Changing the ssh key gen algorithm for FIPS machines #136
Updated fips check pkg/metadata/vmmd/fips.go
Hi @junaid18183 👋!
Thanks for this PR!
Funnily enough, I had never even heard about FIPS before, so I had to google it 😂
This PR is okay as it unblocks a use case, but I'd like to be more explicit about this
in the future, so it makes sense to let the user specify in the configuration file what
key algorithm to use, instead of relying on autodetection, which might be brittle.
This PR is accepted, but please move the function to pkg/util
and add the TODO in the code :)
pkg/metadata/vmmd/fips.go
```go
import "os"

// FIPSEnabled returns true if running in FIPS mode.
// Currently it just checks whether the system-wide /etc/system-fips file is present or not.
// We can improve it later.
func FIPSEnabled() bool {
	// Presence of the marker file is the only signal used here; any stat error
	// (including permission problems) is treated as "not in FIPS mode".
	_, err := os.Stat("/etc/system-fips")
	return err == nil
}
```
Please move this to pkg/util
, that seems like a better place for it.
Fixed
```go
// Use ED25519 instead of RSA for performance (it's equally secure, but a lot faster to generate/authenticate)
_, err := util.ExecuteCommand("ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", privKeyPath)
ssh_key_algorithm := "ed25519"
```
Please add a note here like this:

```go
// TODO: In future versions, let the user specify what key algorithm to use through the API types
```
Fixed
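The two ideas in this review thread, autodetecting FIPS mode from `/etc/system-fips` and (the reviewer's TODO) letting the user pick the key algorithm explicitly, fit together as one small policy function. The following is an added example, not code from this PR or from the project: `SSHKeyConfig`, `SelectKeyAlgorithm`, `KeygenArgs` and `FIPSEnabledAt` are hypothetical names, and the choice of RSA 4096 as the FIPS-mode fallback is an assumption (the page only says the algorithm changes on FIPS machines, not to what). The `ssh-keygen` flags mirror the PR's own invocation.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// fipsMarker is the file the PR's FIPSEnabled check looks for; FIPS-enabled
// distributions such as RHEL create it when FIPS mode is switched on.
const fipsMarker = "/etc/system-fips"

// FIPSEnabled reports whether the host is in FIPS mode, using the same
// presence-of-file check as the PR.
func FIPSEnabled() bool { return FIPSEnabledAt(fipsMarker) }

// FIPSEnabledAt is the injectable form (hypothetical helper) so the check can
// be exercised against a temp directory instead of the real host.
func FIPSEnabledAt(marker string) bool {
	_, err := os.Stat(marker)
	return err == nil
}

// KeyAlgorithm names an ssh-keygen key type (the "-t" value).
type KeyAlgorithm string

const (
	KeyAlgorithmED25519 KeyAlgorithm = "ed25519"
	KeyAlgorithmRSA     KeyAlgorithm = "rsa"
	KeyAlgorithmECDSA   KeyAlgorithm = "ecdsa"
)

// fipsAllowed lists the key types assumed acceptable to a FIPS-mode OpenSSH
// build: ed25519 is rejected there, RSA and ECDSA are accepted.
var fipsAllowed = map[KeyAlgorithm]bool{KeyAlgorithmRSA: true, KeyAlgorithmECDSA: true}

// SSHKeyConfig is a hypothetical stand-in for the API-types field the reviewer
// asked for. An empty Algorithm means "autodetect".
type SSHKeyConfig struct {
	Algorithm KeyAlgorithm
}

// SelectKeyAlgorithm applies the policy: an explicit setting wins but is refused
// if it cannot be used in FIPS mode; with no setting, ed25519 is used for speed
// and RSA (assumed choice) when FIPS mode is on.
func SelectKeyAlgorithm(cfg SSHKeyConfig, fips bool) (KeyAlgorithm, error) {
	if cfg.Algorithm != "" {
		switch cfg.Algorithm {
		case KeyAlgorithmED25519, KeyAlgorithmRSA, KeyAlgorithmECDSA:
		default:
			return "", fmt.Errorf("unknown key algorithm %q", cfg.Algorithm)
		}
		if fips && !fipsAllowed[cfg.Algorithm] {
			return "", fmt.Errorf("key algorithm %q is not permitted in FIPS mode", cfg.Algorithm)
		}
		return cfg.Algorithm, nil
	}
	if fips {
		return KeyAlgorithmRSA, nil
	}
	return KeyAlgorithmED25519, nil
}

// KeygenArgs builds the ssh-keygen argument list, mirroring the PR's
// "-q -t <type> -N '' -f <path>" call and adding a 4096-bit modulus for RSA
// (assumed size; ssh-keygen's default is smaller).
func KeygenArgs(alg KeyAlgorithm, privKeyPath string) []string {
	args := []string{"-q", "-t", string(alg), "-N", "", "-f", privKeyPath}
	if alg == KeyAlgorithmRSA {
		args = append(args, "-b", "4096")
	}
	return args
}

// GenerateSSHKey ties the pieces together and shells out the way the PR does.
func GenerateSSHKey(cfg SSHKeyConfig, privKeyPath string) (KeyAlgorithm, error) {
	alg, err := SelectKeyAlgorithm(cfg, FIPSEnabled())
	if err != nil {
		return "", err
	}
	out, err := exec.Command("ssh-keygen", KeygenArgs(alg, privKeyPath)...).CombinedOutput()
	if err != nil {
		return "", fmt.Errorf("ssh-keygen failed: %w: %s", err, out)
	}
	return alg, nil
}

func main() {
	// Only decides the algorithm for this host; it does not write any key.
	alg, err := SelectKeyAlgorithm(SSHKeyConfig{}, FIPSEnabled())
	fmt.Println("fips:", FIPSEnabled(), "algorithm:", alg, "err:", err)
}
```

Refusing an explicit `ed25519` request on a FIPS host, rather than silently substituting RSA, is the deliberate design choice here: a configured value that cannot be honoured should fail loudly at key generation instead of surfacing later as an unexpected key type.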
Thanks for the review. Have implemented the changes.
Very well 👍
LGTM
Changing the ssh key gen algorithm for FIPS machines
Fixes #135