On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote: > Dear Daniel, > Thanks for your feedback! > > On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> > wrote: > > > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote: > > > The problem we expect is that after reverting the patch we can lose the > > > remote access to the hosts because sshd will reject starting because of > > > group reading permissions. This should be covered by the upgrade > > scriptlet, > > > though we still may come across some issues, especially if you use host > > > keys in non-standard locations. How do we properly implement this feature > > > to avoid customers' negative feedback? Current upgrade scriptlet covers > > > standard key locations/names and works well enough at the 1st glance. > > > > In terms of upgrade impact the upgrade scriptlet may not be sufficient > > to mitigate the compat risk. It is possible that there are puppet/ansible > > recipes that will be setting file ownership/permissions on the keys, > > which might be liable to undo the effect of any RPM upgrade scriptlet. > > > > > The proposed changes are available > > > https://src.fedoraproject.org/rpms/openssh/pull-request/37 > > > > > > A separate question is whether we want to publish this announcement as a > > > Fedora change and at what level. For me it looks like a self-contained > > > change. > > > > Publishing a Fedora change looks like a wise idea, given the upgrade > > risk and its possible ripple effect to OS config mgmt tools like puppet > > and ansible. > > > > Drafted here, to be published: > https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit I think the "Upgrade/compatibility impact" section ought to call out the possible risk with config mgmt tools like puppet/ansible, that might be managing SSH host keys and their permissions/ownership With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
