Re: bastion ssh host key change 2023-03-29

On Thu, Mar 30, 2023 at 04:11:45PM -0400, Frank Ch. Eigler wrote: > Hi - > >> The VerifyHostKeyDNS does require secure DNS to avoid any >> confirmation prompt. Without DNSSEC, `VerifyHostKeyDNS yes` >> is the same as `VerifyHostKeyDNS ask`. > > OK, that's one thing to check/fix. Ah yeah, that could well be the case. >> Perhaps that's the issue in Frank's case? > > Plus: bastion-iad01.fedoraproject.org. appears to lack the SSHFP records. We should drop that from dns. It was only used when we were moving from phx2 to iad2. There should be 3 things in dns: bastion01.fedoraproject.org bastion02.fedoraproject.org bastion.fedoraproject.org with the last one being a CNAME for whichever one is default (currently 01). Anyhow, the ssh access SOP should be updated with all this info. Probibly sshfp isn't worth doing these days and we should just stick with the certificate signed config.