We discussed this during the previous Nova meeting and we agreed on the
fact that this is a valid issue, but we need to deprecate the generation
API (and continue to accept importing public keys).

As this means a new API microversion, we need a spec for it so we'll
discuss this during the next PTG.

Closing the bug.

** Changed in: nova
   Importance: Undecided => Wishlist

** Changed in: nova
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1962726

Title:
  ssh-rsa key is no longer allowed by recent openssh

Status in OpenStack Compute (nova):
  Opinion

Bug description:
  Description
  ===========
  Currently, the create key-pair API, when called without actual key content,
  returns a key generated on the server side, which is in ssh-rsa format.

  However, ssh-rsa is no longer supported by default since openssh 8.8.

  https://www.openssh.com/txt/release-8.8

  ```
  This release disables RSA signatures using the SHA-1 hash algorithm
  by default. This change has been made as the SHA-1 hash algorithm is
  cryptographically broken, and it is possible to create chosen-prefix
  hash collisions for <USD$50K [1]
  ```

  Actually, in current CentOS 9 Stream, SHA1 is disabled by default and
  ssh-rsa no longer works.
  Fedora disabled SHA1/ssh-rsa by default a while ago.

  It would be required to support other formats like ecdsa, which are
  generally recommended.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1962726/+subscriptions
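As an added example (not from the bug report and not nova's own code), a stdlib-only Python check of the kind a keypair import API could run on the key material a user submits: it parses an OpenSSH public-key line, verifies that the text prefix matches the key-type string embedded in the base64 blob, and flags ssh-rsa keys for the deprecation policy discussed above. The sample keys are constructed for format validity only and are not real keys; the set of preferred types is an assumed policy.

```python
import base64
import struct

# Assumed deployment policy: key types that do not depend on the SHA-1 "ssh-rsa"
# signature algorithm disabled by default in OpenSSH 8.8 and in CentOS 9 Stream.
PREFERRED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_openssh_public_key(line):
    """Parse one authorized_keys-style line and return (key_type, comment).

    Raises ValueError if the line is malformed or if the type prefix does not
    match the type string embedded in the blob (RFC 4253 string encoding)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)  # raises ValueError on bad input
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len]
    if len(embedded) != type_len or embedded != key_type.encode("ascii", "replace"):
        raise ValueError("key type prefix does not match embedded type string")
    return key_type, comment


def classify_key(line):
    """Return 'preferred', 'legacy-rsa', 'unknown' or 'malformed' for an import."""
    try:
        key_type, _ = parse_openssh_public_key(line)
    except ValueError:
        return "malformed"
    if key_type == "ssh-rsa":
        return "legacy-rsa"
    return "preferred" if key_type in PREFERRED_TYPES else "unknown"


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_line(key_type, *fields, comment="constructed"):
    """Build a format-valid public-key line from constructed (non-real) field bytes."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed samples: ed25519 is type + 32-byte key; rsa is type + mpint e + mpint n.
SAMPLE_ED25519 = make_sample_line("ssh-ed25519", b"\x01" * 32)
SAMPLE_RSA = make_sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256)
SAMPLE_MISMATCH = "ssh-ed25519 " + SAMPLE_RSA.split()[1] + " constructed"
```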


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
