Re: bastion ssh host key change 2023-03-29

On 30/03/2023 22:25, Kevin Fenzi wrote:
On Thu, Mar 30, 2023 at 04:11:45PM -0400, Frank Ch. Eigler wrote:
Hi -

The VerifyHostKeyDNS does require secure DNS to avoid any
confirmation prompt.  Without DNSSEC, `VerifyHostKeyDNS yes`
is the same as `VerifyHostKeyDNS ask`.

OK, that's one thing to check/fix.

Ah yeah, that could well be the case.

Perhaps that's the issue in Frank's case?

Plus: bastion-iad01.fedoraproject.org. appears to lack the SSHFP records.

We should drop that from dns. It was only used when we were moving from
phx2 to iad2. There should be 3 things in dns:

bastion01.fedoraproject.org
bastion02.fedoraproject.org
bastion.fedoraproject.org

with the last one being a CNAME for whichever one is default
(currently 01).

Anyhow, the ssh access SOP should be updated with all this info.

Probably sshfp isn't worth doing these days and we should just stick
with the certificate signed config.

+1 to that ..
While it's possible to automate SSHFP (to a kind of delegated/dynamic zone), I prefer just relying on signed host certificate: just trust the CA once and enjoy forever :)

FWIW, that's also what we do for centos.org infra

--
Fabian Arrotin
gpg key: 17F3B7A1
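An added example, not code from this thread or from Fedora infrastructure, that models the VerifyHostKeyDNS point above: it derives the SHA-256 SSHFP record for a host key the way `ssh-keygen -r` does, compares it with the SSHFP answers a resolver returned, and only reports "trusted" when the answer was DNSSEC-validated (AD bit set); an unvalidated match falls back to "ask", which is the behaviour the thread describes. The host key, the record text and the verdict strings are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm / fingerprint-type numbers from the SSHFP RR registry
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_SHA256 = 2


def sshfp_from_pubkey(pubkey_line):
    """Return (alg, fptype, hex) as `ssh-keygen -r` would for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])          # the wire blob starts with the key type string
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match the line")
    return SSHFP_ALG[keytype], FP_SHA256, hashlib.sha256(blob).hexdigest()


def parse_sshfp_rdata(rdata):
    """Parse the RDATA of an SSHFP answer as dig prints it, e.g. '4 2 ab12...'."""
    alg, fptype, hexfp = rdata.split()
    return int(alg), int(fptype), hexfp.lower()


def verify_host_key_dns(pubkey_line, rdatas, ad_flag):
    """Simplified model of VerifyHostKeyDNS=yes: 'trusted' only for a DNSSEC-validated match;
    an unvalidated match is 'ask' (same as VerifyHostKeyDNS=ask); otherwise 'no-records'/'mismatch'."""
    if not rdatas:
        return "no-records"
    expected = sshfp_from_pubkey(pubkey_line)
    if not any(parse_sshfp_rdata(r) == expected for r in rdatas):
        return "mismatch"
    return "trusted" if ad_flag else "ask"


def constructed_pubkey_line(keytype, raw):
    """Build an OpenSSH public key line from raw key bytes (constructed test data, not a real host key)."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + struct.pack(">I", len(raw)) + raw
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"


SAMPLE_KEY = constructed_pubkey_line("ssh-ed25519", bytes(range(32)))   # constructed, not a real key
SAMPLE_RDATA = "%d %d %s" % sshfp_from_pubkey(SAMPLE_KEY)               # what the zone should carry

if __name__ == "__main__":
    print("SSHFP", SAMPLE_RDATA)
    print(verify_host_key_dns(SAMPLE_KEY, [SAMPLE_RDATA], ad_flag=False))  # ask
    print(verify_host_key_dns(SAMPLE_KEY, [SAMPLE_RDATA], ad_flag=True))   # trusted
```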


infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
