From 07d908dfc551136680870eeb1281b183a29042c0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Tue, 3 Nov 2020 15:11:16 -0800 Subject: [PATCH] basessh: enable ed25519 ssh host keys everywhere For newer ssh (in fedora) we need to have certs that are not using sha-1. So, we need to regenerate the certs signed by our CA with sha256. While we are at it, enable the ed25519 host keys as rsa keys are increasingly in disfavor. So, old ssh will use the old rsa host certs that are sha1 for now, but new ssh will use the sha256 signed ed25519 certs. If everything works fine for a while, we can resign the rsa host keys also and totally get rid of the sha1 certs. Since both host keys are signed by our CA, they should still be just as trusted as before. If you are asked to approve a new host key for something, make sure you have our CA in your known_hosts file: https://admin.fedoraproject.org/ssh_known_hosts Signed-off-by: Kevin Fenzi --- roles/basessh/templates/sshd_config | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config index 510d54fe0e..32b2ea1349 100644 --- a/roles/basessh/templates/sshd_config +++ b/roles/basessh/templates/sshd_config @@ -13,14 +13,10 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op {% endif %} HostKey /etc/ssh/ssh_host_rsa_key -{% if ansible_hostname == 'bastion02' %} HostKey /etc/ssh/ssh_host_ed25519_key -{% endif %} HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub -{% if ansible_hostname == "bastion02" %} HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub -{% endif %} SyslogFacility AUTHPRIV LogLevel VERBOSE
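Review bot: The hunk drops the `{% if ansible_hostname == 'bastion02' %}` / `{% if ansible_hostname == "bastion02" %}` guards, so every host rendered from this template now references `/etc/ssh/ssh_host_ed25519_key` and `/etc/ssh/ssh_host_ed25519_key-cert.pub`, but nothing in the patch shows the role generating the ed25519 key or deploying the CA-signed certificate. A host that lacks those files will start sshd with `Could not load host key` / `Could not load host certificate` errors in the log and serve only the RSA key and cert, and a host that has the key but not the cert will present an unsigned ed25519 key, which is exactly the "asked to approve a new host key" case the commit message warns about. Suggest pairing this template change with a task that ensures the key exists (for example `ssh-keygen -A`) and that the `-cert.pub` has been pushed before the sshd restart handler runs, and validating the rendered file with `sshd -t` in that handler so a missing file is caught before restart rather than after.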