Feature Request
Resolution: Unresolved
None
6.14.0
Description of problem:
[RFE] Include other types of keys like ecdsa and ed25519 apart from rsa in freeipa_register snippet of Red Hat Satellite 6
Version-Release number of selected component (if applicable):
6.14
Currently the freeipa_register snippet only uses an RSA key:
<% elsif os_major > 7 %>
/usr/libexec/openssh/sshd-keygen rsa
<% end -%>
The request is to include the other key types, which would also generate SSHFP records for all three keys.
So the section may look like:
<% elsif os_major > 7 %>
/usr/libexec/openssh/sshd-keygen ed25519
/usr/libexec/openssh/sshd-keygen ecdsa
/usr/libexec/openssh/sshd-keygen rsa
<% end -%>
Any specific reason to copy all 3 types of keys ?
The reason to copy all three keys is so that we can automatically generate sshfp records for all (currently) supported key types
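The SSHFP records the reporter refers to are what the IPA client derives from each host public key, one record per (key type, hash type) pair, so adding ECDSA and Ed25519 host keys yields SSHFP algorithm numbers 3 and 4 alongside the existing RSA (1) records. The following is an added example, not Satellite or FreeIPA code, that performs the same derivation offline in Python (RFC 4255 with the SHA-256 fingerprint type from RFC 6594 and the Ed25519 algorithm number from RFC 7479). The hostname, the key material and the `.pub` lines are constructed in-code and are not real keys; on a host the equivalent is `ssh-keygen -r <host> -f /etc/ssh/ssh_host_ed25519_key.pub`.

```python
"""Derive SSHFP records from OpenSSH host public keys (RFC 4255/6594/7479).

Added example; not Satellite, FreeIPA or OpenSSH code. The sample host keys
are constructed from fixed bytes in SSH wire format so the script runs
offline; they are not usable keys.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_blob(key_type: str, *fields: bytes) -> bytes:
    """Public-key blob: the key type string followed by its fields.

    Only the framing matters for SSHFP, so callers pass constructed bytes.
    """
    return ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)


def pubkey_line(key_type: str, blob: bytes, comment: str = "root@host") -> str:
    """Render a blob the way ssh_host_*_key.pub stores it."""
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Parse '<type> <base64-blob> [comment]' into (key_type, blob).

    Rejects lines whose blob embeds a different key type than the text field:
    such a file is corrupt or hand-edited and its fingerprint is meaningless.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (embedded_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + embedded_len].decode()
    if embedded_type != key_type:
        raise ValueError(f"blob says {embedded_type!r}, line says {key_type!r}")
    return key_type, blob


def sshfp_fingerprint(blob: bytes, fp_type: int) -> str:
    """Hex digest of the raw (base64-decoded) blob, as in RFC 4255 section 3.1.3."""
    return SSHFP_HASH[fp_type](blob).hexdigest()


def sshfp_records(hostname: str, pubkey_lines):
    """Return [(hostname, algorithm, fp_type, hex)] for every key and hash type."""
    records = []
    for line in pubkey_lines:
        key_type, blob = parse_pubkey_line(line)
        if key_type not in SSHFP_ALGORITHM:
            continue  # e.g. *-cert-v01 types have no SSHFP algorithm number
        for fp_type in sorted(SSHFP_HASH):
            records.append((hostname, SSHFP_ALGORITHM[key_type], fp_type,
                            sshfp_fingerprint(blob, fp_type)))
    return records


def zone_lines(records):
    """Render records as BIND-style RRs, the form an IPA DNS zone holds."""
    return [f"{h}. IN SSHFP {alg} {fpt} {fp}" for h, alg, fpt, fp in records]


def constructed_host_keys():
    """Sample .pub lines for rsa, ecdsa and ed25519 built from fixed bytes."""
    return [
        pubkey_line("ssh-rsa", build_blob("ssh-rsa", b"\x01\x00\x01", bytes(range(256)))),
        pubkey_line("ecdsa-sha2-nistp256",
                    build_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(range(64)))),
        pubkey_line("ssh-ed25519", build_blob("ssh-ed25519", bytes(range(32)))),
    ]


if __name__ == "__main__":
    # Constructed hostname; three key types give six SSHFP records.
    for rr in zone_lines(sshfp_records("host.example.test", constructed_host_keys())):
        print(rr)
```

With only the RSA key present the zone carries algorithm 1 records alone; a client that disables ssh-rsa then has no SSHFP record it can match, which is the operational reason behind generating all three key types in the snippet.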
Business justification for this.
RSA-SHA1 is deprecated in OpenSSH 8.3 and will be disabled in a near-future release. If we need to stay with RSA, we'd have to make sure to use RSA-SHA2 to generate the host key or move to ECDSA / ED25519 host keys altogether, which would also enable us to provide shorter key lengths with similar or in some cases even better security, so it's a kind of 'futureproofing' the infrastructure at hand.
Additionally, ECDSA (ecdsa-sha2-nistp256) has been implemented in OpenSSH 5.7, which was released roughly 13 years ago, so most if not all current libraries should be able to support this algorithm. As a fallback, the RSA key will still be present and usable.
Some sources that might be of interest:
OpenSSH 5.7 Release Notes
OpenSSH 6.5 Release Notes
OpenSSH 8.3 Release Notes