Introduce SSH cert support #867
Conversation
|
Depends on: theforeman/smart_proxy_remote_execution_ssh#126 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
5 times, most recently
from
702e256 to
18db7e9
Compare
|
This is now ready for review. |
manifests/plugin/ansible.pp
Outdated
| } | ||
| $known_hosts_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? { | ||
| undef => '', | ||
| default => "-o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_dir}/known_hosts -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file}", |
There was a problem hiding this comment.
Same issue as in remote execution. If we have host CA cert available, should we enforce StrictHostKeyChecking?
|
/packit build |
|
@adamlazik1 could you rebase this please on latest master, so that Packit starts working? |
|
No config file for packit (e.g. For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
18db7e9 to
3759635
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
f6c78c1 to
5e673ed
Compare
|
Updated ansible ssh args to enforce strict host key checking if host CA is provided. |
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
5e673ed to
3bdd6b6
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
| # $ssh_identity_file:: Provide an alternative name for the SSH keys | ||
| # | ||
| # $ssh_keygen:: Location of the ssh-keygen binary | ||
| # $ssh_user_ca_public_key_file:: Public key file for the SSH CA certificate |
There was a problem hiding this comment.
Should we unify with the host CA key behavior and pass the public key contents instead of a path? I would solve issues with permissions.
There was a problem hiding this comment.
From security POV, it should be fine since the CA key is public. But how long is it? How long will it eventually be? Maybe the shell won't like a line that long. I think this kind of data shouldn't be passed in the command line. OTOH, if it's consistent with something we already have, it may be the least confusing.
The permission issues themselves can be solved by documentation + help text.
There was a problem hiding this comment.
I see, thanks for your input. You have a good point with possible future length, so I will probably leave it as it is.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
3bdd6b6 to
a9906b3
Compare
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
1 similar comment
|
/packit build |
|
Account adamruzicka has no write access nor is author of PR! |
|
/packit build |
5 participants
No description provided.