On Thu, Dec 8, 2022, at 9:51 AM, Daniel P. Berrangé wrote:
> I think the "Upgrade/compatibility impact" section ought to call out the
> possible risk with config mgmt tools like puppet/ansible, that might be
> managing SSH host keys and their permissions/ownership
So that was done with:
> The
On Thu, Dec 8, 2022 at 3:51 PM Daniel P. Berrangé
wrote:
> On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> > Dear Daniel,
> > Thanks for your feedback!
> >
> > On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé
> > wrote:
> >
> > > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dm
Once upon a time, Dmitry Belyavskiy said:
> Drafted here, to be published:
> https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
I guess the original idea was to reduce the setuid footprint (which is a
good goal). I thought host-based auth was deprecated at this point
anyway - it's not enabl
On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> Dear Daniel,
> Thanks for your feedback!
>
> On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé
> wrote:
>
> > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > > The problem we expect is that after revertin
Dear Daniel,
Thanks for your feedback!
On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé
wrote:
> On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > The problem we expect is that after reverting the patch we can lose the
> > remote access to the hosts because sshd will reject
On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> The problem we expect is that after reverting the patch we can lose the
> remote access to the hosts because sshd will reject starting because of
> group reading permissions. This should be covered by the upgrade scriptlet,
> thou