review.opendev.org SSH key change?

Jeremy Stanley fungi at yuggoth.org
Sat Aug 1 14:09:53 UTC 2020


On 2020-08-01 15:44:21 +0200 (+0200), Dr. Jens Harbott wrote:
[...]
> The SSHFP records document the keys for the SSH daemon listening on
> port 22 used for administrative access to the server, not the keys
> used by gerrit. AFAICT there is no way to specify keys for different
> ports in DNS, so when accessing gerrit via ssh, you will have to
> disable DNS verification in order to get rid of this warning. For
> openssh this would mean setting VerifyHostKeyDNS=no (which is also the
> default, so likely you must have overridden this somewhere), but I do
> get a similar error to yours if I set the option to "yes".
[...]

This is going to be challenging to work around, I think.

The cleanest solution is probably going to be separating the
review.opendev.org service name from the system's FQDN in DNS. This
way we could avoid publishing SSHFP RRs for the service name (or
better still, publish different SSHFP RRs), but that means we'll
need to separate out the ACME glue for DNS based X.509 cert
renewals. That would likely not be too hard if we can just stop
putting review01.opendev.org as one of the subject altnames.

An alternative would be to sync the Gerrit mina-sshd API and system
OpenSSH host keys, though that could present a degradation of
security for the base system (maybe effectively not one we care
about though?).

Another alternative would be to just drop the SSHFP RRs for the
Gerrit server, though that makes it inconsistent with the rest of
our servers if we do.
-- 
Jeremy Stanley
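Added example (not from the thread or the OpenDev project): a small Python
script that reproduces the check an OpenSSH client performs with
VerifyHostKeyDNS=yes, so the mismatch Jens describes can be seen offline.
It hashes the wire-format key blob the same way `ssh-keygen -r` does
(RFC 4255 / RFC 6594 algorithm and fingerprint-type code points), parses
zone-file style SSHFP RRs, and compares. The two ed25519 keys and the RRs
are constructed for the example, not real keys; the owner name
review.opendev.org is the one from the thread. SSHFP RRs carry no port, so
the same records are consulted whether the client connects to the system
sshd on port 22 or to the Gerrit SSH listener, and a different key on the
Gerrit port fails the lookup.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255, RFC 6594, RFC 7479) and
# fingerprint type (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_to_sshfp(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public
    key line. The fingerprint is the hash of the raw wire-format key blob,
    which is what `ssh-keygen -r` publishes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_HASHES[fptype](blob).hexdigest()


def parse_sshfp(rr_text):
    """Parse a zone-file style SSHFP RR (the hex may be split by whitespace)
    into (algorithm, fptype, lowercase hex fingerprint)."""
    fields = rr_text.split()
    idx = fields.index("SSHFP")
    alg, fptype = int(fields[idx + 1]), int(fields[idx + 2])
    return alg, fptype, "".join(fields[idx + 3:]).lower()


def key_matches_records(pubkey_line, rr_texts):
    """True if the host key presented by the server matches any of the
    SSHFP RRs published under the name the client connected to. Note that
    nothing here depends on the TCP port: DNS cannot express one."""
    records = {parse_sshfp(t) for t in rr_texts}
    return any(key_to_sshfp(pubkey_line, fptype) in records for fptype in SSHFP_HASHES)


def make_ed25519_pubkey_line(raw32, comment):
    """Build a syntactically valid OpenSSH ed25519 public key line from 32
    raw bytes. Constructed for this example only; not a usable key."""
    keytype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(raw32)) + raw32)
    return "%s %s %s" % (keytype.decode(), base64.b64encode(blob).decode(), comment)


def published_records(pubkey_line, name="review.opendev.org."):
    """SSHFP RRs as an operator would publish them for the system sshd key,
    one per fingerprint type (what `ssh-keygen -r name -f key.pub` prints)."""
    return ["%s IN SSHFP %d %d %s" % ((name,) + key_to_sshfp(pubkey_line, fptype))
            for fptype in (1, 2)]


# Constructed sample keys (assumption: two unrelated host keys, one for the
# system OpenSSH daemon and one for the Gerrit mina-sshd listener).
SYSTEM_HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)), "sshd-on-port-22 (constructed)")
GERRIT_HOST_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "gerrit-mina-sshd (constructed)")

if __name__ == "__main__":
    rrs = published_records(SYSTEM_HOST_KEY)
    for rr in rrs:
        print(rr)
    # Administrative login on port 22 presents the key the RRs were made from.
    print("port 22 sshd key matches DNS:", key_matches_records(SYSTEM_HOST_KEY, rrs))
    # The Gerrit listener presents a different key under the same name, so
    # an OpenSSH client with VerifyHostKeyDNS=yes warns, exactly as reported.
    print("gerrit key matches DNS:", key_matches_records(GERRIT_HOST_KEY, rrs))
```

The check also makes Jeremy's options concrete: publishing the Gerrit key's
fingerprints under a separate service name, or syncing the mina-sshd host
key with the system sshd key, are the two ways to make the second call
return True; dropping the RRs removes the lookup altogether.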

