
Commit 0887905b authored by Peter Hutterer's avatar Peter Hutterer

bootstrap: switch to using ed25519 keys for ssh



RSA can require special configuration (PubkeyAcceptedKeyTypes needed on F33), DSA
is compromised, EDDSA is apparently owned by the NSA... well, let's go with
ED25519 instead.
Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
parent d21d8ac6
......@@ -11,7 +11,7 @@ pushd /app
curl -L $CLOUD_IMAGE_URL -o /app/image.raw.xz
# create a common ssh key that will be used to generate the final VM images
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''
# to start the cloud-init ready image we need to provide it some input:
# https://blog.christophersmart.com/2016/06/17/booting-fedora-24-cloud-image-with-kvm/
......@@ -44,7 +44,7 @@ timezone: UTC
# Add any ssh public keys
ssh_authorized_keys:
- $(cat /root/.ssh/id_rsa.pub)
- $(cat /root/.ssh/id_ed25519.pub)
bootcmd:
- [ sh, -c, echo "=========bootcmd=========" ]
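Review bot: `ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''` in the first hunk has no guard against the key file already existing; ssh-keygen then prompts `Overwrite (y/n)?` on stdin and, run non-interactively, will generally answer no and exit non-zero, so re-running this script in a container that already holds the new key fails (the rsa line it replaces had the same property). If the script is meant to be re-runnable, either `rm -f /root/.ssh/id_ed25519 /root/.ssh/id_ed25519.pub` before the keygen or `[ -f /root/.ssh/id_ed25519 ] || ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''` makes that explicit. The comment above it would also be more useful stating why the key is deliberately passphrase-less, e.g. `# create a common, passphrase-less ssh key (read only by the non-interactive VM bootstrap) used to generate the final VM images`. The `ssh_authorized_keys` entry in the second hunk picks up the new filename consistently.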
......
......@@ -39,7 +39,6 @@ do_start() {
Host vm
HostName localhost
Port 5555
PubkeyAcceptedKeyTypes ssh-rsa
PreferredAuthentications publickey
EOF
fi
......
......@@ -436,10 +436,10 @@
- echo $FDO_DISTRIBUTION_PACKAGES | tr ' ' '\n' | sed -e 's/^/ /' >> mkosi.default
# create a new ssh key
- ssh-keygen -t rsa -f /root/.ssh/id_rsa_target -N ''
- ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_target -N ''
- mkdir -p mkosi.extra/root/.ssh
- chmod 700 mkosi.extra/root/.ssh
- cp /root/.ssh/id_rsa_target.pub mkosi.extra/root/.ssh/authorized_keys
- cp /root/.ssh/id_ed25519_target.pub mkosi.extra/root/.ssh/authorized_keys
- chmod 600 mkosi.extra/root/.ssh/authorized_keys
# enable sshd on the target
- mkdir -p mkosi.extra/etc/systemd/system/multi-user.target.wants
......@@ -506,8 +506,8 @@
- mv vmlinuz* initr* $buildmnt/app/
- mkdir $buildmnt/root/.ssh
- chmod 700 $buildmnt/root/.ssh
- cp /root/.ssh/id_rsa_target $buildmnt/root/.ssh/id_rsa
- cp /root/.ssh/id_rsa_target.pub $buildmnt/root/.ssh/id_rsa.pub
- cp /root/.ssh/id_ed25519_target $buildmnt/root/.ssh/id_ed25519
- cp /root/.ssh/id_ed25519_target.pub $buildmnt/root/.ssh/id_ed25519.pub
# umount the container, not required, but, heh
- buildah unmount $buildcntr
......
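Review bot: The comment `# create a new ssh key` above `ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_target -N ''` does not say where the two halves end up, which is the security-relevant part: the public half becomes the VM image's sole `authorized_keys` entry (first hunk), and the unencrypted private half is copied into `$buildmnt/root/.ssh/id_ed25519` (second hunk, presumably the container filesystem released by `buildah unmount`), so any party able to pull that container image presumably holds a key every VM built alongside it accepts. Suggest expanding the comment to `# create a new passphrase-less ssh key: the .pub becomes the VM image's authorized_keys, the private key is baked into the build container so the CI job can ssh into the VM` so the trust relationship is explicit to whoever next touches this. A `-C` option would also give the key a stable, auditable comment instead of root@<container-hostname>, e.g. `ssh-keygen -t ed25519 -C ci-templates-target -f /root/.ssh/id_ed25519_target -N ''`. The same two hunks appear identically in the three later files in this commit; this note applies to each of them as well.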
......@@ -399,10 +399,10 @@
- echo $FDO_DISTRIBUTION_PACKAGES | tr ' ' '\n' | sed -e 's/^/ /' >> mkosi.default
# create a new ssh key
- ssh-keygen -t rsa -f /root/.ssh/id_rsa_target -N ''
- ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_target -N ''
- mkdir -p mkosi.extra/root/.ssh
- chmod 700 mkosi.extra/root/.ssh
- cp /root/.ssh/id_rsa_target.pub mkosi.extra/root/.ssh/authorized_keys
- cp /root/.ssh/id_ed25519_target.pub mkosi.extra/root/.ssh/authorized_keys
- chmod 600 mkosi.extra/root/.ssh/authorized_keys
# enable sshd on the target
- mkdir -p mkosi.extra/etc/systemd/system/multi-user.target.wants
......@@ -466,8 +466,8 @@
- mv vmlinuz* initr* $buildmnt/app/
- mkdir $buildmnt/root/.ssh
- chmod 700 $buildmnt/root/.ssh
- cp /root/.ssh/id_rsa_target $buildmnt/root/.ssh/id_rsa
- cp /root/.ssh/id_rsa_target.pub $buildmnt/root/.ssh/id_rsa.pub
- cp /root/.ssh/id_ed25519_target $buildmnt/root/.ssh/id_ed25519
- cp /root/.ssh/id_ed25519_target.pub $buildmnt/root/.ssh/id_ed25519.pub
# umount the container, not required, but, heh
- buildah unmount $buildcntr
......
......@@ -390,10 +390,10 @@
- echo $FDO_DISTRIBUTION_PACKAGES | tr ' ' '\n' | sed -e 's/^/ /' >> mkosi.default
# create a new ssh key
- ssh-keygen -t rsa -f /root/.ssh/id_rsa_target -N ''
- ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_target -N ''
- mkdir -p mkosi.extra/root/.ssh
- chmod 700 mkosi.extra/root/.ssh
- cp /root/.ssh/id_rsa_target.pub mkosi.extra/root/.ssh/authorized_keys
- cp /root/.ssh/id_ed25519_target.pub mkosi.extra/root/.ssh/authorized_keys
- chmod 600 mkosi.extra/root/.ssh/authorized_keys
# enable sshd on the target
- mkdir -p mkosi.extra/etc/systemd/system/multi-user.target.wants
......@@ -457,8 +457,8 @@
- mv vmlinuz* initr* $buildmnt/app/
- mkdir $buildmnt/root/.ssh
- chmod 700 $buildmnt/root/.ssh
- cp /root/.ssh/id_rsa_target $buildmnt/root/.ssh/id_rsa
- cp /root/.ssh/id_rsa_target.pub $buildmnt/root/.ssh/id_rsa.pub
- cp /root/.ssh/id_ed25519_target $buildmnt/root/.ssh/id_ed25519
- cp /root/.ssh/id_ed25519_target.pub $buildmnt/root/.ssh/id_ed25519.pub
# umount the container, not required, but, heh
- buildah unmount $buildcntr
......
......@@ -440,10 +440,10 @@
- echo $FDO_DISTRIBUTION_PACKAGES | tr ' ' '\n' | sed -e 's/^/ /' >> mkosi.default
# create a new ssh key
- ssh-keygen -t rsa -f /root/.ssh/id_rsa_target -N ''
- ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_target -N ''
- mkdir -p mkosi.extra/root/.ssh
- chmod 700 mkosi.extra/root/.ssh
- cp /root/.ssh/id_rsa_target.pub mkosi.extra/root/.ssh/authorized_keys
- cp /root/.ssh/id_ed25519_target.pub mkosi.extra/root/.ssh/authorized_keys
- chmod 600 mkosi.extra/root/.ssh/authorized_keys
# enable sshd on the target
- mkdir -p mkosi.extra/etc/systemd/system/multi-user.target.wants
......@@ -509,8 +509,8 @@
- mv vmlinuz* initr* $buildmnt/app/
- mkdir $buildmnt/root/.ssh
- chmod 700 $buildmnt/root/.ssh
- cp /root/.ssh/id_rsa_target $buildmnt/root/.ssh/id_rsa
- cp /root/.ssh/id_rsa_target.pub $buildmnt/root/.ssh/id_rsa.pub
- cp /root/.ssh/id_ed25519_target $buildmnt/root/.ssh/id_ed25519
- cp /root/.ssh/id_ed25519_target.pub $buildmnt/root/.ssh/id_ed25519.pub
# umount the container, not required, but, heh
- buildah unmount $buildcntr
......