On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> Dear Daniel,
> Thanks for your feedback!
>
> On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange@redhat.com>
> wrote:
>
> > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > > The problem we expect is that after reverting the patch we can lose the
> > > remote access to the hosts because sshd will reject starting because of
> > > group reading permissions. This should be covered by the upgrade
> > scriptlet,
> > > though we still may come across some issues, especially if you use host
> > > keys in non-standard locations. How do we properly implement this feature
> > > to avoid customers' negative feedback? Current upgrade scriptlet covers
> > > standard key locations/names and works well enough at the 1st glance.
> >
> > In terms of upgrade impact the upgrade scriptlet may not be sufficient
> > to mitigate the compat risk. It is possible that there are puppet/ansible
> > recipes that will be setting file ownership/permissions on the keys,
> > which might be liable to undo the effect of any RPM upgrade scriptlet.
> >
> > > The proposed changes are available
> > > https://src.fedoraproject.org/rpms/openssh/pull-request/37
> > >
> > > A separate question is whether we want to publish this announcement as a
> > > Fedora change and at what level. For me it looks like a self-contained
> > > change.
> >
> > Publishing a Fedora change looks like a wise idea, given the upgrade
> > risk and its possible ripple effect to OS config mgmt tools like puppet
> > and ansible.
> >
>
> Drafted here, to be published:
> https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit

I think the "Upgrade/compatibility impact" section ought to call out the
possible risk with config mgmt tools like puppet/ansible, that might be
managing SSH host keys and their permissions/ownership