Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

manifests: fedora-coreos-base: remove temporary support for RSA-SHA1 keys on F33 #702

Conversation

dustymabe
Copy link
Member

We added this in be947c2 because we needed to still be able to run kola
tests on AWS. Now we have a new workaround in COSA [1] so we don't need
to downgrade the policy for SSH in the image.

[1] coreos/coreos-assembler#1797

@dustymabe
Copy link
Member Author

I opened this against next-devel for now. Will rebase onto testing-devel once the tests pass (which will need coreos/coreos-assembler#1797 before they will pass).

@dustymabe dustymabe added the hold label Oct 20, 2020
@cgwalters
Copy link
Member

Maybe I'm missing something here but...isn't this more fundamentally that the crypto policy change is probably going to break a lot of Fedora users in general on AWS?

@bgilbert
Copy link
Contributor

Maybe I'm missing something here but...isn't this more fundamentally that the crypto policy change is probably going to break a lot of Fedora users in general on AWS?

No. RSA keys are still valid, but the RSA authentication handshake now requires a different hash algorithm. So the problem only affects old client implementations (the Go SSH client, the Ruby SSH for Vagrant, etc.) that don't support the new algos.

@cgwalters
Copy link
Member

Right, I understand. I guess the debate here comes down to the values of "a lot".

@cgwalters
Copy link
Member

The relationship with AWS is that on other clouds ecdsa or hopefully also ed25519 keys are valid which sidesteps the problem. Although have we done that analysis on a per-cloud basis?

In a quick spot check it looks like GCP supports all those key types.

@cgwalters
Copy link
Member

@dustymabe
Copy link
Member Author

coreos/coreos-assembler#1797 was obsoleted by coreos/coreos-assembler#1799 (which merged). Kicking off a CI run here.

@dustymabe dustymabe force-pushed the dusty-remove-rsa-crypto-policy-downgrade branch from da0ae05 to c3144ad Compare October 20, 2020 21:57
@dustymabe
Copy link
Member Author

CI passed. Rebasing on testing-devel now and if CI passes will merge.

@dustymabe dustymabe force-pushed the dusty-remove-rsa-crypto-policy-downgrade branch from c3144ad to 20fff4a Compare October 20, 2020 23:16
@dustymabe dustymabe changed the base branch from next-devel to testing-devel October 20, 2020 23:16
@dustymabe dustymabe force-pushed the dusty-remove-rsa-crypto-policy-downgrade branch from 20fff4a to 5a81519 Compare October 20, 2020 23:16
…keys on F33

We added this in be947c2 because we needed to still be able to run kola
tests on AWS. Now we have a new workaround in COSA [1] so we don't need
to downgrade the policy for SSH in the image.

[1] coreos/coreos-assembler#1797
@dustymabe dustymabe force-pushed the dusty-remove-rsa-crypto-policy-downgrade branch from 5a81519 to e034d63 Compare October 20, 2020 23:20
@dustymabe
Copy link
Member Author

hmm and it looks like CI gets in a weird state if you switch the target branch. Since CI already passed once I'm going to merge this and deal with the consequences (hopefully none) later.

@dustymabe dustymabe merged commit 6cf2852 into coreos:testing-devel Oct 20, 2020
@dustymabe dustymabe deleted the dusty-remove-rsa-crypto-policy-downgrade branch October 20, 2020 23:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants