On Thu, Dec 8, 2022, at 9:51 AM, Daniel P. Berrangé wrote:

> I think the "Upgrade/compatibility impact" section ought to call out the
> possible risk with config mgmt tools like puppet/ansible, that might be
> managing SSH host keys and their permissions/ownership


So that was done with:

> The problem we expect is that after implementing the change we can
> lose the remote access to the hosts because sshd will reject starting
> because of group reading permissions. This should be covered by
> upgrade script, though we still may come across some issues,
> especially if you use host keys in non-standard location.

This is an accurate statement.  However, I am sure some system administrators 
who end up getting surprised and affected by this and lose remote access to 
their systems and have to take a trip to the data center or whatever may be 
more emotional ;)

There's some related discussion to this in 
https://src.fedoraproject.org/rpms/openssh/pull-request/39# including an idea 
to use the MOTD as a way to warn users.

I think we at a minimum need to implement a warning *now* and push it out to 
Fedora stable releases before even trying to land this.

Further, I would suggest having a phase between "warn" and "your ssh keys in a 
nonstandard location no longer work".  The in-between phase would be something 
like "ssh connections in this setup are subject to a 3 second delay, and also 
fail 1/5 of attempts" or so.  That should make the change a lot more likely to 
be seen.   It won't help the admins that only use ssh rarely and somehow miss 
this change unfortunately.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
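The lock-out scenario in the quoted text (sshd refusing to start because a host key is group-readable, with keys in non-standard locations being the ones an upgrade script is most likely to miss) is straightforward to check for ahead of time. The POSIX sh audit below is an added example, not code from this thread or from the Fedora openssh package. It assumes host keys are named by plain HostKey lines in the sshd_config passed as an argument (Include and Match blocks are not followed), and falls back to the three usual default paths when no HostKey line is present; the demo files it creates are constructed, not real keys.

```shell
#!/bin/sh
# Added example: audit sshd host-key permissions before an upgrade after which
# sshd refuses to start when a host key is group- or world-readable.
# Assumptions (not from the thread): HostKey paths come from plain "HostKey"
# lines in the given sshd_config; Include and Match blocks are not followed;
# when no HostKey line exists the three usual default paths are assumed.

# Print one host-key path per line from sshd_config, or the assumed defaults.
hostkey_paths() {
    paths=$(sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" 2>/dev/null)
    if [ -z "$paths" ]; then
        printf '%s\n' /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
    else
        printf '%s\n' "$paths"
    fi
}

# Octal mode of a file as a string ("600", "640", ...); GNU stat first, BSD/macOS stat as fallback.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True (exit 0) when the group or other digit of the mode is non-zero (0640, 0644, ...).
key_is_too_open() {
    mode=$(key_mode "$1")
    go=${mode#"${mode%??}"}      # last two octal digits: group and other
    [ "$go" != "00" ]
}

# List the host keys from sshd_config that would trip the stricter check.
# Missing files are reported on stderr (an upgrade script cannot fix keys it
# cannot find); offending files go to stdout as "<mode> <path>", one per line.
too_open_hostkeys() {
    hostkey_paths "$1" | while IFS= read -r f; do
        if [ ! -f "$f" ]; then
            printf 'missing: %s\n' "$f" >&2
            continue
        fi
        if key_is_too_open "$f"; then
            printf '%s %s\n' "$(key_mode "$f")" "$f"
        fi
    done
}

# Number of offending keys, so a pre-upgrade hook (or a MOTD generator) can
# decide whether to warn the administrator.
count_too_open() {
    too_open_hostkeys "$1" | wc -l | tr -d ' '
}

# Self-contained demonstration on constructed files in a temporary directory:
# one key in the standard mode 0600 and one in a non-standard directory at 0640.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/custom"
    printf 'HostKey %s/ssh_host_ed25519_key\nHostKey %s/custom/ssh_host_rsa_key\n' "$d" "$d" > "$d/sshd_config"
    : > "$d/ssh_host_ed25519_key";    chmod 0600 "$d/ssh_host_ed25519_key"
    : > "$d/custom/ssh_host_rsa_key"; chmod 0640 "$d/custom/ssh_host_rsa_key"
    count_too_open "$d/sshd_config"   # prints 1: only the 0640 key is flagged
    rm -rf "$d"
}

# Usage: sh hostkey-audit.sh --demo                 (constructed files, prints 1)
#        sh hostkey-audit.sh /etc/ssh/sshd_config   (prints the count for a real config)
case "${1:-}" in
    --demo) demo ;;
    ?*)     count_too_open "$1" ;;
esac
```

Run against the real sshd_config before applying the update: a non-zero count (or any "missing:" line on stderr) is exactly the configuration the quoted paragraph warns about, and the count is cheap enough to feed into a MOTD or a pre-transaction hook so the warning is seen before remote access is lost.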