From 75ca0b87c6957aa21d4945cc698a2a39e544185d Mon Sep 17 00:00:00 2001
From: Martin Kopec
Date: Wed, 20 Apr 2022 17:57:45 +0200
Subject: [PATCH] Switch to ecdsa ssh key type by default

As the version of cirros used in OpenStack CI does not support SHA-2 signatures for ssh, any connection from a FIPS enabled machine will fail in case validation.ssh_key_type is set to rsa (the default until now). Using ecdsa keys helps us avoid the mentioned issue. From now on, the validation.ssh_key_type option will be set to ecdsa by default for testing simplicity. This change shouldn't have any drastic effect on any tempest consumer, in case rsa ssh type is required in a consumer's scenario, validation.ssh_key_type can be overridden to rsa.
Relevant-Bug: #1960692
Change-Id: If9becae119e2a5dc51d4911a0ac9759fbcf24998
---
 ...dsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml | 12 ++++++++++++
 tempest/config.py | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml
diff --git a/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml b/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml
new file mode 100644
index 0000000000..5fc316bdb8
--- /dev/null
+++ b/releasenotes/notes/Switch-to-ecdsa-ssh-key-type-by-default-0425b5d5ec72c1c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ As the version of cirros used in OpenStack CI does not support SHA-2
+ signatures for ssh, any connection from a FIPS enabled machine will fail
+ in case validation.ssh_key_type is set to rsa (the default until now).
+ Using ecdsa keys helps us avoid the mentioned issue.
+ From now on, the validation.ssh_key_type option will be set to ecdsa
+ by default for testing simplicity.
+ This change shouldn't have any drastic effect on any tempest consumer,
+ in case rsa ssh type is required in a consumer's scenario,
+ validation.ssh_key_type can be overridden to rsa.
diff --git a/tempest/config.py b/tempest/config.py
index b4d489163c..75c73c738f 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -974,7 +974,7 @@ ValidationGroup = [
 help="Network used for SSH connections. Ignored if "
 "connect_method=floating."),
 cfg.StrOpt('ssh_key_type',
- default='rsa',
+ default='ecdsa',
 help='Type of key to use for ssh connections. '
 'Valid types are rsa, ecdsa'),
 ]
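Review bot: The `ssh_key_type` option whose default changes here is still a free-form `cfg.StrOpt`, so a value other than the two listed in its help text passes config loading and presumably fails only later, when a key is generated or a connection is attempted (the consumer is outside this hunk). Adding `choices=['rsa', 'ecdsa'],` after the new `default='ecdsa',` line would reject a mistyped value up front. The help text also gives no reason for the default, so an operator who overrides back to rsa gets no warning of the failure described in the commit message. It could end with `'Valid types are rsa, ecdsa. rsa can fail from FIPS enabled hosts if the guest image lacks SHA-2 signature support.'`. The `ValidationGroup` list begins outside the hunk.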