From 1d9ae483da3293bc337830e1731a9d5b55223eac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 17 Dec 2024 12:36:57 +0000
Subject: [PATCH] chg: set ECDSA as default egress key algo for new installs
---
 doc/sphinx/administration/configuration/bastion_conf.rst | 4 ++--
 etc/bastion/bastion.conf.dist | 8 ++++----
 lib/perl/OVH/Bastion/configuration.inc | 2 +-
 tests/functional/tests.d/330-selfkeys.sh | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/doc/sphinx/administration/configuration/bastion_conf.rst b/doc/sphinx/administration/configuration/bastion_conf.rst
index c1bc155..0510f5b 100644
--- a/doc/sphinx/administration/configuration/bastion_conf.rst
+++ b/doc/sphinx/administration/configuration/bastion_conf.rst
@@ -282,7 +282,7 @@ defaultAccountEgressKeyAlgorithm
 :Type: ``string``
-:Default: ``"rsa"``
+:Default: ``"ecdsa"``
 The default algorithm to use to create the egress key of a newly created account
@@ -293,7 +293,7 @@ defaultAccountEgressKeySize
 :Type: ``int > 0``
-:Default: ``4096``
+:Default: ``521``
 The default size to use to create the egress key of a newly created account (also see ``defaultAccountEgressKeyAlgorithm``)
diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist
index b16f7af..7376604 100644
--- a/etc/bastion/bastion.conf.dist
+++ b/etc/bastion/bastion.conf.dist
@@ -86,13 +86,13 @@
 #
 # defaultAccountEgressKeyAlgorithm (string)
 # DESC: The default algorithm to use to create the egress key of a newly created account
-# DEFAULT: "rsa"
-"defaultAccountEgressKeyAlgorithm": "rsa",
+# DEFAULT: "ecdsa"
+"defaultAccountEgressKeyAlgorithm": "ecdsa",
 #
 # defaultAccountEgressKeySize (int > 0)
 # DESC: The default size to use to create the egress key of a newly created account (also see ``defaultAccountEgressKeyAlgorithm``)
-# DEFAULT: 4096
-"defaultAccountEgressKeySize": 4096,
+# DEFAULT: 521
+"defaultAccountEgressKeySize": 521,
 #
 # moshAllowed (boolean)
 # DESC: If set to ``true``, mosh usage is allowed (mosh needs to be installed on serverside, obviously). Otherwise, this feature is disabled.
diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc
index 1382c94..137e75b 100644
--- a/lib/perl/OVH/Bastion/configuration.inc
+++ b/lib/perl/OVH/Bastion/configuration.inc
@@ -325,7 +325,7 @@ sub load_configuration {
 # 4/6) Strings that must be one item of a specific enum.
 foreach my $o (
- {name => 'defaultAccountEgressKeyAlgorithm', default => 'rsa', valid => [qw{ rsa ecdsa ed25519 }]},
+ {name => 'defaultAccountEgressKeyAlgorithm', default => 'ecdsa', valid => [qw{ rsa ecdsa ed25519 }]},
 {
 name => 'accountMFAPolicy',
 default => 'enabled',
diff --git a/tests/functional/tests.d/330-selfkeys.sh b/tests/functional/tests.d/330-selfkeys.sh
index 38b8231..b211aba 100644
--- a/tests/functional/tests.d/330-selfkeys.sh
+++ b/tests/functional/tests.d/330-selfkeys.sh
@@ -125,10 +125,10 @@ testsuite_selfkeys()
 tmpfp=$(get_json | $jq '.value|keys[0]')
 set -e
 json $(cat <
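Review bot: The `defaultAccountEgressKeySize (int > 0)` descriptor and its DESC line are now misleading with the new `ecdsa` default, because ssh-keygen accepts only 256, 384 or 521 as an ECDSA key size, so an operator who trusts `int > 0` and sets e.g. 4096 will have egress key generation fail for every newly created account. The two settings are also only safe as a pair: keeping the shipped `521` while switching the algorithm back to `rsa` requests an RSA key far below ssh-keygen's minimum and is rejected as well. I would extend the DESC on the size entry: `# DESC: The default size to use to create the egress key of a newly created account. Must match defaultAccountEgressKeyAlgorithm: ecdsa accepts only 256, 384 or 521; rsa should be at least 2048 (4096 recommended); ed25519 keys have a fixed size and ignore this value.`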
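Review bot: Only the algorithm default changes in this hunk, and the diffstat shows configuration.inc with a single changed line, so if `load_configuration` also carries a code-level fallback for `defaultAccountEgressKeySize` (presumably in the integer section, outside this hunk) it may still read 4096 — a size ssh-keygen rejects for ecdsa — which would break account creation on installs whose bastion.conf omits the size key; please verify that fallback was moved to 521 like the docs and bastion.conf.dist. The enum check on the changed line validates only the algorithm; nothing visible ties the size to it, so a config with `ecdsa` and a size other than 256/384/521 is accepted at load time and only fails later at ssh-keygen. Consider rejecting the mismatched pair at load time the way an unknown algorithm is rejected, or at least record the coupling next to this entry: `# defaultAccountEgressKeySize must agree with this algo: ecdsa accepts only 256/384/521`. `load_configuration` begins and ends outside this hunk.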