Prepare to use id_ecdsa in place of id_rsa
RSA is outdated and easily cracked. By default, Fedora disabled support for it, forcing the use of newer, more secure keys. To make it work, switch to a newer version of the key. Change-Id: Ic9b2df06e931344c1a116106682c517bc8013bf2
parent
1fdc167bec
commit
52978992a1
|
@ -56,8 +56,8 @@ web/share/data
|
|||
|
||||
# logs
|
||||
data/*.log
|
||||
data/id_rsa
|
||||
data/id_rsa.pub
|
||||
data/id_ecdsa
|
||||
data/id_ecdsa.pub
|
||||
|
||||
# local config
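Review bot: If the `data/id_rsa` and `data/id_rsa.pub` entries are the removed side of this hunk, as the commit title suggests, checkouts that still hold an unencrypted `data/id_rsa` will stop ignoring it, and a broad `git add` could then commit a private key. Keep both old entries in the list next to the new `data/id_ecdsa` and `data/id_ecdsa.pub` lines. The `key` target in the Makefile appears to have the related gap: it no longer removes `data/id_rsa`, so the old key stays on disk until someone deletes it by hand.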
|
||||
|
||||
|
|
|
@ -57,7 +57,7 @@ COPY data/elastic-recheck.conf /root/elastic-recheck.conf
|
|||
COPY data/recheckwatchbot.yaml /root/recheckwatchbot.yaml
|
||||
COPY tools/ssh-check.py /root/ssh-check.py
|
||||
# COPY data/crontab /var/spool/cron/crontabs/root
|
||||
COPY data/id_rsa /root/.ssh/id_rsa
|
||||
COPY data/id_ecdsa /root/.ssh/id_ecdsa
|
||||
|
||||
# using root allows us to use same relative paths in configs for running outside
|
||||
# containers, where ./data contains persistent configs and logs.
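Review bot: `COPY data/id_ecdsa /root/.ssh/id_ecdsa` writes the unencrypted private key into an image layer, so anyone who can pull or export the image can read the Gerrit credential, and it stays in the layer history even if a later step deletes the file. Consider leaving the key out of the image and supplying it at run time through a read-only bind mount of `data/id_ecdsa`; the comment below the COPY lines suggests `./data` is already treated as persistent state. If the key has to stay baked in, a comment above the COPY such as `# image contains a private key: never push to a shared registry` would make that constraint visible. The build file continues outside this hunk.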
|
||||
|
|
15
Makefile
15
Makefile
|
@ -44,7 +44,7 @@ ifndef GERRIT_USER
|
|||
endif
|
||||
|
||||
.PHONY: build
|
||||
build: data/id_rsa check-env ## Build image using $(ENGINE)
|
||||
build: data/id_ecdsa check-env ## Build image using $(ENGINE)
|
||||
@echo "Checking that current user can connect to gerit using ssh..."""
|
||||
@python3 ./tools/ssh-check.py
|
||||
$(ENGINE) build -t $(IMAGE_TAG) .
|
||||
|
@ -53,7 +53,7 @@ build: data/id_rsa check-env ## Build image using $(ENGINE)
|
|||
$(ENGINE) run --env GERRIT_USER -it $(IMAGE_TAG) python3 /root/ssh-check.py
|
||||
|
||||
.PHONY: up
|
||||
up: data/id_rsa check-env ## Run containers
|
||||
up: data/id_ecdsa check-env ## Run containers
|
||||
@# validates that container has credentials and connectivity to talk with gerrit server
|
||||
@# Validate the builder image can connect to server
|
||||
@# $(ENGINE) run --env GERRIT_USER -it $(IMAGE_TAG) python3 /root/ssh-check.py
|
||||
|
@ -78,10 +78,10 @@ dive: ## Use `dive` tool to investigate container size
|
|||
# https://github.com/wagoodman/dive
|
||||
dive $(IMAGE_TAG)
|
||||
|
||||
data/id_rsa:
|
||||
data/id_ecdsa:
|
||||
# this key must be unencrypted, so create a spare one for testing and
|
||||
# add it to your gerrit user configuration
|
||||
cp -f ~/.ssh/id_rsa_insecure data/id_rsa
|
||||
cp -f ~/.ssh/id_ecdsa_insecure data/id_ecdsa
|
||||
|
||||
.PHONY: clean
|
||||
clean: ## Use clean to remove all temp files, including container and images but **not** data/
|
||||
|
@ -90,11 +90,10 @@ clean: ## Use clean to remove all temp files, including container and images bu
|
|||
.PHONY: key
|
||||
key: ## Makes a SSH key compatibile with paramiko (overrides existing one)
|
||||
@mkdir -p data
|
||||
@rm data/id_rsa || true
|
||||
@ssh-keygen -q -m PEM -t rsa -b 2048 -f data/id_rsa <<<$$'\n'
|
||||
@ssh-keygen -l -f data/id_rsa
|
||||
@rm data/id_ecdsa || true
|
||||
@ssh-keygen -q -N '' -m PEM -t ecdsa -f data/id_ecdsa
|
||||
@echo "WARN: Please assign key below to your gerrit user using the web interface:"
|
||||
@ssh-keygen -l -f data/id_rsa
|
||||
@ssh-keygen -l -f data/id_ecdsa
|
||||
|
||||
|
||||
.PHONY: wheel
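Review bot: The `data/id_ecdsa` rule copies an unencrypted private key with `cp -f` and never sets its mode: a new file takes the source's mode filtered by the umask, and an existing `data/id_ecdsa` keeps whatever mode it already had. Pin it with `install -m 0600 ~/.ssh/id_ecdsa_insecure $@` so the key is not group- or world-readable in the working tree. A one-line comment above the rule naming `make key` as the other way to create the file would also help anyone who has no `~/.ssh/id_ecdsa_insecure` yet.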
|
||||
|
|
|
@ -19,7 +19,7 @@ channel_config=recheckwatchbot.yaml
|
|||
host=${GERRIT_HOST}
|
||||
user=${GERRIT_USER}
|
||||
query_file=${GERRIT_QUERY_FILE}
|
||||
key=/root/.ssh/id_rsa
|
||||
key=/root/.ssh/id_ecdsa
|
||||
|
||||
[data_source]
|
||||
es_url=${ES_URL}
|
||||
|
|
|
@ -16,7 +16,7 @@ ci_username=jenkins
|
|||
user=os-tripleo-ci
|
||||
host=review.opendev.org
|
||||
query_file=/opt/elastic-recheck/queries
|
||||
key=/root/.ssh/id_rsa
|
||||
key=/root/.ssh/id_ecdsa
|
||||
|
||||
[data_source]
|
||||
es_url=http://logstash.openstack.org:80/elasticsearch
|
||||
|
|
|
@ -28,7 +28,7 @@ def get_options():
|
|||
description='Find rechecks not accounted for in ER')
|
||||
parser.add_argument('-u', '--user', help='Gerrit User',
|
||||
default=getpass.getuser())
|
||||
tryfiles = ('id_gerrit', 'id_rsa', 'id_dsa')
|
||||
tryfiles = ('id_gerrit', 'id_ecdsa', 'id_dsa')
|
||||
default_key = ""
|
||||
for f in tryfiles:
|
||||
trykey = os.path.join(os.path.expanduser("~"), '.ssh', f)
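Review bot: `tryfiles` still probes `id_dsa`, a key type weaker than the one this commit retires and one that current OpenSSH servers reject by default, and it does not probe `id_ed25519`. If the intent is to default to key types that modern servers accept, something like `tryfiles = ('id_gerrit', 'id_ecdsa', 'id_ed25519')` fits the commit message better. Whether the key loader used later accepts Ed25519 is not visible in this hunk, so confirm that before adding it. `get_options` starts and ends outside the hunk.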
|
||||
|
|