fedora33: update-crypto-policies --set LEGACY

Upstream SSH has been claiming for a few releases now that: It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release. See hashicorp/vagrant#11783 (comment)
alvistack · Nov 1, 2020 · 59d153b · 59d153b
1 parent fd148ca
commit 59d153b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/generic-libvirt.json b/generic-libvirt.json
@@ -4298,10 +4298,9 @@
         ]
       ],
       "http_directory": "http",
-      "headless": true,
+      "headless": false,
       "iso_url": "https://dl.fedoraproject.org/pub/fedora/linux/releases/33/Server/x86_64/iso/Fedora-Server-netinst-x86_64-33-1.2.iso",
-      "iso_checksum": "1f1f018e78f0cc23d08db0c85952344ea5c200e67b672da5b07507c066a52ccf",
-      "iso_checksum_type": "sha256",
+      "iso_checksum": "sha256:1f1f018e78f0cc23d08db0c85952344ea5c200e67b672da5b07507c066a52ccf",
       "ssh_username": "root",
       "ssh_password": "vagrant",
       "ssh_port": 22,

diff --git a/scripts/fedora33/tuning.sh b/scripts/fedora33/tuning.sh
@@ -37,3 +37,7 @@ tuned-adm profile virtual-guest
 # Configure grub to wait just 1 second before booting
 sed -i -e 's/^GRUB_TIMEOUT=[0-9]\+$/GRUB_TIMEOUT=1/' /etc/default/grub
 grub2-mkconfig -o /boot/grub2/grub.cfg
+
+# Re-add ssh-rsa to PubkeyAcceptedKeyTypes.
+# https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1
+sed -i "s/^\(PubkeyAcceptedKeyTypes.*\)/\1,ssh-rsa,ssh-rsa-cert-v01@openssh.com/" /etc/crypto-policies/back-ends/opensshserver.config