ansible/roles/basessh
Kevin Fenzi 07d908dfc5 basessh: enable ed25519 ssh host keys everywhere
For newer ssh (in fedora) we need to have certs that are not using
sha-1. So, we need to regenerate the certs signed by our CA with sha256.
While we are at it, enable the ed25519 host keys as rsa keys are
increasingly in disfavor.

So, old ssh will use the old rsa host certs that are sha1 for now, but
new ssh will use the sha256 signed ed25519 certs. If everything works
fine for a while, we can re-sign the rsa host keys also and totally get
rid of the sha1 certs.

Since both host keys are signed by our CA, they should still be just as
trusted as before. If you are asked to approve a new host key for
something, make sure you have our CA in your known_hosts file:
https://admin.fedoraproject.org/ssh_known_hosts

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 15:11:16 -08:00
handlers Move SSH setup to its own role 2017-08-16 17:39:23 +00:00
tasks basessh: see if we can generate a sha256 cert 2020-11-03 15:04:51 -08:00
templates basessh: enable ed25519 ssh host keys everywhere 2020-11-03 15:11:16 -08:00
README Move SSH setup to its own role 2017-08-16 17:39:23 +00:00

This role is the base setup for all our machines. 

If there's something that shouldn't be run on every single 
machine, it should be in another role.