-assembler#1797 was obsoleted by coreos/coreos-assembler#1799 (which merged). Kicking off a CI run here.
da0ae05 to c3144ad
CI passed. Rebasing on
c3144ad to 20fff4a
20fff4a to 5a81519
…keys on F33

We added this in be947c2 because we needed to still be able to run kola
tests on AWS. Now we have a new workaround in COSA [1] so we don't need
to downgrade the policy for SSH in the image.

[1] coreos/coreos-assembler#1797
5a81519 to e034d63
hmm and it looks like CI gets in a weird state if you switch the target branch. Since CI already passed once I'm going to merge this and deal with the consequences (hopefully none) later.