On Thu, Dec 8, 2022, at 9:51 AM, Daniel P. Berrangé wrote:
> I think the "Upgrade/compatibility impact" section ought to call out the
> possible risk with config mgmt tools like puppet/ansible, that might be
> managing SSH host keys and their permissions/ownership
So that was done with:
> The problem we expect is that after implementing the change we can
> lose the remote access to the hosts because sshd will reject starting
> because of group reading permissions. This should be covered by
> upgrade script, though we still may come across some issues,
> especially if you use host keys in non-standard location.
This is an accurate statement. However, I am sure some system administrators who end up
getting surprised and affected by this and lose remote access to their systems and have to
take a trip to the data center or whatever may be more emotional ;)
There's some related discussion to this in
https://src.fedoraproject.org/rpms/openssh/pull-request/39# including an idea to use the
MOTD as a way to warn users.
I think we at a minimum need to implement a warning *now* and push it out to Fedora stable
releases before even trying to land this.
Further, I would suggest having a phase between "warn" and "your ssh keys
in a nonstandard location no longer work". The in-between phase would be something
like "ssh connections in this setup are subject to a 3 second delay, and also fail
1/5 of attempts" or so. That should make the change a lot more likely to be seen.
It won't help the admins that only use ssh rarely and somehow miss this change
unfortunately.
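
Added example, not part of the original message or of the openssh package: a pre-upgrade check that a warning phase like the one discussed above could run, listing host keys named in an sshd_config-style file whose mode grants group or other access. The function names and the sample files are assumptions made for illustration; only plain `HostKey <path>` lines are read.

```shell
#!/bin/sh
# Added example: flag sshd host keys that are accessible beyond their owner.
# Assumption: key paths come from "HostKey <path>" lines of one sshd_config-style
# file; Include, Match and the "HostKey=<path>" form are not handled.

# Print the path argument of every HostKey line (keyword is case-insensitive).
hostkey_paths() {
    awk 'tolower($1) == "hostkey" && NF >= 2 { print $2 }' "$1"
}

# Print "PERMS PATH" for each listed key with any group/other permission bit
# set. Returns 1 if at least one was found, 0 otherwise.
check_hostkeys() {
    bad=$(hostkey_paths "$1" | while IFS= read -r key; do
        [ -f "$key" ] || continue
        perms=$(ls -ld "$key" | cut -c1-10)
        case $perms in
            ????------) ;;                          # owner-only access
            *) printf '%s %s\n' "$perms" "$key" ;;  # group/other bits set
        esac
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample: one owner-only key and one group-readable key in a
# non-standard directory (empty placeholder files, not real keys).
demo() {
    d=$(mktemp -d)
    : > "$d/ssh_host_ed25519_key"; chmod 600 "$d/ssh_host_ed25519_key"
    : > "$d/ssh_host_rsa_key";     chmod 640 "$d/ssh_host_rsa_key"
    printf 'HostKey %s\nhostkey %s\n' \
        "$d/ssh_host_ed25519_key" "$d/ssh_host_rsa_key" > "$d/sshd_config"
    rc=0
    check_hostkeys "$d/sshd_config" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "WARNING: host keys listed above are accessible to group/other"
```

On a real host the same function would be pointed at the configuration file sshd actually loads, and the non-zero return is what a MOTD or login warning hook could key on.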