On Wed, Jul 03, 2024 at 07:01:05AM GMT, Peter Boy wrote:
>
>
> > On 02.07.2024 at 23:50, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >
> > On Tue, Jul 02, 2024 at 02:21:40PM GMT, Chris Adams wrote:
> >> Once upon a time, Kevin Fenzi <kevin@xxxxxxxxx> said:
> >>> Please see https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org
> >>> For more information, including information on adding our SSH CA or
> >>> using dnssec / sshfp to verify the ssh host key of the new host.
> >>
> >> AFAIK the default Fedora setup with systemd-resolved does not support
> >> DNSSEC for ssh using SSHFP records, and also the default SSH config
> >> doesn't have VerifyHostKeyDNS enabled (so even if ssh could get the
> >> record, with DNSSEC, it wouldn't use it).
> >
> > Yep, you need to enable dnssec in systemd-resolved (and have a
> > nameserver that supports it) and set VerifyHostKeyDNS=yes in ssh_config.
> >
> > For that reason, I would say just adding the fedoraproject CA to
> > known_hosts is much easier. (And also works for other fedoraproject.org
> > hosts).
>
>
> Maybe we need a more extensive documentation for this? Something like:

Docs are always good. Note that the audience for these is fedora
contributors that have access to fedorapeople.org, not all fedora users.

> 1. minimal action
> - What do you achieve (just use the functionality as you did before)
> - Deal with the message "… authenticity of host … can't be established."
>
> 2. Use optional functionality
> - SSH CA
>   - What do you achieve
>   - How to configure
> - dnssec
>   - What do you achieve
>   - How to configure

Well, I think probably we should just tell folks to add the CA to their
known_hosts and then perhaps as an aside mention sshfp records and such.
That's much harder to set up right.

> We could do that by creating a Quick Doc article or by adding a section
> to the current Wiki page.

The wiki page could always use improvement...
I guess at some point ideally we would move docs like this off the wiki and under docs.fedoraproject.org somewhere ( under the infra space seems not fully right, but I guess it could be there if nothing else comes to mind ).
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
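The thread above discusses the SSHFP path (DNSSEC in systemd-resolved plus VerifyHostKeyDNS=yes) as the harder alternative to pinning the CA in known_hosts. The following is an added example, not code from the thread or from Fedora infrastructure: it shows what an SSHFP record actually contains and how a client checks a presented host key against it, i.e. the computation behind `ssh-keygen -r hostname` and the comparison ssh performs when VerifyHostKeyDNS is on. The host key used is constructed for the example and is not fedorapeople.org's key; the hostname is only a label in the emitted record. The example does no DNS lookup, which is exactly the part the thread calls hard to get right: ssh only treats a matching SSHFP record as authoritative when the resolver returned it DNSSEC-validated, otherwise it still prompts.

```python
"""SSHFP records for an OpenSSH host key, and the client-side match check.

Added example (not from the mailing list thread or Fedora infra).
Mirrors `ssh-keygen -r host` and the comparison ssh does for
VerifyHostKeyDNS=yes; the DNS/DNSSEC lookup itself is out of scope.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (RFC 6594)
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def parse_pubkey_line(line):
    """Split an OpenSSH 'keytype base64 [comment]' line into (keytype, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The wire-format blob starts with a length-prefixed copy of the key
    # type; refuse lines where the text field and the blob disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_records(hostname, pubkey_line):
    """Return the SSHFP RRs for a host key, one per fingerprint type,
    in the same order ssh-keygen -r prints them (SHA-1 first, then SHA-256)."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {hashlib.new(name, blob).hexdigest()}"
        for fptype, name in SSHFP_FPTYPE.items()
    ]


def host_key_matches_sshfp(pubkey_line, rr):
    """Does the presented host key match one SSHFP RR?

    This is the fingerprint comparison only. A real client must also
    require that the RR came back DNSSEC-validated (AD bit) before
    trusting it; without that, ssh still asks the user to confirm.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg, fptype, fingerprint = rr.split()[-3:]
    if int(alg) != SSHFP_ALGORITHM.get(keytype):
        return False
    name = SSHFP_FPTYPE.get(int(fptype))
    if name is None:
        return False  # unknown fingerprint type: the record is ignored
    return hashlib.new(name, blob).hexdigest() == fingerprint.lower()


def _ed25519_line(raw32):
    """Build a syntactically valid ssh-ed25519 public key line from 32 bytes.
    Constructed test data for this example, not a real host key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


SAMPLE_KEY = _ed25519_line(bytes(range(32)))                     # constructed
TAMPERED_KEY = _ed25519_line(bytes([255]) + bytes(range(1, 32)))  # one byte changed

if __name__ == "__main__":
    rrs = sshfp_records("fedorapeople.org", SAMPLE_KEY)
    for rr in rrs:
        print(rr)
    print("genuine key matches SHA-256 RR:", host_key_matches_sshfp(SAMPLE_KEY, rrs[1]))
    print("tampered key matches SHA-256 RR:", host_key_matches_sshfp(TAMPERED_KEY, rrs[1]))
```

Two things worth noting when comparing this with the CA approach from the thread: the SSHFP check is per host key, so every host needs its own records published and the client needs a validating resolver for each lookup, whereas a single `@cert-authority` line in known_hosts covers every host whose certificate the CA signed. That is the practical reason the thread recommends the CA as the primary instruction and the SSHFP setup as an aside.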