Kevin Fenzi wrote:
> On Thu, Mar 30, 2023 at 11:57:45AM -0400, Frank Ch. Eigler wrote:
>> Hi -
>>
>>> So, as part of our outages yesterday I reinstalled bastion01 (and 02 a
>>> few days before) with rhel9. This means its ssh host key changed.
>>
>> There was no way of saving & restoring the former host key?
>
> I could get it back. But at this point I think it's better to figure out
> how to never hit it again. ;)
>
>>> 1. Enable sshfp:
>>> Add in your .ssh/config the following to the entry for
>>> bastion/fedora-infrastructure hosts:
>>> VerifyHostKeyDNS yes
>>> This will get the ssh fingerprint from dns and confirm it matches.
>>
>> (This is enabled but f37 ssh still rejects the change.)
>
> Odd. It definitely used to work. I can look more when I get a chance.
> I did update the SSHFP records.

The VerifyHostKeyDNS does require secure DNS to avoid any confirmation
prompt. Without DNSSEC, `VerifyHostKeyDNS yes` is the same as
`VerifyHostKeyDNS ask`. Perhaps that's the issue in Frank's case?

--
Todd
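An added example, not part of the original thread or of Fedora's tooling: a Python sketch of the two checks discussed above, deriving the SSHFP record data for a host public key and applying the rule that a matching record only avoids the prompt when the DNS answer was DNSSEC-validated. The key, the records and the `decide` helper are constructed for illustration, and `decide` is a simplified model of the client's behaviour, not OpenSSH code.

```python
import base64
import hashlib
import struct

FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def key_algorithm(key_type):
    """Map an OpenSSH key type name to its SSHFP algorithm number."""
    if key_type.startswith("ecdsa-sha2-"):
        return 3
    return {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}[key_type]

def sshfp_for_key(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex digest) for a 'type base64 [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type label does not match the key blob")
    return key_algorithm(key_type), fp_type, FP_HASHES[fp_type](blob).hexdigest()

def decide(pubkey_line, records, dnssec_validated):
    """Simplified model of the client decision with VerifyHostKeyDNS yes."""
    offered = {sshfp_for_key(pubkey_line, t) for t in FP_HASHES}
    published = {(alg, t, fp.lower()) for alg, t, fp in records}
    if not offered & published:
        return "no-match"   # DNS does not vouch for this key
    # A match only skips the prompt when the answer was DNSSEC-validated.
    return "trusted" if dnssec_validated else "ask"

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample key (not a real host key): 32 dummy bytes as an Ed25519 key.
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"
GOOD = sshfp_for_key(SAMPLE_KEY)   # record matching the sample key
STALE = (4, 2, "00" * 32)          # constructed record left over from an old key

if __name__ == "__main__":
    print("SSHFP rdata:", *GOOD)
    for records, secure in [([GOOD], True), ([GOOD], False), ([STALE], True)]:
        print(decide(SAMPLE_KEY, records, secure))
```

The tuple from `sshfp_for_key` has the same three fields as the data of a published SSHFP record, so it can be compared against what the zone serves after a host is reinstalled.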