Uploaded image for project: 'RDO Project'
  1. RDO Project
  2. RDO-119

review.rdoproject.org now uses ECDSA key fingerprint

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • RDO Caracal
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      During the last DLRN Trunk bootstrap (i.e.: centos9-antelope), we hit issue of worker not being able to submit FTBFS patches to RDO Gerrit instance.
      The reason is that the SSH client (i.e openssh-clients) provided in COS, is sourcing the crypto policies from "/etc/crypto-policies/back-ends/opensshserver.config" provided by crypto-policies-20221215 RPM from [1].
      Below the policy:

      $ less /etc/crypto-policies/back-ends/opensshserver.config
      CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
      

      it's using ecdsa-sha2-nistp256 as the first preferred SSH key exchange algorithm (i.e -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[...])

      That's why when we run the command below from a COS system:

      # ssh -t -p 29418 review.rdoproject.org
      The authenticity of host '[review.rdoproject.org]:29418 ([38.102.83.25]:29418)' can't be established.
      ECDSA key fingerprint is SHA256:lNxdGov9Kol+apgEFQlFvr8uIYKyvG7rK/k/zvEwTlM.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added '[review.rdoproject.org]:29418,[38.102.83.25]:29418' (ECDSA) to the list of known hosts.
      

      we got the ECDSA key fingerprint

      # less ~/.ssh/known_hosts
      [review.rdoproject.org]:29418,[38.102.83.25]:29418 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLOLaO81l9MzOYM85DVm7RzDQp3GIPuf86F4gUbOQUYR8/1fGjZ6+5wrz3ZqIwxe4X5D43ZwRZD/DNFmvQPtYLg=
      

      So, we need to edit this line in ansible-role-dlrn [2] with the ECDA key fingerprint in order to be able to send gerrit patches w/o being asked to accept the first time.

      [1] https://gitlab.com/redhat/centos-stream/rpms/crypto-policies
      [2] https://github.com/rdo-infra/ansible-role-dlrn/blob/19207bb188da9f7a97728fd524487b89e9f2ab95/tasks/worker.yml#L457

              jcapitao1@redhat.com Joel Capitao
              jcapitao1@redhat.com Joel Capitao
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: