Hi devels,
After a few iterations with the systemd people, we managed to put together a new (instantiated by key) sshd-keygen service that complies with the packaging guidelines and improves usability [1]. It is currently built for Rawhide [2].

I understand this is not quite a good time, but it would be great to push this into Fedora 24 as well, so we would not have to wait another release cycle to test it properly. Let me know if you have any concerns about updating the F24 package in this phase, check the frequently asked questions below, or answer this email.


QA session:

What is even the sshd-keygen service?
* It is a one-shot service that runs during first boot, before the sshd server starts. It takes care of generating host keys, and it can also create new host keys for you if you want a new set.

What was wrong with the old version?
* It was basically an init.d script moved into /sbin/

What is better in the new one?
* If you want to configure generation of a different set of keys than the default, you need to do that in three places:
   * Modify AUTOCREATE_SERVER_KEYS in /etc/sysconfig/sshd
   * Modify /etc/systemd/system/sshd-keygen.service to trigger the script
   * systemctl daemon-reload
* With the new version, it should be possible to enable/disable key type generation simply using
   * systemctl enable sshd-keygen@dsa.service

What are changes to existing systems?
* Default installations should not notice any difference
* If you modified AUTOCREATE_SERVER_KEYS, you need to do the appropriate enable/disable for the key types you are interested in.
* New installations should create default keys as before.

Fedora 23?
* No, this change will not go into Fedora 23 to "break" existing setups.

If you have more questions, add your own. Comments are also welcome.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1325535
[2] http://koji.fedoraproject.org/koji/taskinfo?taskID=13645383

Regards,

--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
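
Added example (not part of the original message or of the Fedora package): a shell helper for the migration step in the FAQ above, which turns a customised AUTOCREATE_SERVER_KEYS line into the matching `systemctl enable`/`disable` commands for the instantiated units. It assumes the value is a space-separated list of key types and that the instance names are `rsa`, `ecdsa`, `ed25519` and `dsa`; only `dsa` is named in the message. The commands are printed for review, not executed.

```shell
#!/bin/sh
# Added example: map an old AUTOCREATE_SERVER_KEYS setting onto the
# instantiated sshd-keygen@<type>.service units.
# Assumption: the value is a space-separated list of key types
# (e.g. "RSA ED25519"); any other spelling is rejected, not guessed.

# Instance names considered. The message names only "dsa"; the others
# are assumed here.
KNOWN_TYPES="rsa ecdsa ed25519 dsa"

# Print the last AUTOCREATE_SERVER_KEYS value in a sysconfig-style file,
# unquoted and lower-cased. Commented-out lines are ignored.
read_autocreate() {
    sed -n 's/^[[:space:]]*AUTOCREATE_SERVER_KEYS=//p' "$1" |
        tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]'
}

# Print one "systemctl enable|disable" line per known key type.
plan_keygen_units() {
    wanted=$(read_autocreate "$1")
    # No override in the file: the package defaults apply, nothing to do.
    [ -n "$wanted" ] || return 0
    # Refuse to produce a plan from a value we do not understand.
    for t in $wanted; do
        case " $KNOWN_TYPES " in
            *" $t "*) ;;
            *) echo "unrecognised key type: $t" >&2; return 1 ;;
        esac
    done
    for t in $KNOWN_TYPES; do
        case " $wanted " in
            *" $t "*) echo "systemctl enable sshd-keygen@$t.service" ;;
            *)        echo "systemctl disable sshd-keygen@$t.service" ;;
        esac
    done
}

# When run with a file argument, print the plan for that file.
if [ "$#" -gt 0 ]; then
    plan_keygen_units "$1"
fi
```

Run it as `sh plan-keygen.sh /etc/sysconfig/sshd` (the script name is arbitrary) and review the printed commands before applying them as root.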