On Wed, Jul 03, 2024 at 07:01:05AM GMT, Peter Boy wrote:
> 
> 
> > Am 02.07.2024 um 23:50 schrieb Kevin Fenzi <ke...@scrye.com>:
> > 
> > On Tue, Jul 02, 2024 at 02:21:40PM GMT, Chris Adams wrote:
> >> Once upon a time, Kevin Fenzi <ke...@scrye.com> said:
> >>> Please see https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org
> >>> For more information, including information on adding our SSH CA or
> >>> using dnssec / sshfp to verify the ssh host key of the new host.
> >> 
> >> AFAIK the default Fedora setup with systemd-resolved does not support
> >> DNSSEC for ssh using SSHFP records, and also the default SSH config
> >> doesn't have VerifyHostKeyDNS enabled (so even if ssh could get the
> >> record, with DNSSEC, it wouldn't use it).
> > 
> > Yep, you need to enable dnssec in systemd-resolved (and have a
> > nameserver that supports it) and set VerifyHostKeyDNS=yes in ssh_config.
> > 
> > For that reason, I would say just adding the fedoraproject CA to
> > known_hosts is much easier. (And also works for other fedoraproject.org
> > hosts).
> 
> 
> Maybe we need a more extensive documentation for this? Something like:

Docs are always good. 

Note that the audience for these is fedora contributors that have access
to fedorapeople.org, not all fedora users.

> 1. minimal action
> - What do you achieve (just use the functionality as you did before)
> - Deal with the message "… authenticity of host … can't be established."
> 
> 2. Use optional functionality
> - SSH CA
> -- What do you achieve
> -- How to configure
> - dnssec
> -- What do you achieve
> -- How to configure

Well, I think probably we should just tell folks to add the CA to their
known_hosts and then perhaps as an aside mention sshfp records and such.
That's much harder to set up right.

> We could do that by creating a Quick Doc article or by adding a section to 
> the current Wiki page. 

The wiki page could always use improvement...

I guess at some point ideally we would move docs like this off the wiki
and under docs.fedoraproject.org somewhere ( under the infra space seems
not fully right, but I guess it could be there if nothing else comes to
mind ).

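The thread compares two ways of trusting the new host's key: an `@cert-authority` line in known_hosts (which covers every host matching its pattern) and SSHFP records that ssh only consults with `VerifyHostKeyDNS` set and a DNSSEC-validating resolver. The script below is an added example, not code from the thread or from Fedora infrastructure: it shows how the known_hosts host-pattern matching decides which hosts a CA entry covers, reads the effective `VerifyHostKeyDNS` value out of ssh_config text, and computes the SSHFP record for a host public key the way `ssh-keygen -r` does. The CA key blob, host names and config snippets are constructed placeholders; the real CA line comes from the wiki page linked above. The ssh_config reader is a simplification (it ignores `Match` blocks and `Include` files) and hashed known_hosts entries are skipped.

```python
"""Host-key trust helpers for the CA-in-known_hosts and SSHFP/DNSSEC paths.

Added example; all sample values below are constructed placeholders.
"""
import base64
import fnmatch
import hashlib
import re

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def sshfp_record(pubkey_line: str) -> str:
    """SSHFP RDATA (algorithm, fingerprint type 2 = SHA-256, hex digest) for a
    one-line OpenSSH public key, matching what `ssh-keygen -r` prints.
    Publishing this in DNS is only useful if the zone is DNSSEC-signed."""
    keytype, blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob)).hexdigest()
    return f"SSHFP {SSHFP_ALGORITHMS[keytype]} 2 {digest}"


def host_matches(pattern_list: str, hostname: str) -> bool:
    """known_hosts / Host-directive matching: comma-separated glob patterns,
    case-insensitive, a leading '!' negates and any negated match wins."""
    hostname = hostname.lower()
    matched = False
    for pat in pattern_list.lower().split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def ca_entries_for(known_hosts: str, hostname: str) -> list:
    """CA public keys whose @cert-authority entries cover hostname.
    Hashed (|1|...) entries cannot be pattern-matched and are skipped."""
    cas = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "@cert-authority":
            continue
        patterns, keytype, blob = parts[1], parts[2], parts[3]
        if patterns.startswith("|1|"):
            continue
        if host_matches(patterns, hostname):
            cas.append(f"{keytype} {blob}")
    return cas


def verify_host_key_dns(ssh_config: str, hostname: str) -> str:
    """Effective VerifyHostKeyDNS for hostname: first matching directive wins,
    as in ssh_config(5); the OpenSSH default is 'no'. Match blocks are not
    evaluated here (assumption of this simplified reader)."""
    applies = True
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            applies = host_matches(",".join(value.split()), hostname)
        elif key == "match":
            applies = False
        elif applies and key == "verifyhostkeydns":
            return value.lower()
    return "no"


# Constructed Ed25519 key blob: length-prefixed type string + 32 placeholder bytes.
CA_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode()

SAMPLE_KNOWN_HOSTS = (
    "# constructed sample entry; the real one is on the wiki page\n"
    f"@cert-authority *.fedorapeople.org,fedorapeople.org ssh-ed25519 {CA_BLOB}\n"
)

SAMPLE_SSH_CONFIG = """# constructed sample: opt in to SSHFP only for one domain
Host *.fedorapeople.org
    VerifyHostKeyDNS yes
Host *
    VerifyHostKeyDNS no
"""

if __name__ == "__main__":
    print(ca_entries_for(SAMPLE_KNOWN_HOSTS, "people01.fedorapeople.org"))
    print(verify_host_key_dns(SAMPLE_SSH_CONFIG, "people01.fedorapeople.org"))
    print(sshfp_record(f"ssh-ed25519 {CA_BLOB} placeholder-comment"))
```

Note that `*.fedorapeople.org` alone does not cover the bare `fedorapeople.org` name, which is why the sample CA line lists both patterns; a wildcard-only entry is the usual reason a CA line silently fails to apply.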

-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org