[Pkg-ganeti-devel] Bug#853129: ganeti: Ganeti depends on SSH-DSS public keys to work

Apollon Oikonomopoulos apoikos at debian.org
Mon Jan 30 08:24:29 UTC 2017


Hi Georg, Martin,

On 02:14 Mon 30 Jan, Georg Faerber wrote:
> Hi Apollon,
> 
> On 17-01-30 01:34:38, Martin Weinelt wrote:
> > ganeti heavily depends on SSH-DSS keypairs for operations between
> > cluster nodes; with OpenSSH 7.0, said keys have been deprecated.
> > 
> > Please add a remark that SSH-DSS needs to be reallowed if ganeti is
> > supposed to work.
> > 
> > In /etc/ssh/ssh_config
> > Add PubkeyAcceptedKeyTypes +ssh-dss
> > 
> > In /etc/ssh/sshd_config
> > Add PubkeyAcceptedKeyTypes +ssh-dss

A workaround for this is to generate and distribute keys yourself and 
tell Ganeti not to modify the ssh setup instead (at gnt-cluster init 
time). Re-enabling the DSA keys (at least on new clusters) should really 
be avoided; there is a reason OpenSSH has dropped support by default :)

> 
> Do you think it would be possible to cherry-pick the changes, [1] and
> the following commits, some of them at least, which were made against
> the 2.16 branch, into the Debian package? It would be great to have this
> fixed for stretch, but I'm unsure if changing that much is acceptable
> given the late point in the freeze.
> 
> I didn't check if these commits apply cleanly against the current
> source, but maybe this could serve as a starting point.

It should be possible to have this in Stretch. However, being a week 
away from the freeze complicates things a bit and it will take some time 
(also depending on the release team's workload).

Cheers,
Apollon
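
Added example (not from this thread and not Ganeti or OpenSSH code): a shell audit that reports where ssh-dss has been re-enabled through PubkeyAcceptedKeyTypes and counts DSA public keys in an authorized_keys file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers (hypothetical names), not Ganeti or OpenSSH code.

# Print "file:line" for each active PubkeyAcceptedKeyTypes directive that
# lists ssh-dss. Commented-out lines and "-list" (removal) forms are skipped;
# wildcard patterns are not expanded.
dss_reenabled() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            {
                line = tolower($0); sub(/#.*/, "", line)
                if (line !~ /^[ \t]*pubkeyacceptedkeytypes[ \t=]+/) next
                sub(/^[ \t]*pubkeyacceptedkeytypes[ \t=]+/, "", line)
                if (line ~ /^-/) next
                if (line ~ /ssh-dss/) print f ":" NR
            }
        ' "$f"
    done
}

# Count DSA public keys in an authorized_keys-style file. The key type may be
# preceded by an options field, so every field but the last is checked.
count_dss_keys() {
    awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "ssh-dss") { n++; break } }
        END { print n + 0 }
    ' "$1"
}

# Demo on constructed sample files (not real keys or real cluster config).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# PubkeyAcceptedKeyTypes +ssh-dss' \
        'PubkeyAcceptedKeyTypes +ssh-dss' > "$d/sshd_config"
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAA root@node1' \
        'ssh-rsa AAAAB3NzaC1yc2EAAA root@node2' > "$d/authorized_keys"
    dss_reenabled "$d/sshd_config"
    count_dss_keys "$d/authorized_keys"
    rm -rf "$d"
}
demo
```

On a real node, point `dss_reenabled` at /etc/ssh/ssh_config and /etc/ssh/sshd_config, and `count_dss_keys` at the authorized_keys file used for inter-node access.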