console/sshd: test_cryptographic_policies: ensure known host keys don't get dropped #18735
can you also test with openSUSE and an old SP? say 15-SP5?
Since OpenSSH 8.5 [0], UpdateHostKeys is enabled by default on the ssh client configuration.

Calling the ssh client with -o HostKeyAlgorithms=<single_algorithm> would then drop the other, now "foreign" algorithms from ~/.ssh/known_hosts, making the subsequent HostKeyAlgorithms tests fail.

This commit fixes that by adding -o UpdateHostKeys=no on the test command, so that the ssh client will not try to change the known_hosts file anymore.

[0] https://www.openssh.com/txt/release-8.5

Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com>
d4e3456 to 86e2a00
v2: shortened the commit summary

@foursixnine Validation run against SP5-QR: https://openqa.suse.de/tests/13606045

for openSUSE you mean Tumbleweed? If I understand correctly that part is not tested at all in TW.
Is this enough? Is this also backwards compatible? Let's say 12-SP5?
here an example: https://openqa.opensuse.org/tests/3968432#step/sshd/1
12-SP5 (and SP4) ship 7.2p2 so it should be covered there as well. Can I test that against SLE-12-SP5 somehow from the internal openQA instance? I'm getting lost through all the groups 😅
Thanks. I don't have enough privileges to do that on o3. Could you or someone else please try it against TW using this repo?
(it's exactly the same change here but with the Thanks!
Ok, I'm running 2 more VRs:
Thanks a lot @jlausuch
Here are the two with the correct repos: 1 job has been created:
@g7
Since OpenSSH 8.5 [0], UpdateHostKeys is enabled by default on the ssh client configuration.
Calling the ssh client with -o HostKeyAlgorithms=<single_algorithm> would then drop the other, now "foreign" algorithms from ~/.ssh/known_hosts, making the subsequent HostKeyAlgorithms tests fail.
This commit fixes that by adding -o UpdateHostKeys=no on the test command, so that the ssh client will not try to change the known_hosts file anymore.
UpdateHostKeys is available since OpenSSH 6.8 [1] so every SLE-15 release should be covered, and SLE-12-SP5 as well.

[0] https://www.openssh.com/txt/release-8.5
[1] openssh/openssh-portable@8d4f872
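
A regression guard for the failure the description above explains, added here as an example and not part of the pull request: it snapshots known_hosts, runs a command, and reports which host key types the command removed for a host. The function names and the sample entries are constructed for illustration, and the parser assumes unhashed known_hosts entries.

```shell
# Added example (not from the pull request). Assumes unhashed known_hosts
# entries; function names and sample key blobs are constructed.

# keytypes FILE HOST: sorted unique key types that FILE records for HOST.
keytypes() {
    awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        { hosts = $1; type = $2 }
        $1 ~ /^@/ { hosts = $2; type = $3 }     # @cert-authority / @revoked
        { n = split(hosts, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { print type; break } }
    ' "$1" | LC_ALL=C sort -u
}

# dropped_keytypes BEFORE AFTER HOST: types in BEFORE that AFTER no longer has.
dropped_keytypes() {
    dk_b=$(mktemp); dk_a=$(mktemp)
    keytypes "$1" "$3" > "$dk_b"
    keytypes "$2" "$3" > "$dk_a"
    LC_ALL=C comm -23 "$dk_b" "$dk_a"
    rm -f "$dk_b" "$dk_a"
}

# guard_known_hosts FILE HOST CMD...: run CMD, then return 1 if it removed
# any key type for HOST from FILE. The exit status of CMD is not checked.
guard_known_hosts() {
    gk_file=$1; gk_host=$2; shift 2
    gk_snap=$(mktemp)
    cp "$gk_file" "$gk_snap"
    "$@"
    gk_lost=$(dropped_keytypes "$gk_snap" "$gk_file" "$gk_host")
    rm -f "$gk_snap"
    if [ -n "$gk_lost" ]; then
        echo "known_hosts lost key types for $gk_host:" $gk_lost >&2
        return 1
    fi
}

# sample_known_hosts FILE: write constructed entries with dummy key blobs.
sample_known_hosts() {
    cat > "$1" <<'EOF'
localhost ssh-rsa AAAAconstructedRSA
localhost ecdsa-sha2-nistp256 AAAAconstructedECDSA
localhost ssh-ed25519 AAAAconstructedED25519
EOF
}
```

Against a real client the guarded command would be the test's ssh call, for example `guard_known_hosts ~/.ssh/known_hosts localhost ssh -o HostKeyAlgorithms=ssh-ed25519 -o UpdateHostKeys=no localhost true`, where the algorithm name is an illustrative choice.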