Hi,
I have recently been working on adding support for SSH keys other than
RSA (for the communication between ovirt-engine and hosts (VDS-es)).
The entire effort is tracked in Bugzilla [1].
There are a couple of important changes I would like to share with you.
The first and most important is a change in the way the connection is verified.
Previously, fingerprints (SHA-256 by default, unless changed via
configuration) were used to verify whether the connection between the engine
and the host could be established. Now public keys are compared instead
(with one exception for backward compatibility).
For backward compatibility, i.e. for previously added (legacy) hosts with a
fingerprint calculated from the RSA public key (the key itself is not stored in the db),
the verification is done as before, that is, we compare fingerprints
only. After the upgrade the whole setup is expected to work without any
manual intervention.
However, there are a couple of options to 'migrate' the legacy fingerprint to
whatever the ssh server finds strongest on the host:
1) In the database, remove the sshkeyfingerprint value, i.e.
update vds_static set sshkeyfingerprint='' where vds_id = 'PUT_HERE_HOST_ID'
2) REST: prepare a request with a blank fingerprint for 'legacy' hosts.
Please see the documentation [2]. The fingerprint and public key will be
re-entered.
3) reinstall the host / install a new host
4) manually deploy the key and update the host's vds_static.sshkeyfingerprint
and vds_static.public_key
On the engine's UI side there is still a way to fetch fingerprints (on the 'New
Host' panel), but we anticipate that soon there will be a public key (OpenSSH
format) instead.
Please let me know if you have any questions, doubts or if you encounter
any issues around this area.
The patches (referenced in BZ [1]) have been merged into master and this
feature is expected to go out with the 4.4.5 upstream release.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1837221
[2] https://jenkins.ovirt.org/job/ovirt-engine-api-model_standard-check-patch...
best,
Artur
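Worked example, added here for illustration and not part of the mail above or of the oVirt code base: a small Python model of the verification rule described (compare public keys when one is stored, fall back to fingerprint comparison for a legacy host that only has a fingerprint) and of what re-entering the key and fingerprint after blanking the stored fingerprint looks like. The function names, the KEY_PREFERENCE order used to pick "the strongest" key, and the sample key blobs (fake bytes in a valid OpenSSH blob layout) are all assumptions made for this example. Fingerprints follow the OpenSSH convention (SHA256:<unpadded base64> or MD5:aa:bb:...) computed over the decoded key blob.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside OpenSSH key blobs (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def make_openssh_key(key_type: str, *fields: bytes, comment: str = "test") -> str:
    """Build a single-line OpenSSH public key from a type and its blob fields.
    Used only to construct sample keys here; the field bytes are not real key material."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_key(line: str) -> Tuple[str, bytes]:
    """Return (key_type, blob) from an OpenSSH public key line.
    The comment is ignored; the type advertised outside the blob must match the
    type encoded inside it, so a relabelled key is rejected."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type mismatch between field and blob")
    return key_type, blob


def fingerprint(pubkey_line: str, algo: str = "sha256") -> str:
    """OpenSSH-style fingerprint of the key blob:
    'SHA256:<unpadded base64>' (default) or 'MD5:aa:bb:...'."""
    _, blob = parse_openssh_key(pubkey_line)
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    raise ValueError(f"unsupported fingerprint algorithm: {algo}")


def verify_host_key(stored_public_key: str, stored_fingerprint: str,
                    presented_key: str, algo: str = "sha256") -> bool:
    """Engine-side check modelled on the mail (assumption, not oVirt's code):
    if a public key is stored for the host, compare the key blobs; for a legacy
    host (no stored key, only a fingerprint) compare fingerprints instead.
    A host with neither stored is unknown and is rejected rather than trusted."""
    if stored_public_key:
        _, stored_blob = parse_openssh_key(stored_public_key)
        _, presented_blob = parse_openssh_key(presented_key)
        return hmac.compare_digest(stored_blob, presented_blob)
    if stored_fingerprint:
        return hmac.compare_digest(stored_fingerprint, fingerprint(presented_key, algo))
    return False


# Assumed preference order when picking the strongest key a host offers.
KEY_PREFERENCE = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa")


def migrate_legacy_host(record: Dict[str, str], host_keys: Dict[str, str],
                        algo: str = "sha256") -> Dict[str, str]:
    """Migration option 1 from the mail, modelled: once sshkeyfingerprint has been
    blanked, re-enter both public_key and sshkeyfingerprint from the strongest key
    the host offers. A record whose fingerprint is still set is left untouched."""
    if record.get("sshkeyfingerprint"):
        return dict(record)
    for key_type in KEY_PREFERENCE:
        if key_type in host_keys:
            return {"public_key": host_keys[key_type],
                    "sshkeyfingerprint": fingerprint(host_keys[key_type], algo)}
    raise ValueError("host offers no supported key type")


# Constructed sample keys (fake bytes, valid blob layout): an ed25519 key is a
# single 32-byte field, an RSA key is the two mpints e and n.
SAMPLE_ED25519 = make_openssh_key("ssh-ed25519", bytes(range(32)), comment="host-a")
SAMPLE_RSA = make_openssh_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 64,
                              comment="host-a")
```

Two things worth noticing in the model: the comparison is done on the decoded blob, so the free-text comment at the end of the key line cannot influence the result, and a blank stored fingerprint is treated as "unknown host" rather than "accept anything". Whichever migration option is used, the key that gets re-entered is whatever the host presents at that moment, so the migration is best done while the host is known to be reachable over a trusted path.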