Re: Issue 236 in ganeti: Use RSA keys instead of DSA
Comment #12 on issue 236 by zen2dr...@gmail.com: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

NOTICE: DSA is deprecated with recent openssh version > 7.0.

Workaround to make openssh accept DSA keys is: write in .ssh/config or /etc/ssh/ssh_config:

    Host IP_node1 IP_node2 ... (or FQDN list)
        PubkeyAcceptedKeyTypes +ssh-dss

-- You received this message because this project is configured to send all issue notifications to this address. You may adjust your notification preferences at: https://code.google.com/hosting/settings
Updates:
    Status: Fixed

Comment #11 on issue 236 by r...@google.com: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

This has been implemented in 2.16, in far too many commits to list here. The options available are ecdsa, rsa, and dsa, and there is an option for the size of the key as well, aware of the various per-key restrictions. Due to the numerous checks we perform, the "insert your own key type" option was not implemented. The code is easily extendable, and new types can be added without issues.
Updates:
    Owner: r...@google.com

Comment #10 on issue 236 by hel...@google.com: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

(No comment was entered for this change.)
Updates:
    Labels: Priority-Critical Milestone-Release2.16

Comment #9 on issue 236 by pud...@google.com: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

(No comment was entered for this change.)
Comment #8 on issue 236 by mi...@leap.se: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

> 3. Have a cluster level parameter that tells ganeti to use rsa or dsa (and can only have those two values)

If you are going to do the work to resolve this, then you should take care to make this flexible for the future. Having hard-coded values for crypto primitives makes it very difficult to maneuver out from under those that become problematic. Crypto primitive flexibility is critical - if an exploit is found for something that has been hard-coded, and there is no easy way for a user of the software to configure something different, then the user has to wait an indeterminate amount of time for the code to be updated, which is always a slower process than changing configuration values.

As a further reason for doing this: many people are moving away even from RSA keys now, for example towards ed25519 keys. If you are doing the work to support RSA keys, then do the work to support *any* key type in an easy way!
Updates:
    Owner: hel...@google.com

Comment #7 on issue 236 by aeh...@google.com: Use RSA keys instead of DSA
https://code.google.com/p/ganeti/issues/detail?id=236

(No comment was entered for this change.)
Comment #6 on issue 236 by st...@pressers.name: Use RSA keys instead of DSA
http://code.google.com/p/ganeti/issues/detail?id=236

It looks like 1 and 2 are already done - see constants.py:688 or so. I haven't looked at what work might already be done on 3 - that's my next step.

I'm going to split at least one of my issues off into a new issue because it is distinct from the hardcoded keys discussed here.
Comment #5 on issue 236 by ultrot...@google.com: Use RSA keys instead of DSA
http://code.google.com/p/ganeti/issues/detail?id=236

Sure, we'd be happy if you wanted to work on this. I believe it can be done in the following way:

1. extract the hardcoded DSA to a constant named "dsa" (nothing changes but now it's a constant)
2. Have both a "dsa" and an "rsa" constant
3. Have a cluster level parameter that tells ganeti to use rsa or dsa (and can only have those two values)
4. optionally, add the value "auto" and search in order for which key already exist between those

Thanks!
Guido
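The plan in comment #5 (a validated cluster-level key-type parameter with an optional "auto" search order), the "support any key type" argument in comment #8, and the per-key size restrictions comment #11 mentions, written out as an added Python example. This is not Ganeti's code and does not reproduce its 2.16 implementation: KEY_TYPES, AUTO_ORDER, SshKeyError, validate_key_param, ssh_keygen_argv and find_key_pair are this example's own names, and the size limits encoded in KEY_TYPES are its assumptions about what ssh-keygen accepts. One check is added that the thread's symlink workaround (comment #4) makes necessary: the public key file's first field must agree with the algorithm its file name implies, so a DSA key symlinked to id_rsa is reported rather than silently used.

```python
import os

# Added example (not Ganeti code). Per-type restrictions as ssh-keygen enforces them;
# the numbers below are this example's assumptions about OpenSSH, not Ganeti's defaults:
#   rsa      modulus must be at least 1024 bits (ssh-keygen refuses smaller ones)
#   dsa      exactly 1024 bits, the only DSA size OpenSSH generates
#   ecdsa    only the NIST curves 256, 384 or 521
#   ed25519  fixed size, ssh-keygen ignores -b
KEY_TYPES = {
    "rsa":     {"prefix": "ssh-rsa", "user": "id_rsa", "host": "ssh_host_rsa_key",
                "sizes": None, "min_size": 1024, "default": 2048},
    "dsa":     {"prefix": "ssh-dss", "user": "id_dsa", "host": "ssh_host_dsa_key",
                "sizes": (1024,), "min_size": None, "default": 1024},
    "ecdsa":   {"prefix": "ecdsa-sha2-nistp", "user": "id_ecdsa", "host": "ssh_host_ecdsa_key",
                "sizes": (256, 384, 521), "min_size": None, "default": 256},
    "ed25519": {"prefix": "ssh-ed25519", "user": "id_ed25519", "host": "ssh_host_ed25519_key",
                "sizes": None, "min_size": None, "default": None},
}
# Search order for the "auto" value of the cluster parameter: strongest first, DSA last.
AUTO_ORDER = ("ed25519", "ecdsa", "rsa", "dsa")


class SshKeyError(Exception):
    """Raised for an invalid key parameter or a missing/inconsistent key pair."""


def validate_key_param(key_type, key_size=None):
    """Validate the cluster-level (key_type, key_size) pair and return it normalised."""
    if key_type == "auto":
        if key_size is not None:
            raise SshKeyError("key_size cannot be combined with key_type=auto")
        return "auto", None
    spec = KEY_TYPES.get(key_type)
    if spec is None:
        raise SshKeyError("unknown key type %r, expected one of: auto, %s"
                          % (key_type, ", ".join(sorted(KEY_TYPES))))
    if key_size is None:
        return key_type, spec["default"]
    if key_type == "ed25519":
        raise SshKeyError("ed25519 keys have a fixed size, do not pass key_size")
    if spec["sizes"] is not None and key_size not in spec["sizes"]:
        raise SshKeyError("%s keys must be %s bits"
                          % (key_type, " or ".join(str(s) for s in spec["sizes"])))
    if spec["min_size"] is not None and key_size < spec["min_size"]:
        raise SshKeyError("%s keys must be at least %d bits" % (key_type, spec["min_size"]))
    return key_type, key_size


def ssh_keygen_argv(key_type, key_size, priv_path):
    """Build the ssh-keygen command line for an unencrypted key pair at priv_path."""
    key_type, key_size = validate_key_param(key_type, key_size)
    if key_type == "auto":
        raise SshKeyError("cannot generate a key of type auto; pick a concrete type")
    argv = ["ssh-keygen", "-q", "-t", key_type, "-f", priv_path, "-N", ""]
    if key_size is not None:
        argv += ["-b", str(key_size)]
    return argv


def _pub_key_type(pub_path):
    """Return the algorithm name from the first field of a public key file, or None."""
    try:
        with open(pub_path) as fh:
            fields = fh.readline().split()
    except (IOError, OSError):
        return None
    return fields[0] if fields else None


def find_key_pair(key_type, directory, kind="user"):
    """Locate a (type, private_path, public_path) triple in directory.

    kind is "user" for ~/.ssh/id_* files or "host" for /etc/ssh/ssh_host_*_key.
    With key_type="auto" the first complete pair in AUTO_ORDER wins. The public
    file's first field must match the algorithm its file name implies, so a
    symlinked or copied key of another type is reported instead of being used.
    """
    if key_type == "auto":
        candidates = AUTO_ORDER
    else:
        candidates = (validate_key_param(key_type)[0],)
    problems = []
    for name in candidates:
        spec = KEY_TYPES[name]
        priv = os.path.join(directory, spec[kind])
        pub = priv + ".pub"
        if not (os.path.isfile(priv) and os.path.isfile(pub)):
            problems.append("%s: %s or %s missing" % (name, priv, pub))
            continue
        actual = _pub_key_type(pub)
        if actual is None or not actual.startswith(spec["prefix"]):
            problems.append("%s: %s holds %r, expected %s" % (name, pub, actual, spec["prefix"]))
            continue
        return name, priv, pub
    raise SshKeyError("no usable %s key pair: %s" % (kind, "; ".join(problems)))


if __name__ == "__main__":
    try:
        print(find_key_pair("auto", os.path.expanduser("~/.ssh")))
    except SshKeyError as err:
        print("error: %s" % err)
```

Rejecting unknown type names in validate_key_param is the "only those values" rule from step 3; adding a type is one dictionary entry, which is the flexibility comment #8 asks for. Searching AUTO_ORDER with DSA last means a cluster that already has a stronger key pair never falls back to ssh-dss by accident, and the error message lists every candidate that was tried, which is more useful than the bare IOError in comment #4.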
Comment #4 on issue 236 by st...@pressers.name: Use RSA keys instead of DSA
http://code.google.com/p/ganeti/issues/detail?id=236

This is still an issue in 2.6.2. I spun up a new cluster this morning and had to symlink keys into existence. There needs to be a more robust way of finding keys. I am willing to work on this if someone points me in the correct direction/gives me the go-ahead to write a key-finder.

For the record, the errors I get are:

    # gnt-cluster init ...
      File "/usr/local/sbin/gnt-cluster", line 21, in <module>
        sys.exit(main.Main())
      File "/usr/lib/python2.6/site-packages/ganeti/client/gnt_cluster.py", line 1600, in Main
        aliases=aliases)
      File "/usr/lib/python2.6/site-packages/ganeti/cli.py", line 2241, in GenericMain
        result = func(options, args)
      File "/usr/lib/python2.6/site-packages/ganeti/rpc.py", line 131, in wrapper
        return fn(*args, **kwargs)
      File "/usr/lib/python2.6/site-packages/ganeti/client/gnt_cluster.py", line 226, in InitCluster
        disk_state=disk_state,
      File "/usr/lib/python2.6/site-packages/ganeti/bootstrap.py", line 473, in InitCluster
        sshline = utils.ReadFile(constants.SSH_HOST_RSA_PUB)
      File "/usr/lib/python2.6/site-packages/ganeti/utils/io.py", line 105, in ReadFile
        f = open(file_name, "r")
    IOError: [Errno 2] No such file or directory: '/etc/ssh/ssh_host_rsa_key.pub'

and

    # gnt-node add node002
    -- WARNING --
    Performing this operation is going to replace the ssh daemon keypair
    on the target machine (node002.bosca.acm.jhu.edu) with the ones of the
    current one and grant full intra-cluster ssh root access to/from it

    2012-12-25 14:18:17,520: MainThread Can't load private key /root/.ssh/id_dsa: [Errno 2] No such file or directory: '/root/.ssh/id_dsa'
    Failure: command execution error: Command '/usr/local/lib/ganeti/tools/setup-ssh node002.bosca.acm.jhu.edu' failed with exit code 1; output ''
Comment #2 on issue 236 by mi...@riseup.net: Use RSA keys instead of DSA
http://code.google.com/p/ganeti/issues/detail?id=236

Ugh, that seems bad to have those hard-coded, it doesn't leave much flexibility for changing things.
Comment #1 on issue 236 by ius...@google.com: Use RSA keys instead of DSA
http://code.google.com/p/ganeti/issues/detail?id=236

You can't really, as the DSA dependency is spread around the code:

    $ git grep -i dsa
    lib/bootstrap.py: This generates a dsa keypair for root, adds the pub key to the
    lib/bootstrap.py: result = utils.RunCmd(["ssh-keygen", "-t", "dsa",
    lib/constants.py:SSH_HOST_DSA_PRIV = SSH_CONFIG_DIR + "/ssh_host_dsa_key"
    lib/constants.py:SSH_HOST_DSA_PUB = SSH_HOST_DSA_PRIV + ".pub"
    lib/ssh.py: keys used are DSA keys, so this function will return:
    lib/ssh.py: (~user/.ssh/id_dsa, ~user/.ssh/id_dsa.pub,
    lib/ssh.py: for base in ["id_dsa", "id_dsa.pub", "authorized_keys"]]

You can update all those, of course, if you want to.