Tracking task for the SSH AuthN/AuthZ setup for the Automation Framework.
All the evaluation and testing is currently being done in the Labs project automation-framework.
Change 318941 had a related patch set uploaded (by Volans):
keyholder: be systemd compatible
Change 318943 had a related patch set uploaded (by Volans):
keyholder: add support for SHA256 key fingerprints
The best option investigated was to use an SSH CA that is authorized across the fleet, and to create and sign a short-lived certificate for each interaction. This solution has been tested and works fine, but depends on upstream openssh accepting a patch, see the upstream bug and the PR on GitHub. The Puppet code and a small script to generate signed keys on demand from Python are ready to be used if/when the patch is accepted upstream.
For now a normal SSH key armed with keyholder and with limited authorization on the target hosts will be used instead, so as not to be blocked by this.
Resolving it for now.
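The SSH CA approach described in the comment above, as an added example that is not the task's own Puppet code or script: a small Python helper that generates a fresh ed25519 key pair for one interaction and signs it with ssh-keygen into a user certificate that is limited to a set of principals, a few minutes of validity and no forwarding. The CA key path, the principal names and the sshd settings named in the comments are assumptions for illustration; the script only relies on the standard ssh-keygen flags (-s, -I, -n, -V, -z, -O) and does not model the upstream patch the comment refers to.

```python
"""Mint a short-lived SSH user certificate from a fleet SSH CA.

Added example, not the project's own script. Assumptions (hypothetical):
  - the CA private key lives at CA_KEY on the signing host,
  - target hosts trust the CA via "TrustedUserCAKeys /etc/ssh/automation_ca.pub"
    in sshd_config and map principals to accounts with AuthorizedPrincipalsFile,
  - a standard OpenSSH ssh-keygen is on PATH.
"""
import os
import subprocess
import tempfile
import time

CA_KEY = "/etc/ssh/automation_ca"  # hypothetical path of the CA private key
# Certificate options baked in at signing time; sshd enforces them regardless
# of what the client asks for.
CERT_OPTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")


def validity_interval(lifetime_s, skew_s=60):
    """Return an ssh-keygen -V value: valid from skew_s seconds in the past
    (tolerates clock drift on the targets) until lifetime_s from now."""
    if lifetime_s <= 0 or skew_s < 0:
        raise ValueError("lifetime must be positive and skew non-negative")
    return "-%ds:+%ds" % (skew_s, lifetime_s)


def build_sign_argv(ca_key, pubkey_path, key_id, principals, lifetime_s, serial, skew_s=60):
    """Build the ssh-keygen command that signs pubkey_path into a user
    certificate restricted to the given principals and lifetime."""
    if not principals:
        raise ValueError("a certificate without principals is refused by sshd")
    argv = [
        "ssh-keygen", "-q",
        "-s", ca_key,
        "-I", key_id,                          # identity sshd logs at login
        "-n", ",".join(principals),            # accounts the cert may log in as
        "-V", validity_interval(lifetime_s, skew_s),
        "-z", str(serial),                     # serial, usable in a KRL later
    ]
    for opt in CERT_OPTIONS:
        argv += ["-O", opt]
    argv.append(pubkey_path)
    return argv


def mint_certificate(ca_key, key_id, principals, lifetime_s=300, workdir=None):
    """Generate a throwaway ed25519 key pair, sign it, and return
    (private_key_path, cert_path). ssh-keygen writes the certificate next to
    the public key as <name>-cert.pub, which ssh picks up automatically when
    given the private key with -i."""
    workdir = workdir or tempfile.mkdtemp(prefix="sshcert-")
    key_path = os.path.join(workdir, "id_ed25519")
    subprocess.run(
        ["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", key_id, "-f", key_path],
        check=True,
    )
    # Assumption: epoch seconds as serial; a persistent counter is better in production.
    serial = int(time.time())
    subprocess.run(
        build_sign_argv(ca_key, key_path + ".pub", key_id, principals, lifetime_s, serial),
        check=True,
    )
    return key_path, key_path + "-cert.pub"


def describe_certificate(cert_path):
    """Return the human-readable dump of a certificate (ssh-keygen -L)."""
    return subprocess.run(
        ["ssh-keygen", "-L", "-f", cert_path], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    # Hypothetical run: mint a 5-minute cert for the "deploy" principal.
    key, cert = mint_certificate(CA_KEY, "automation-job-42", ["deploy"])
    print(describe_certificate(cert))
    print("ssh -i %s deploy@target-host" % key)
```

The target side needs nothing per interaction: sshd validates the signature against TrustedUserCAKeys, checks the principal list and the validity window, and applies the baked-in options, so the authorization decision is made by what the CA signed rather than by whatever authorized_keys happens to contain on the host.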