This patch addresses the need to improve the SSH security of Ganeti by allowing different types and sizes of SSH keys - notably DSA, RSA, and ECDSA.
Additional configuration parameters are added, and in a slight but practical departure from conventions so far, after initialization they can only be changed by running a renew-crypto operation and not a cluster modify.

Hrvoje Ribicic (15):
  Add the SSH key options
  Change SSH key types to a proper Haskell sum type
  Add the SSH key type and length to the config, and set them
  Show info about new params in gnt-cluster info
  Add querying of ssh-related config values
  Use the SSH key parameters when generating keys
  Allow SSH key property changes
  Handle SSH key changes in upgrades and downgrades
  Fail early for invalid key type and size combinations
  Fix typo
  QA: Downgrade the cluster key type in 2.16
  Remove default limit on diffs in cfgupgrade tests
  QA: Extend AssertCommand to allow not forwarding the agent
  QA: Add ssh-key-type and -bits tests
  Add entries describing new gnt-cluster params to manpage

 lib/backend.py                                     |  87 +++++++++++++---------
 lib/bootstrap.py                                   |  27 ++++---
 lib/cli_opts.py                                    |  13 ++++
 lib/client/gnt_cluster.py                          |  39 +++++++---
 lib/client/gnt_node.py                             |  11 ++-
 lib/cmdlib/cluster/__init__.py                     |  49 ++++++++----
 lib/cmdlib/cluster/verify.py                       |   3 +-
 lib/ht.py                                          |   1 +
 lib/objects.py                                     |   8 ++
 lib/rpc_defs.py                                    |   5 +-
 lib/server/noded.py                                |   9 ++-
 lib/ssh.py                                         |  64 +++++++++++++---
 lib/tools/cfgupgrade.py                            |  50 ++++++++++++-
 lib/tools/common.py                                |   6 +-
 lib/tools/prepare_node_join.py                     |   9 ++-
 lib/tools/ssh_update.py                            |  13 +++-
 man/gnt-cluster.rst                                |  19 +++++
 qa/qa_cluster.py                                   |  65 +++++++++++++++-
 qa/qa_utils.py                                     |  28 +++++--
 src/Ganeti/Constants.hs                            |  21 +++++-
 src/Ganeti/Objects.hs                              |   2 +
 src/Ganeti/OpCodes.hs                              |   4 +-
 src/Ganeti/OpParams.hs                             |  20 ++++-
 src/Ganeti/Query/Server.hs                         |   8 +-
 src/Ganeti/Rpc.hs                                  |  12 +--
 src/Ganeti/Types.hs                                |  11 +++
 test/hs/Test/Ganeti/Objects.hs                     |   7 ++
 test/hs/Test/Ganeti/OpCodes.hs                     |   9 ++-
 test/py/cfgupgrade_unittest.py                     |   6 ++
 test/py/ganeti.backend_unittest.py                 |  20 +++-
 test/py/ganeti.client.gnt_cluster_unittest.py      |   3 +-
 test/py/ganeti.ssh_unittest.py                     |  61 ++++++++++++++-
 test/py/ganeti.tools.prepare_node_join_unittest.py |   6 +-
 33 files changed, 562 insertions(+), 134 deletions(-)

-- 
2.6.0.rc2.230.g3dd15c0
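The series above only names its "Fail early for invalid key type and size combinations" patch; the cover letter does not show what that check looks like. As an added illustration (not part of this cover letter and not Ganeti's own code), the Python below rejects a requested key type and bit size that OpenSSH's ssh-keygen would refuse, warns about combinations that are accepted but weak (DSA is fixed at 1024 bits and deprecated, short RSA keys), and builds the ssh-keygen argument list from a validated pair. The accepted combinations are taken from ssh-keygen's behaviour and are an assumption about the target OpenSSH version, not something the series states; names such as validate_ssh_key_params and build_keygen_command are hypothetical.

```python
"""Added example, not Ganeti code: reject SSH key type/size combinations that
ssh-keygen would refuse before any cluster state is changed."""

# Acceptance rules of OpenSSH's ssh-keygen (assumption about the target
# OpenSSH version): DSA is fixed at 1024 bits, ECDSA takes only the three
# NIST curve sizes, RSA must be at least 1024 bits.
_DSA_BITS = frozenset({1024})
_ECDSA_BITS = frozenset({256, 384, 521})
_RSA_MIN_BITS = 1024
# Size used when none is requested (what ssh-keygen picks without -b).
_DEFAULT_BITS = {"dsa": 1024, "rsa": 2048, "ecdsa": 256}
# Below this RSA is accepted by ssh-keygen but should not be used for a cluster.
_RSA_RECOMMENDED_MIN = 2048


class InvalidSshKeyParams(ValueError):
    """A key type/size pair that ssh-keygen would refuse."""


def validate_ssh_key_params(key_type, key_bits=None):
    """Return the normalized (key_type, bits) pair or raise InvalidSshKeyParams.

    A None size selects the type's default, like omitting -b for ssh-keygen.
    """
    key_type = key_type.lower()
    if key_type not in _DEFAULT_BITS:
        raise InvalidSshKeyParams("unsupported key type %r (want dsa, rsa or ecdsa)"
                                  % key_type)
    bits = _DEFAULT_BITS[key_type] if key_bits is None else int(key_bits)
    if key_type == "dsa" and bits not in _DSA_BITS:
        raise InvalidSshKeyParams("DSA keys must be 1024 bits, got %d" % bits)
    if key_type == "ecdsa" and bits not in _ECDSA_BITS:
        raise InvalidSshKeyParams("ECDSA keys must be 256, 384 or 521 bits, got %d"
                                  % bits)
    if key_type == "rsa" and bits < _RSA_MIN_BITS:
        raise InvalidSshKeyParams("RSA keys must be at least %d bits, got %d"
                                  % (_RSA_MIN_BITS, bits))
    return key_type, bits


def is_valid_ssh_key_params(key_type, key_bits=None):
    """Boolean form of validate_ssh_key_params, for callers that only need a yes/no."""
    try:
        validate_ssh_key_params(key_type, key_bits)
    except InvalidSshKeyParams:
        return False
    return True


def weak_key_warnings(key_type, bits):
    """Advisory warnings for pairs ssh-keygen accepts but a cluster should avoid."""
    warnings = []
    if key_type == "dsa":
        warnings.append("DSA is limited to 1024-bit keys and is deprecated in OpenSSH")
    if key_type == "rsa" and bits < _RSA_RECOMMENDED_MIN:
        warnings.append("RSA keys below %d bits are considered weak" % _RSA_RECOMMENDED_MIN)
    return warnings


def build_keygen_command(key_type, key_bits, key_file, comment=""):
    """Build the ssh-keygen argv for a validated pair: no passphrase, quiet,
    type and size passed explicitly so the result does not depend on defaults."""
    key_type, bits = validate_ssh_key_params(key_type, key_bits)
    return ["ssh-keygen", "-q", "-t", key_type, "-b", str(bits),
            "-N", "", "-C", comment, "-f", key_file]


if __name__ == "__main__":
    for req in (("rsa", None), ("ecdsa", 521), ("dsa", 1024), ("rsa", 1024),
                ("dsa", 2048), ("ecdsa", 512), ("ed25519", None)):
        try:
            kt, kb = validate_ssh_key_params(*req)
            print("ok   %-7s %4d %s" % (kt, kb, "; ".join(weak_key_warnings(kt, kb))))
        except InvalidSshKeyParams as err:
            print("fail %-7s %s: %s" % (req[0], req[1], err))
```

Running the module prints one line per requested pair, so the rejections for DSA at 2048 bits, ECDSA at 512 bits and the unsupported type are visible before anything touches a node; the argv builder is what a wrapper around key generation would hand to subprocess.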
