
bootstrap: Set ECDSA as the default SSH key algorithm #2041

Merged
merged 2 commits into from
Nov 2, 2021

Conversation

stefanprodan
Member

Motivation: RSA SHA-1 SSH keys are no longer accepted by GitHub https://github.blog/2021-09-01-improving-git-protocol-security-github/.

Given this we are switching the default from RSA to ECDSA for git, github and gitlab variants of flux bootstrap.

Fix: #2040

Motivation: RSA SHA-1 SSH keys are no longer accepted by GitHub https://github.blog/2021-09-01-improving-git-protocol-security-github/.
Given this we are switching the default from RSA to ECDSA for `git`, `github` and `gitlab` variants of `flux bootstrap`.

Signed-off-by: Stefan Prodan <[email protected]>
@stefanprodan stefanprodan added the area/bootstrap Bootstrap related issues and pull requests label Nov 2, 2021
@stefanprodan stefanprodan requested a review from hiddeco November 2, 2021 14:23
@hiddeco
Member

hiddeco commented Nov 2, 2021

NB: switching to the RSA-SHA2 alternative is not possible, as Go lacks support for this format.

@stefanprodan stefanprodan merged commit 3b609e9 into main Nov 2, 2021
@stefanprodan stefanprodan deleted the bootstrap-ecdsa-default branch November 2, 2021 15:15
@tarasbsbr

@stefanprodan Just curious, why ECDSA? GitHub seems to recommend ed25519, and others do as well?

@antoinedeschenes

antoinedeschenes commented Nov 10, 2021

ECDSA has trust issues all over, Ed25519 could have been a better choice here.

RSA keys aren't going away, just usage of SHA-1 signatures during authentication, which affects older clients.

However, as @hiddeco mentioned, it looks like golang doesn't handle it yet, even though it's been part of OpenSSH for a while. golang/go#37278
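The discussion above turns on which key algorithm the client presents to GitHub. The following is an added audit helper, not code from flux2 or from anyone in this thread: it parses the OpenSSH public-key wire format (RFC 4251 length-prefixed strings) of a deploy-key line, checks that the declared type matches the type inside the blob, and reports the algorithm so an operator can spot RSA keys that will fail with a client that only signs with SHA-1. All key material is constructed dummy data, and the verdict wording is an assumption drawn from this thread.

```python
"""Hypothetical audit helper: report the algorithm of SSH public keys used as deploy keys."""
import base64
import struct

# Assumed verdicts, based on the thread: RSA keys still work, SHA-1 signatures do not.
VERDICTS = {
    "ssh-rsa": "RSA: works only with rsa-sha2-256/512 signatures (Go's ssh client lacked these)",
    "ecdsa-sha2-nistp256": "ECDSA: accepted (flux bootstrap default after #2041)",
    "ecdsa-sha2-nistp384": "ECDSA: accepted",
    "ecdsa-sha2-nistp521": "ECDSA: accepted",
    "ssh-ed25519": "Ed25519: accepted",
}

def read_string(blob, offset):
    """Read one RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string length exceeds blob")
    return blob[offset + 4:end], end

def parse_public_key(line):
    """Parse one '<type> <base64> [comment]' line; return (wire key type, comment)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    wire_type, offset = read_string(blob, 0)
    wire_type = wire_type.decode("ascii")
    # The type name inside the blob is authoritative; a mismatch means a typo or tampering.
    if wire_type != fields[0]:
        raise ValueError(f"declared type {fields[0]!r} != wire type {wire_type!r}")
    if wire_type.startswith("ecdsa-sha2-"):  # ECDSA blobs carry the curve name next
        curve, offset = read_string(blob, offset)
        if "ecdsa-sha2-" + curve.decode("ascii") != wire_type:
            raise ValueError("curve name does not match key type")
    return wire_type, " ".join(fields[2:])

def classify(line):
    """Return (key type, verdict); malformed lines yield ('invalid', reason)."""
    try:
        key_type, _ = parse_public_key(line)
    except ValueError as exc:
        return "invalid", str(exc)
    return key_type, VERDICTS.get(key_type, "unknown algorithm: reject")

def make_blob(*parts):  # builds a base64 blob from constructed (dummy) fields
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

# Constructed sample lines with dummy key material (not real keys)
SAMPLE_RSA = "ssh-rsa " + make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256) + " flux-old"
SAMPLE_ECDSA = "ecdsa-sha2-nistp256 " + make_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64) + " flux"
SAMPLE_ED25519 = "ssh-ed25519 " + make_blob(b"ssh-ed25519", b"\x22" * 32)
SAMPLE_BAD = "ssh-rsa " + make_blob(b"ssh-ed25519", b"\x22" * 32)
```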

@hiddeco
Member

hiddeco commented Nov 10, 2021

Due to various parts of Flux depending on libgit2, the recommendation is different: https://github.blog/2021-09-01-improving-git-protocol-security-github/#libgit2-and-other-git-clients

makkes pushed a commit to fluxcd/website that referenced this pull request Mar 24, 2023
We changed the default algorithm to ECDSA in fluxcd/flux2#2041.

Signed-off-by: Max Jonas Werner <[email protected]>
Successfully merging this pull request may close these issues.

GitHub bootstrap: You're using an RSA key with SHA-1, which is no longer allowed.