On Thu, Dec 8, 2022 at 3:51 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
> On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote: > > Dear Daniel, > > Thanks for your feedback! > > > > On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berra...@redhat.com> > > wrote: > > > > > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote: > > > > The problem we expect is that after reverting the patch we can lose > the > > > > remote access to the hosts because sshd will reject starting because > of > > > > group reading permissions. This should be covered by the upgrade > > > scriptlet, > > > > though we still may come across some issues, especially if you use > host > > > > keys in non-standard locations. How do we properly implement this > feature > > > > to avoid customers' negative feedback? Current upgrade scriptlet > covers > > > > standard key locations/names and works well enough at the 1st glance. > > > > > > In terms of upgrade impact the upgrade scriptlet may not be sufficient > > > to mitigate the compat risk. It is possible that there are > puppet/ansible > > > recipes that will be setting file ownership/permissions on the keys, > > > which might be liable to undo the effect of any RPM upgrade scriptlet. > > > > > > > The proposed changes are available > > > > https://src.fedoraproject.org/rpms/openssh/pull-request/37 > > > > > > > > A separate question is whether we want to publish this announcement > as a > > > > Fedora change and at what level. For me it looks like a > self-contained > > > > change. > > > > > > Publishing a Fedora change looks like a wise idea, given the upgrade > > > risk and its possible ripple effect to OS config mgmt tools like puppet > > > and ansible. > > > > > > > Drafted here, to be published: > > https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit > > I think the "Upgrade/compatibility impact" section ought to call out the > possible risk with config mgmt tools like puppet/ansible, that might be > managing SSH host keys and their permissions/ownership > Done, thanks! -- Dmitry Belyavskiy
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
