Skip to content

mantle: make kola use ecdsa SSH keys #1749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 2, 2020
Merged

mantle: make kola use ecdsa SSH keys #1749

merged 1 commit into from
Oct 2, 2020

Conversation

dustymabe
Copy link
Member

Upstream SSH has been claiming [1] for a few releases now that:

It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

In Fedora we switched recently [2] to disallow ssh-rsa so we need to
switch our tools to a different type of key.

[1] https://www.openssh.com/txt/release-8.3
[2] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e107b7e9699b36879eca031d1900ded1c4

@dustymabe
Copy link
Member Author

This is needed for the switch to Fedora 33 so our tests can run.

@travier
Copy link
Member

travier commented Oct 1, 2020

This looks good to me but to be more precise, it's RSA-SHA1 that is being deprecated not RSA 2048+ with SHA2+. I don't know why this is interpreted as RSA-SHA1 by the agent though so I would say let's go with this.

cgwalters
cgwalters reviewed Oct 1, 2020
View reviewed changes
Copy link
Member

@cgwalters cgwalters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the unit test needs fixing.

Seems OK to me but I also personally prefer ed25519 keys. See https://www.google.com/search?client=firefox-b-1-d&q=ecdsa+vs+ed25519

@dustymabe dustymabe force-pushed the dusty-kola-update-ssh-key branch from 59ba03f to e0751e3 Compare October 1, 2020 19:48
@dustymabe
Copy link
Member Author

Looks like the unit test needs fixing.

Thanks Walters, fixed!

@dustymabe dustymabe mentioned this pull request Oct 1, 2020
Closed
@jlebon
Copy link
Member

jlebon commented Oct 1, 2020

/lgtm

@cgwalters
Copy link
Member

I tried restarting the Jenkins job but clicking didn't do anything and clicking Retry in the old UI just gives me java.io.IOException: github-ci/coreos/coreos-assembler/PR-1749 is not buildable

@cgwalters
Copy link
Member

@dustymabe try a force push?

@dustymabe dustymabe force-pushed the dusty-kola-update-ssh-key branch from e0751e3 to dd642a3 Compare October 1, 2020 20:58
@dustymabe
Copy link
Member Author

@dustymabe try a force push?

done.. will need to re-add /lgtm.

@jlebon
Copy link
Member

jlebon commented Oct 1, 2020

/lgtm

Still investigating Jenkins weirdness. Can you leave this PR open and just open another one for now? It looks specific to this PR.

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustymabe, jlebon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dustymabe dustymabe mentioned this pull request Oct 1, 2020
Closed
@dustymabe
mantle: make kola use ecdsa SSH keys
8b170b3 
Upstream SSH has been claiming [1] for a few releases now that:

```
It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
```

In Fedora we switched recently [2] to disallow ssh-rsa so we need to
switch our tools to a different type of key.

[1] https://www.openssh.com/txt/release-8.3
[2] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e107b7e9699b36879eca031d1900ded1c4
@dustymabe dustymabe force-pushed the dusty-kola-update-ssh-key branch from dd642a3 to 8b170b3 Compare October 2, 2020 03:10
@openshift-ci-robot
Copy link

New changes are detected. LGTM label has been removed.

@dustymabe dustymabe added the lgtm label Oct 2, 2020
@openshift-merge-robot openshift-merge-robot merged commit 5c036d1 into coreos:master Oct 2, 2020
@lucab
Copy link
Contributor

lucab commented Oct 6, 2020

This breaks kols on AWS, with InvalidKey.Format: Key is not in valid OpenSSH public key format.

In particular, AWS only supports RSA keys (see docs):

  • Create an RSA key. Amazon EC2 does not accept DSA keys.
  • The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.

This was referenced Oct 6, 2020
Closed
Merged
This was referenced Oct 6, 2020
Closed
Closed
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this pull request Oct 6, 2020
@dustymabe
manifests: fedora-coreos-base: temporary support for RSA-SHA1 keys on…
bf1a546 
… f33

For F33 let's re-enable RSA-SHA1 keys for now so our kola tests will
work. The plan is to only re-enable this briefly while we wait for
an upstream feature [1] to be implemented. We had moved to an ecdsa
key [2] but AWS doesn't support non RSA keys [3] so we reverted it
for now in [4].

[1] golang/go#37278 (comment)
[2] coreos/coreos-assembler#1749
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws
[4] coreos/coreos-assembler#1767
@dustymabe dustymabe mentioned this pull request Oct 6, 2020
Merged
dustymabe added a commit to coreos/fedora-coreos-config that referenced this pull request Oct 6, 2020
@dustymabe
manifests: fedora-coreos-base: temporary support for RSA-SHA1 keys on…
be947c2 
… f33

For F33 let's re-enable RSA-SHA1 keys for now so our kola tests will
work. The plan is to only re-enable this briefly while we wait for
an upstream feature [1] to be implemented. We had moved to an ecdsa
key [2] but AWS doesn't support non RSA keys [3] so we reverted it
for now in [4].

[1] golang/go#37278 (comment)
[2] coreos/coreos-assembler#1749
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws
[4] coreos/coreos-assembler#1767
kelvinfan001 pushed a commit to kelvinfan001/fedora-coreos-config that referenced this pull request Dec 14, 2020
@dustymabe @kelvinfan001
manifests: fedora-coreos-base: temporary support for RSA-SHA1 keys on…
0706f6a 
… f33

For F33 let's re-enable RSA-SHA1 keys for now so our kola tests will
work. The plan is to only re-enable this briefly while we wait for
an upstream feature [1] to be implemented. We had moved to an ecdsa
key [2] but AWS doesn't support non RSA keys [3] so we reverted it
for now in [4].

[1] golang/go#37278 (comment)
[2] coreos/coreos-assembler#1749
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws
[4] coreos/coreos-assembler#1767
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cgwalters cgwalters cgwalters left review comments

@darkmuggle darkmuggle Awaiting requested review from darkmuggle

@mike-nguyen mike-nguyen Awaiting requested review from mike-nguyen

Assignees

@jlebon jlebon

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@dustymabe @travier @jlebon @cgwalters @openshift-ci-robot @lucab @openshift-merge-robot