[GNC-dev] Deprecating ssh-dss keys on code


Derek Atkins-3
Hi,

As part of the upgrade to Fedora 29, OpenSSH disabled the ssh-dss key
type.  After a bunch of searching I was able to re-enable it, however it
looks like the key-type is going to be removed from OpenSSH in a future
release.  To that end, I encourage each committer to refresh your SSH
public key on code to a more "modern" cryptosystem.

It is quite possible that you will need the help of Geert, John, or
myself to update the git config -- and even worse, while there used to
be an ssh command you could use to login and update your own ssh public
key, I believe that functionality was lost a few years ago with the LAST
update to code.

-derek

PS: A quick look at the set of developers with ssh-dss keys, and it
appears that I am the only active member that this applies to.  The set
of dss keys appear to be owned by: asayed, chris, dvherman, hampton,
jsled, linas, rolf, tomfray, wilddev, and myself.

PPS: It also looks like the "new user script" that I was using years ago
is no longer around...  Hmm..  Not sure what happened to it.
--
       Derek Atkins                 617-623-3745
       [hidden email]             www.ihtfp.com
       Computer and Internet Security Consultant
_______________________________________________
gnucash-devel mailing list
[hidden email]
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
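
Added example, not part of the original thread and not GnuCash's own tooling: one way to take the "quick look" for ssh-dss keys described in the message above, assuming a gitolite-style set of one-line per-user `.pub` files. It decodes each key blob and checks the algorithm name stored inside it rather than trusting the text label alone; the user names, key material and function names are constructed for illustration.

```python
import base64
import struct

WEAK_TYPES = {"ssh-dss"}  # the key type the thread is retiring


def embedded_type(blob_b64):
    """Read the length-prefixed algorithm name at the start of the key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("bad algorithm-name length")
    return blob[4:4 + n].decode("ascii")


def classify(pub_line):
    """Return 'weak', 'mismatch', 'malformed' or 'ok' for one .pub line."""
    fields = pub_line.split()
    if len(fields) < 2:
        return "malformed"
    declared = fields[0]
    try:
        actual = embedded_type(fields[1])
    except ValueError:  # also covers bad base64 and non-ASCII names
        return "malformed"
    if declared in WEAK_TYPES or actual in WEAK_TYPES:
        return "weak"
    return "ok" if declared == actual else "mismatch"


def audit(keys):
    """keys maps user -> contents of that user's .pub file; returns user -> status."""
    return {user: classify(line) for user, line in keys.items()}


def sample_key(label, inner=None):
    """Constructed test key: valid framing, dummy key material (not a real key)."""
    name = (inner or label).encode()
    blob = struct.pack(">I", len(name)) + name + b"\x00" * 16
    return f"{label} {base64.b64encode(blob).decode()} constructed@example"


SAMPLE_KEYS = {  # constructed users and keys, not the project's
    "alice": sample_key("ssh-ed25519"),
    "bob": sample_key("ssh-dss"),
    "carol": sample_key("ssh-rsa", inner="ssh-dss"),  # label hides a DSA blob
    "dave": "ssh-rsa not-base64!",
}
```

To run it against a real key directory, build the `keys` mapping by reading each `.pub` file and pass it to `audit`.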

Re: [GNC-dev] Deprecating ssh-dss keys on code

John Ralls-2


> On Feb 3, 2019, at 5:47 PM, Derek Atkins <[hidden email]> wrote:
>
> Hi,
>
> As part of the upgrade to Fedora 29, OpenSSH disabled the ssh-dss key
> type.  After a bunch of searching I was able to re-enable it, however it
> looks like the key-type is going to be removed from OpenSSH in a future
> release.  To that end, I encourage each committer to refresh your SSH
> public key on code to a more "modern" cryptosystem.
>
> It is quite possible that you will need the help of Geert, John, or
> myself to update the git config -- and even worse, while there used to
> be an ssh command you could use to login and update your own ssh public
> key, I believe that functionality was lost a few years ago with the LAST
> update to code.
>
> -derek
>
> PS: A quick look at the set of developers with ssh-dss keys, and it
> appears that I am the only active member that this applies to.  The set
> of dss keys appear to be owned by: asayed, chris, dvherman, hampton,
> jsled, linas, rolf, tomfray, wilddev, and myself.
>
> PPS: It also looks like the "new user script" that I was using years ago
> is no longer around...  Hmm..  Not sure what happened to it.

Derek,

I think it makes more sense to remove the ids than to get new keys for any of those except you and maybe Linas. If any of them should wander back we can recreate the ids and generate new keys pretty quickly.

Even if the script hadn't been lost it's likely not compatible with gitorious.

Regards,
John Ralls

Re: [GNC-dev] Deprecating ssh-dss keys on code

Derek Atkins-3
John Ralls <[hidden email]> writes:

>> of dss keys appear to be owned by: asayed, chris, dvherman, hampton,
>> jsled, linas, rolf, tomfray, wilddev, and myself.
>
> Derek,
>
> I think it makes more sense to remove the ids than to get new keys for
> any of those except you and maybe Linas. If any of them should wander
> back we can recreate the ids and generate new keys pretty quickly.

Well, I figured out how to re-enable ssh-dss for now.  I upgraded my own
keys, but if any of the above (ex-?) devs want to have access going
forward they will need to work with me to upgrade their keys.  I will
let the configuration modification lapse the next time that file gets
reset by an update.

> Even if the script hadn't been lost it's likely not compatible with gitorious.

Well, the script did all the user creation, email forwarding, etc.
Then, yes, the key would need to be added to the gitolite admin repo too.

> Regards,
> John Ralls

-derek

--
       Derek Atkins                 617-623-3745
       [hidden email]             www.ihtfp.com
       Computer and Internet Security Consultant

Re: [GNC-dev] Deprecating ssh-dss keys on code

GnuCash - Dev mailing list
On 11/02/2019 21:32, Derek Atkins wrote:

> John Ralls <[hidden email]> writes:
>
>>> of dss keys appear to be owned by: asayed, chris, dvherman, hampton,
>>> jsled, linas, rolf, tomfray, wilddev, and myself.
>>
>> Derek,
>>
>> I think it makes more sense to remove the ids than to get new keys for
>> any of those except you and maybe Linas. If any of them should wander
>> back we can recreate the ids and generate new keys pretty quickly.
>
> Well, I figured out how to re-enable ssh-dss for now.  I upgraded my own
> keys, but if any of the above (ex-?) devs want to have access going
> forward they will need to work with me to upgrade their keys.  I will
> let the configuration modification lapse the next time that file gets
> reset by an update.
>
>> Even if the script hadn't been lost it's likely not compatible with gitorious.
>
> Well, the script did all the user creation, email forwarding, etc.
> Then, yes, the key would need to be added to the gitolite admin repo too.

Well, that was a fascinating insight into trust.

Good thing the bad people don't read lists like this :)

Motto: keep some people you trust in your trust model.

--
Wm
