Prepare to use id_ecdsa in place of id_rsa

RSA is outdated, easily cracked, By default, Fedora
disabled support for it, forcing use of newer, more
secure keys.

To make it work, switch to newer version of the key.

Change-Id: Ic9b2df06e931344c1a116106682c517bc8013bf2

.gitignore

@@ -56,8 +56,8 @@ web/share/data
 
 # logs
 data/*.log
-data/id_rsa
-data/id_rsa.pub
+data/id_ecdsa
+data/id_ecdsa.pub
 
 # local config
 

Dockerfile

@@ -57,7 +57,7 @@ COPY data/elastic-recheck.conf /root/elastic-recheck.conf
 COPY data/recheckwatchbot.yaml /root/recheckwatchbot.yaml
 COPY tools/ssh-check.py  /root/ssh-check.py
 # COPY data/crontab  /var/spool/cron/crontabs/root
-COPY data/id_rsa  /root/.ssh/id_rsa
+COPY data/id_ecdsa  /root/.ssh/id_ecdsa
 
 # using root allows us to use same relative paths in configs for running outside
 # containers, where ./data contains persistent configs and logs.

Makefile

@@ -44,7 +44,7 @@ ifndef GERRIT_USER
 endif
 
 .PHONY: build
-build: data/id_rsa check-env  ## Build image using $(ENGINE)
+build: data/id_ecdsa check-env  ## Build image using $(ENGINE)
 	@echo "Checking that current user can connect to gerit using ssh..."""
 	@python3 ./tools/ssh-check.py
 	$(ENGINE) build -t $(IMAGE_TAG) .
@@ -53,7 +53,7 @@ build: data/id_rsa check-env  ## Build image using $(ENGINE)
 	$(ENGINE) run --env GERRIT_USER -it $(IMAGE_TAG) python3 /root/ssh-check.py
 
 .PHONY: up
-up: data/id_rsa check-env ## Run containers
+up: data/id_ecdsa check-env ## Run containers
 	@# validates that container has credentials and connectivity to talk with gerrit server
 	@# Validate the builder image can connect to server
 	@# $(ENGINE) run --env GERRIT_USER -it $(IMAGE_TAG) python3 /root/ssh-check.py
@@ -78,10 +78,10 @@ dive:  ## Use `dive` tool to investigate container size
 	# https://github.com/wagoodman/dive
 	dive $(IMAGE_TAG)
 
-data/id_rsa:
+data/id_ecdsa:
 	# this key must be unencrypted, so create a spare one for testing and
 	# add it to your gerrit user configuration
-	cp -f ~/.ssh/id_rsa_insecure data/id_rsa
+	cp -f ~/.ssh/id_ecdsa_insecure data/id_ecdsa
 
 .PHONY: clean
 clean:  ## Use clean to remove all temp files, including container and images but **not** data/
@@ -90,11 +90,10 @@ clean:  ## Use clean to remove all temp files, including container and images bu
 .PHONY: key
 key: ## Makes a SSH key compatibile with paramiko (overrides existing one)
 	@mkdir -p data
-	@rm data/id_rsa || true
-	@ssh-keygen -q -m PEM -t rsa -b 2048 -f data/id_rsa <<<$$'\n'
-	@ssh-keygen -l -f data/id_rsa
+	@rm data/id_ecdsa || true
+	@ssh-keygen -q -N '' -m PEM -t ecdsa -f data/id_ecdsa
 	@echo "WARN: Please assign key below to your gerrit user using the web interface:"
-	@ssh-keygen -l -f data/id_rsa
+	@ssh-keygen -l -f data/id_ecdsa
 
 
 .PHONY: wheel

data/elastic-recheck.conf

@@ -19,7 +19,7 @@ channel_config=recheckwatchbot.yaml
 host=${GERRIT_HOST}
 user=${GERRIT_USER}
 query_file=${GERRIT_QUERY_FILE}
-key=/root/.ssh/id_rsa
+key=/root/.ssh/id_ecdsa
 
 [data_source]
 es_url=${ES_URL}

elasticRecheck.conf.sample

@@ -16,7 +16,7 @@ ci_username=jenkins
 user=os-tripleo-ci
 host=review.opendev.org
 query_file=/opt/elastic-recheck/queries
-key=/root/.ssh/id_rsa
+key=/root/.ssh/id_ecdsa
 
 [data_source]
 es_url=http://logstash.openstack.org:80/elasticsearch

tools/unaccounted_rechecks.py

@@ -28,7 +28,7 @@ def get_options():
         description='Find rechecks not accounted for in ER')
     parser.add_argument('-u', '--user', help='Gerrit User',
                         default=getpass.getuser())
-    tryfiles = ('id_gerrit', 'id_rsa', 'id_dsa')
+    tryfiles = ('id_gerrit', 'id_ecdsa', 'id_dsa')
     default_key = ""
     for f in tryfiles:
         trykey = os.path.join(os.path.expanduser("~"), '.ssh', f)