fedora-infra / fas

Fedora Account System
https://admin.fedoraproject.org/accounts
GNU General Public License v2.0

sshkey ecdsa #61

Closed lbazan closed 10 years ago

lbazan commented 10 years ago

https://fedorahosted.org/fas/ticket/172

ralphbean commented 10 years ago

Looks good to me. I'll wait for another reviewer to scope it out though.

relrod commented 10 years ago

It looks like our RHEL 6 boxes don't have ecdsa enabled yet:

[codeblock@lockbox01 ~]$ ls /etc/ssh | grep -c ssh_host_ecdsa
0

So I am not sure how useful this'll be yet.

Also, I think we are going to need to add more suffixes for this to become useful. For example, on Fedora, my default/host pubkey has ecdsa-sha2-nistp256:

ricky@t520 ~$ cat /etc/ssh/ssh_host_ecdsa_key.pub | cut -d' ' -f 1
ecdsa-sha2-nistp256

which I think wouldn't match with this patch. We could match /ecdsa-.+ /, but we then allow keys which aren't enabled in any default RHEL openssh install. I guess we should find a list of all ecdsa-* allowed by current RHEL6 and go from there with both updating this patch and enabling its use in FI.

laxathom commented 10 years ago

I agree that this is not the best way to filter this. We can improve this filter by making it configurable into /etc/fas.cfg, so depending on the running host, you can better manage what's supported. Note that FAS only stores the key string, no string processing.

laxathom commented 10 years ago

ping!

laxathom commented 10 years ago

@lbazan Do you still want to make something out of our proposal?

lbazan commented 10 years ago

@laxathom +1 put filter in fas.cfg ssh_keysupport = ['rsa', 'ssh-rsa', 'ecdsa', 'ecdsa-sha2']

and then add it in validator.py

I think that's okay?
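As an added illustration (not code from this PR or from the FAS code base), here is what a validator driven by a configurable allow-list like the proposed fas.cfg setting could look like in Python. It lists full OpenSSH type names rather than bare prefixes, which is what relrod's ecdsa-sha2-nistp256 observation calls for, and it goes one step beyond the thread by also checking that the type and curve name embedded in the base64 key body agree with the declared type. SSH_KEYSUPPORT, validate_ssh_key and constructed_key are hypothetical names, and the sample key material is constructed, not a real key.

```python
import base64
import binascii
import struct

# Constructed allow-list in the spirit of the proposed fas.cfg setting:
# full OpenSSH type names, not bare prefixes, so a host whose sshd lacks
# a curve simply leaves it out (hypothetical values).
SSH_KEYSUPPORT = ["ssh-rsa", "ecdsa-sha2-nistp256"]

def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def validate_ssh_key(line, supported=SSH_KEYSUPPORT):
    """Check one '<type> <base64> [comment]' line: (True, keytype) or (False, reason)."""
    fields = line.strip().split()
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    declared, body = fields[0], fields[1]
    if declared not in supported:  # exact match: a bare 'ecdsa' entry would not admit nistp256
        return False, "unsupported key type %r" % declared
    try:
        blob = base64.b64decode(body, validate=True)
        embedded, offset = _read_string(blob, 0)
        if embedded != declared.encode("ascii"):
            return False, "blob type %r does not match declared type" % embedded
        if declared.startswith("ecdsa-sha2-"):  # ECDSA blobs repeat the curve name
            curve, _ = _read_string(blob, offset)
            if curve != declared[len("ecdsa-sha2-"):].encode("ascii"):
                return False, "curve name in blob does not match key type"
    except (binascii.Error, ValueError) as exc:
        return False, "malformed key body: %s" % exc
    return True, declared

def constructed_key(keytype, curve=None):
    """Constructed sample line with dummy key material (not a usable key)."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode("ascii")
    if curve:
        blob += struct.pack(">I", len(curve)) + curve.encode("ascii")
    blob += struct.pack(">I", 65) + b"\x04" + b"\x00" * 64  # placeholder point/modulus bytes
    return "%s %s user@host" % (keytype, base64.b64encode(blob).decode("ascii"))
```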

laxathom commented 10 years ago

+1. We should also update the help balloon to make people aware of what is supported and how.

laxathom commented 10 years ago

Closing PR as duplicate of #75. Actually #75 is the duplicate, however, as most of the job has been done in 75 we will keep that one.