Tuesday, 2020-10-13

<openstackgerrit> Moisés Guimarães proposed openstack/pbr master: Adding pre-commit https://review.opendev.org/742160 09:16
<weshay> proxy error on gerrit 11:58
<weshay> fyi 11:58
<sboyron> weshay +1 11:59
<ttx> +1 12:18
<fungi> discussion in #opendev but it should be responding again now 12:22
<sboyron> fungi ok, thx, yes it's working now 12:24
<EmilienM> fungi, clarkb: FYI I'm debugging ssh issues against review.opendev.org 16:31
<EmilienM> and it seems related to the new version of openssh shipped in fedora 33 beta 16:31
<EmilienM> which has stronger requirements and our version of Gerrit seems too old 16:31
<EmilienM> http://paste.openstack.org/show/hG6lhK3Aw2d8rqDoYNRE/ 16:32
<EmilienM> i'll let you know what I find 16:32
<fungi> EmilienM: thanks, curious to find out what you discover 16:32
<EmilienM> it's the /etc/crypto-policies/back-ends/openssh.config that is shipped in f33 16:33
<EmilienM> https://www.diffchecker.com/hAA6vbTQ 16:33
<EmilienM> the one on the left works fine against our gerrit 16:34
<EmilienM> the one on the right doesn't 16:34
<fungi> EmilienM: we also have an upgraded gerrit at review-test.opendev.org you might want to compare against (it's got a snapshot of our production data from the beginning of the month) 16:34
<EmilienM> I reverted the changes done in /etc/crypto-policies/back-ends/openssh.config 16:34
<EmilienM> to put the f32 content 16:34
<clarkb> I'm on tumbleweed and it works fine 16:34
<fungi> same here on debian unstable, fwiw 16:34
<clarkb> ya I expect it's a config/policy issue not the software itself 16:34
<fungi> sounds like fedora got more restrictive with allowed cipher suites 16:35
<EmilienM> yeah 16:35
<EmilienM> I'll dig after lunch, and let you know what I find 16:35
<fungi> they dropped aes256-cbc from ciphers 16:36
<clarkb> also don't forget to set up your btrfs defrag schedule :P 16:36
* clarkb just ran into that after running out of disk while supposedly having plenty 16:36
<fungi> and dropped ssh-rsa,ssh-rsa-cert-v01@openssh.com from pubkeyacceptedkeytypes 16:39
<fungi> i expect it's the loss of ssh-rsa which did it 16:39
<fungi> EmilienM: https://marcin.juszkiewicz.com.pl/2020/09/30/upgraded-to-fedora-33/ 16:40
<clarkb> why would they drop ssh-rsa? 16:41
<fungi> interestingly debian's openssh 8.3p1 doesn't drop it 16:41
<clarkb> ya because rsa is still good aiui 16:41
<fungi> concern over chosen-prefix attacks 16:43
<fungi> the deprecation notice in 8.3 recommends using rsa-sha2-256/512, ssh-ed25519, or ecdsa-sha2-nistp256/384/521 16:43
<clarkb> fungi: PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512 <- is the workaround from marcin 16:44
<clarkb> so fedora is dropping the recommended rsa's too? 16:44
<fungi> apparently it's 8.4 which removes it by default, and i guess f33 updated to that but tumbleweed and sid have not yet 16:45
<clarkb> gotcha 16:46
<fungi> ahh, no, 8.4 doesn't say that it's dropped from defaults either: https://www.openssh.com/releasenotes.html 16:46
<clarkb> ya I expect fedora has done a more restrictive configuration 16:47
<clarkb> one that goes beyond openssh's recommendations 16:47
<clarkb> but need to check if gerrit 2.13 will do a sha2 256 rsa hostkey? 16:48
<clarkb> ya ok so gerrit won't do the sha256 16:49
<clarkb> review-test will 16:49
<clarkb> as a side note https can be used instead if people prefer 16:50
<clarkb> and it's the use of sha1 to verify host key signatures not rsa itself that is the problem. I'm not completely crazy in remembering rsa is fine 16:52
<fungi> right, which is why the rsa-sha2-* types are still acceptable 16:53
<clarkb> and openssh itself has warned a future release will remove ssh-rsa but the current release has not yet done so 16:54
<fungi> granted i'm struggling to think of how an attacker could leverage that in the case of our gerrit deployment. they couldn't really use it to fully hijack the session because they don't have the user's private key 16:55
<clarkb> they could replace the data pushed to gerrit? 16:56
<fungi> they could impersonate our gerrit and cause people to think they were issuing commands/pushing to us when they weren't 16:56
<fungi> they couldn't push something to us though, because they can't authenticate to our gerrit on behalf of the user without also compromising the user's private key, at which point there's no need to hijack anything anyway 16:57
<clarkb> ah 16:57
<fungi> they might be able to serve backdoored versions of changes to users over ssh, e.g. git fetch 16:57
<clarkb> new gerrit doesn't show you host keys in the web ui? 16:58
<clarkb> that is a disappointing regression 16:58
<fungi> it's not like impersonating your shell account where you might then log into what you think is your shell and sudo something and enter your password at a sudo password prompt and then because you're not too bright and have allowed ssh password auth for your shell server the attacker then has your account login and can take over your real account 16:59
<clarkb> ya I expect we can continue to live with this until we upgrade in a month or two 16:59
<clarkb> since openssh hasn't even removed it by default 16:59
<fungi> it's also not like we're encouraging unsafe configuration, we can recommend users temporarily stick a Host review.opendev.org override in their ~/.ssh/config with PubkeyAcceptedKeyTypes +ssh-rsa 17:02
<fungi> EmilienM: ^ curious if that solves it for you, btw 17:02
<EmilienM> fungi: thanks for the link, I didn't see it before 17:42
<EmilienM> fungi: yes the workaround works for me 17:46
<fungi> awesome, thanks for confirming 17:47
<EmilienM> for the record I hate installing f33 on my work laptop but I'm having strange issues with the new work laptop and thought using latest would help 17:47
<clarkb> EmilienM: I run tumbleweed to try and be canary for things like this but I guess their security stance is less strict than fedora's 17:48
<EmilienM> clarkb: thx for the defrag tip, I'll take it 17:48
<clarkb> EmilienM: I think the command is called rebalance or something 17:48
<clarkb> EmilienM: it is functionally similar to a defrag 17:48
