yahoo-eng-team team mailing list archive
Message #88441
[Bug 1962726] Re: ssh-rsa key is no longer allowed by recent openssh
We discussed this during the previous Nova meeting and we agreed on the
fact that this is a correct issue, but we need to deprecate the generation
API (and continue to accept importing public keys).
As this means a new API microversion, we need a spec for it, so we'll
discuss this during the next PTG.
Closing the bug.
** Changed in: nova
Importance: Undecided => Wishlist
** Changed in: nova
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1962726
Title:
ssh-rsa key is no longer allowed by recent openssh
Status in OpenStack Compute (nova):
Opinion
Bug description:
Description
===========
Currently, the create Key-pair API, when called without actual key content, returns a key generated at the server side, which is formatted as ssh-rsa.
However, ssh-rsa is no longer supported by default since openssh 8.8:
https://www.openssh.com/txt/release-8.8
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually, in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It'd be required to support other formats like ecdsa, which are
generally recommended.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1962726/+subscriptions
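An added example, not part of this bug report or of Nova's own code: a small Python inventory check for the public keys a keypair API returns in OpenSSH `<type> <base64-blob> [comment]` format. It decodes the wire-format blob rather than trusting the text prefix, reports the algorithm (plus modulus size for RSA and curve name for ECDSA), and flags `ssh-rsa` keys as the ones to regenerate client-side and re-import, which is the workaround the report implies. The function names are mine, and the sample keys are constructed in-code: structurally valid blobs, not real key material.

```python
import base64
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_public_key(line):
    """Parse one '<type> <base64-blob> [comment]' line.

    Returns the key type (checked against the type embedded in the blob),
    the comment, and for RSA the modulus size in bits or for ECDSA the curve.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    embedded, offset = _read_string(blob, 0)
    embedded = embedded.decode("ascii")
    if embedded != declared:
        # Header and blob disagree: reject rather than guess which one is right.
        raise ValueError(f"type mismatch: header {declared!r}, blob {embedded!r}")
    info = {"type": embedded, "comment": parts[2] if len(parts) > 2 else ""}
    if embedded == "ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent (mpint)
        n, offset = _read_string(blob, offset)    # modulus (mpint)
        # int.from_bytes ignores the mpint's leading sign byte, so this is the real size.
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif embedded.startswith("ecdsa-sha2-"):
        curve, offset = _read_string(blob, offset)
        info["curve"] = curve.decode("ascii")
    return info


def audit(lines):
    """Return (type, detail, verdict) per key; ssh-rsa keys get 'rotate'."""
    report = []
    for line in lines:
        info = parse_openssh_public_key(line)
        detail = info.get("bits") or info.get("curve") or ""
        verdict = "rotate" if info["type"] == "ssh-rsa" else "ok"
        report.append((info["type"], detail, verdict))
    return report


# --- constructed sample keys (structurally valid blobs, not real key material) ---

def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the value positive, as the mpint encoding requires
        raw = b"\x00" + raw
    return _string(raw)


def _encode_line(key_type, fields, comment):
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_RSA = _encode_line("ssh-rsa", [_mpint(65537), _mpint((1 << 2047) | 1)],
                          "nova-generated")
SAMPLE_ECDSA = _encode_line("ecdsa-sha2-nistp256",
                            [_string(b"nistp256"), _string(b"\x04" + b"\x01" * 64)],
                            "imported")
SAMPLE_ED25519 = _encode_line("ssh-ed25519", [_string(b"\x02" * 32)], "imported")

if __name__ == "__main__":
    for row in audit([SAMPLE_RSA, SAMPLE_ECDSA, SAMPLE_ED25519]):
        print(*row)
```

In practice the input lines are the `public_key` values of the keypairs in a project; the type check against the embedded blob matters because the text prefix is the only thing a casual `grep ssh-rsa` looks at, and a mismatched line should be treated as corrupt rather than classified.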