Change default remote execution ssh-key

Problem:
Fedora 34 hosts do not allow the ssh-rsa pubkey algorithm in the DEFAULT crypto policy, so remote execution towards my provisioned Fedora 34 hosts is denied.

Expected outcome:
Of course I want remote execution to work, so I’m trying to upgrade the SSH key to ed25519.

Foreman and Proxy versions:
2.2.3 and 2.5.1

Foreman and Proxy plugin versions:
foreman_tasks = 4.1.2
foreman_remote_execution = 4.5.1

Distribution and version:
I kickstart CentOS 7, 8 and Fedora 34.

Other relevant data:
I have an ansible user created and a pubkey deployed during kickstart and want to use that account for both Ansible runs as well as remote execution. I have set that up under Administer → Settings → {Ansible, RemoteExecution}.
I join all hosts successfully to my FreeIPA realm.
Remote execution works towards CentOS 7 and 8 with the default key but fails towards F34. When I try to upgrade to an ed25519 key with the command:

foreman-installer --scenario katello --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-file id_ed25519_foreman_proxy

the file /etc/foreman-proxy/settings.d/remote_execution_ssh.yml is updated with the new value and the new key is deployed during kickstart. However, when trying a remote execution towards the clients, the command hangs forever (until you “force cancel” it in the “Tasks” list).

Is there a tutorial on how to upgrade the remote execution key somewhere? I haven’t found any.
I use the same ed25519 key for Ansible runs and they work as expected in both 2.2.3 and 2.5.1. I can also ssh to the client with the ed25519 key (see logs below). 192.168.57.2 is the Foreman server. ellen-ciprian is the Fedora 34 client.

Here are some logs:

client# “journalctl -u sshd” output at the client when trying a remote execution job:
(as you can see, it disconnects after ~25 secs without an authentication attempt)

aug 04 22:20:23 ellen-ciprian.domain.tld sshd[3205]: Accepted publickey for ansible from 192.168.57.2 port 44202 ssh2: ED25519 SHA256:64GuV3DXHz1IwNNnWj5mC0z4VuGFO9cqO8M+YHUwM+8
aug 04 22:20:23 ellen-ciprian.domain.tld sshd[3205]: pam_unix(sshd:session): session opened for user ansible(uid=2222) by (uid=0)
aug 04 22:22:49 ellen-ciprian.domain.tld sshd[17080]: Connection closed by 192.168.57.2 port 44348 [preauth]

Logging in with the SSH key:

foreman-server# sudo -u foreman-proxy ssh -i id_ed25519_foreman_proxy ansible@ellen-ciprian.domain.tld -vvvv
(this logs me in without problem)

journalctl -u sshd at the client:
aug 04 22:28:21 ellen-ciprian.domain.tld sshd[17099]: Accepted publickey for ansible from 192.168.57.2 port 44370 ssh2: ED25519 SHA256:64GuV3DXHz1IwNNnWj5mC0z4VuGFO9cqO8M+YHUwM+8
aug 04 22:28:21 ellen-ciprian.domain.tld sshd[17099]: pam_unix(sshd:session): session opened for user ansible(uid=2222) by (uid=0)

ssh output at the Foreman server:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_ed25519_foreman_proxy ED25519 SHA256:64GuV3DXHz1IwNNnWj5mC0z4VuGFO9cqO8M+YHUwM+8 explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: id_ed25519_foreman_proxy ED25519 SHA256:64GuV3DXHz1IwNNnWj5mC0z4VuGFO9cqO8M+YHUwM+8 explicit
debug3: sign_and_send_pubkey: ED25519 SHA256:64GuV3DXHz1IwNNnWj5mC0z4VuGFO9cqO8M+YHUwM+8
debug3: sign_and_send_pubkey: signing using ssh-ed25519
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to ellen-ciprian.domain.tld ([192.168.57.246]:22).

I had to put some effort into removing old entries in all known_hosts files:
/root/.ssh/known_hosts
/usr/share/foreman-proxy/.ssh/known_hosts
/var/lib/sss/pubconf/known_hosts

I have also changed the host key in my FreeIPA server.

Any help would be appreciated.

Regards,
/F

Support for ed25519 keys is not there yet. It is being worked on and it is getting close, but still not there yet. As an alternative, you could use Ansible or reconfigure the crypto policy on the Fedora machines.

1 Like

OK, thanks for your answer. Should I take it that non-RSA keys are not supported, or are there other key types I could try?

dsa and ecdsa seem to work for me when running a rex job from Foreman 2.5 against an EL7 client, just make sure to generate them in PEM format. I’m not sure if those will work against the latest Fedora, but it is worth a try.
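The answer above hinges on one detail that is easy to get wrong: since OpenSSH 7.8, ssh-keygen writes private keys in its own native format by default, and you have to pass -m PEM to get the legacy PEM encoding. The script below is an added example, not code from the thread or from the Foreman project. It generates an ECDSA key in PEM format for the proxy, checks the key file header so you can tell the two formats apart before handing the key to the proxy, and clears stale host entries from the three known_hosts files the original poster listed. The key directory /usr/share/foreman-proxy/.ssh, the key name id_ecdsa_foreman_proxy and the foreman-proxy user:group are assumptions; the installer flag is the one used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Foreman): generate a PEM-format
# ECDSA key for foreman_remote_execution and verify its encoding.
# Assumed locations (hypothetical, adjust to your install):
KEY_DIR="${KEY_DIR:-/usr/share/foreman-proxy/.ssh}"
KEY_NAME="${KEY_NAME:-id_ecdsa_foreman_proxy}"

# Classify a private key file by its first line:
#   pem     - legacy PEM encodings, what "ssh-keygen -m PEM" writes
#   openssh - OpenSSH native format, the default since OpenSSH 7.8
#   unknown - anything else (empty file, public key, wrong file, ...)
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        "-----BEGIN EC PRIVATE KEY-----"|\
        "-----BEGIN RSA PRIVATE KEY-----"|\
        "-----BEGIN DSA PRIVATE KEY-----") echo pem ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *) echo unknown ;;
    esac
}

# Generate the key without a passphrase (the proxy uses it unattended),
# restrict permissions, and refuse to continue unless the result is PEM.
# Requires ssh-keygen on the proxy host.
gen_rex_key() {
    dir=$1; name=$2
    mkdir -p "$dir"
    ssh-keygen -t ecdsa -b 256 -m PEM -N '' -C "foreman-proxy rex" -f "$dir/$name"
    chmod 600 "$dir/$name"
    if id foreman-proxy >/dev/null 2>&1; then
        chown foreman-proxy:foreman-proxy "$dir/$name" "$dir/$name.pub"
    fi
    [ "$(key_format "$dir/$name")" = pem ]
}

# Remove a re-provisioned host from every known_hosts file the proxy,
# root and sssd consult (the three files named in the thread). sssd
# regenerates its own file, but a stale entry there still causes a
# host key mismatch until it does.
forget_host() {
    host=$1
    for f in /root/.ssh/known_hosts \
             /usr/share/foreman-proxy/.ssh/known_hosts \
             /var/lib/sss/pubconf/known_hosts; do
        [ -f "$f" ] && ssh-keygen -R "$host" -f "$f" >/dev/null 2>&1
    done
    return 0
}

# Only act when invoked explicitly; sourcing the file just defines functions.
case "${1:-}" in
    generate)
        gen_rex_key "$KEY_DIR" "$KEY_NAME" || { echo "key is not PEM" >&2; exit 1; }
        ssh-keygen -l -f "$KEY_DIR/$KEY_NAME.pub"
        echo "Now point the proxy at it, e.g.:"
        echo "  foreman-installer --scenario katello \\"
        echo "    --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-file $KEY_NAME"
        echo "and deploy $KEY_DIR/$KEY_NAME.pub to the remote execution user during kickstart."
        ;;
    forget)
        forget_host "$2"
        ;;
esac
```

Run it as `sh rex-key.sh generate` on the proxy host, then `sh rex-key.sh forget ellen-ciprian.domain.tld` for each host you re-kickstart. The format check is the useful part: if `key_format` reports `openssh`, the key was generated without `-m PEM` and the proxy will fail to use it even though `ssh -i` from the command line works fine, which is exactly the silent-hang symptom described earlier in the thread.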

The ECDSA key in PEM format did the trick. Now I can run rex jobs against F34 with the ECDSA key and Ansible jobs with the ed25519 key.

Thanks a lot.

1 Like