On Thu, Dec 8, 2022, at 9:51 AM, Daniel P. Berrangé wrote:
> I think the "Upgrade/compatibility impact" section ought to call out the
> possible risk with config mgmt tools like puppet/ansible, that might be
> managing SSH host keys and their permissions/ownership
So that was done with:
>
On Thu, Dec 8, 2022 at 3:51 PM Daniel P. Berrangé wrote:
> On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> > Dear Daniel,
> > Thanks for your feedback!
> >
> > On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé wrote:
> >
> > > On Wed, Dec 07, 2022 at 01:48:48PM +0100,
Once upon a time, Dmitry Belyavskiy said:
> Drafted here, to be published:
> https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
I guess the original idea was to reduce the setuid footprint (which is a
good goal). I thought host-based auth was deprecated at this point
anyway - it's not
On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> Dear Daniel,
> Thanks for your feedback!
>
> On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé wrote:
>
> > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > > The problem we expect is that after
Dear Daniel,
Thanks for your feedback!
On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé wrote:
> On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > The problem we expect is that after reverting the patch we can lose the
> > remote access to the hosts because sshd will
On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> The problem we expect is that after reverting the patch we can lose the
> remote access to the hosts because sshd will reject starting because of
> group reading permissions. This should be covered by the upgrade scriptlet,
>
Dear colleagues,
Many years ago we implemented the patch
https://src.fedoraproject.org/rpms/openssh/c/1ddd0ee5
Unfortunately, as it was 11 years ago, we can't find the exact explanation
where the requirement came from. We think that we intended to increase
security, but it probably caused more