Hi Georg, Martin,

On 02:14 Mon 30 Jan , Georg Faerber wrote:
> Hi Apollon,
>
> On 17-01-30 01:34:38, Martin Weinelt wrote:
> > ganeti heavily depends on SSH-DSS keypairs for operations between
> > cluster nodes, with OpenSSH 7.0 said keys have been deprecated.
> >
> > Please add a remark that SSH-DSS needs to be reallowed if ganeti is
> > supposed to work.
> >
> > In /etc/ssh/ssh_config
> > Add PubkeyAcceptedKeyTypes +ssh-dss
> >
> > In /etc/ssh/sshd_config
> > Add PubkeyAcceptedKeyTypes +ssh-dss

A workaround for this is to generate and distribute keys yourself and
tell Ganeti not to modify the ssh setup instead (at gnt-cluster init
time). Re-enabling the DSA keys (at least on new clusters) should really
be avoided, there is a reason OpenSSH has dropped support by default :)

>
> Do you think it would be possible to cherry-pick the changes, [1] and
> the following commits, some of them at least, which were made against
> the 2.16 branch, into the Debian package? It would be great to have this
> fixed for stretch, but I'm unsure if changing that much is acceptable
> given the late point in the freeze.
>
> I didn't check if these commits apply cleanly against the current
> source, but maybe this could serve as a starting point.

It should be possible to have this in Stretch. However, being a week
away from the freeze complicates things a bit and it will take some time
(also depending on the release team's workload).

Cheers,
Apollon

