Switch to ecdsa ssh key type by default

As the version of cirros used in OpenStack CI does not support SHA-2
signatures for ssh, any connection from a FIPS enabled machine will fail
in case validation.ssh_key_type is set to rsa (the default until now).
Using ecdsa keys helps us avoid the mentioned issue.

From now on, the validation.ssh_key_type option will be set to ecdsa
by default for testing simplicity.

This change shouldn't have any drastic effect on any tempest consumer,
in case rsa ssh type is required in a consumer's scenario,
validation.ssh_key_type can be overridden to rsa.

Relevant-Bug: #1960692
Change-Id: If9becae119e2a5dc51d4911a0ac9759fbcf24998
This commit is contained in:
Martin Kopec 2022-04-20 17:57:45 +02:00
parent 0afd087cba
commit 75ca0b87c6
2 changed files with 13 additions and 1 deletions

View File

@ -0,0 +1,12 @@
---
upgrade:
- |
As the version of cirros used in OpenStack CI does not support SHA-2
signatures for ssh, any connection from a FIPS enabled machine will fail
in case validation.ssh_key_type is set to rsa (the default until now).
Using ecdsa keys helps us avoid the mentioned issue.
From now on, the validation.ssh_key_type option will be set to ecdsa
by default for testing simplicity.
This change shouldn't have any drastic effect on any tempest consumer,
in case rsa ssh type is required in a consumer's scenario,
validation.ssh_key_type can be overridden to rsa.

View File

@ -974,7 +974,7 @@ ValidationGroup = [
help="Network used for SSH connections. Ignored if "
"connect_method=floating."),
cfg.StrOpt('ssh_key_type',
default='rsa',
default='ecdsa',
help='Type of key to use for ssh connections. '
'Valid types are rsa, ecdsa'),
]