Dear Daniel,
Thanks for your feedback!
On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange(a)redhat.com>
wrote:
> On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > The problem we expect is that after reverting the patch we can lose the
> > remote access to the hosts because sshd will reject starting because of
> > group reading permissions. This should be covered by the upgrade
> scriptlet,
> > though we still may come across some issues, especially if you use host
> > keys in non-standard locations. How do we properly implement this feature
> > to avoid customers' negative feedback? Current upgrade scriptlet covers
> > standard key locations/names and works well enough at the 1st glance.
>
> In terms of upgrade impact the upgrade scriptlet may not be sufficient
> to mitigate the compat risk. It is possible that there are puppet/ansible
> recipes that will be setting file ownership/permissions on the keys,
> which might be liable to undo the effect of any RPM upgrade scriptlet.
>
> > The proposed changes are available
> >
https://src.fedoraproject.org/rpms/openssh/pull-request/37
> >
> > A separate question is whether we want to publish this announcement as a
> > Fedora change and at what level. For me it looks like a self-contained
> > change.
>
> Publishing a Fedora change looks like a wise idea, given the upgrade
> risk and its possible ripple effect to OS config mgmt tools like puppet
> and ansible.
>
Drafted here, to be published:
https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
I think the "Upgrade/compatibility impact" section ought to call out the
possible risk with config mgmt tools like puppet/ansible, that might be
managing SSH host keys and their permissions/ownership
With regards,
Daniel
--
|: