In FIPS mode, using RSA keys for ssh is fine as long as SHA-1 is not used for the signature algorithm. Unfortunately, the version of cirros used in OpenStack CI does not have a version of dropbear that supports SHA-2 signatures. So, any connections from a FIPS enabled machine will fail as the cirros instance will only support ssh-rsa (SHA-1 signatures).

To get around this, we add a new option to specify the key type (validation.ssh_key_type). This will allow the addition of other key types in future if needed. Tempest now supports 'rsa' and 'ecdsa' key types.

We also add a fips job to the experimental queue to test the usage of the new key type.

Change-Id: Ib59eb8432fa1a2813b3047955157d1b3d24a55f8

changes/65/807465/26
parent fe0ac89a5a
commit 6ded070b51
@ -0,0 +1,4 @@
|
||||
- hosts: all
|
||||
tasks:
|
||||
- include_role:
|
||||
name: enable-fips
|
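Review bot: neither the play at `- hosts: all` nor the `include_role` task has a `name:`, so the job log will not label the step that switches the node into FIPS mode. Please add a `name:` to both. A short comment would also help, stating whether every node is meant to be switched, since `hosts: all` covers all nodes of a multinode job. The release-note file in this change starts with `---`; starting this playbook the same way would keep the YAML files consistent.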
@ -0,0 +1,6 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Add parameter to specify the SSH key type. Current options are 'rsa'
|
||||
(which is the default) and 'ecdsa'. Tempest now supports the importing
|
||||
and generation of both 'rsa' and 'ecdsa' SSH key types.
|
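Review bot: the release note says "Add parameter to specify the SSH key type" but never names the parameter, so an operator reading the notes cannot tell what to set. Please name the option as it appears in the commit message (`validation.ssh_key_type`) in the first sentence. It would also help to add one sentence on why someone would pick 'ecdsa', namely the FIPS case the commit message describes, where a guest that only supports ssh-rsa (SHA-1 signatures) cannot be reached.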