Description of problem: During the undercloud install we check if the stack user already has a rsa ssh key, otherwise we create one: https://github.com/openstack/tripleo-heat-templates/blob/master/extraconfig/post_deploy/undercloud_post.sh#L46 if [ ! -f $HOMEDIR/.ssh/id_rsa ]; then ssh-keygen -b 1024 -N '' -f $HOMEDIR/.ssh/id_rsa fi Unfortunately the latest crypto-policies rpm now enforces a minimum key size of 2048 via: $ grep RSAMinSize /etc/crypto-policies/back-ends/openssh.config RSAMinSize 2048 this breaks ssh to the overcloud nodes. I proposed we let ssh-keygen pick a default based on the os policies here: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854602 . We should probably look into how we can prevent this change from breaking existing environments where the key needs to be rotated (maybe we can leverage https://bugzilla.redhat.com/show_bug.cgi?id=2025933 ?) rpm version: crypto-policies-20220815-1.git0fbe86f.el9.noarch [root@undercloud-0 ~]# rpm -q --changelog crypto-policies-20220815-1.git0fbe86f.el9.noarch * Mon Aug 15 2022 Alexander Sosedkin <asosedkin> - 20220815-1.git0fbe86f - openssh: add RSAMinSize option following min_rsa_size
Sounds reasonable. Let's back port it to Wallaby and ship it with 17.1
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2207901
Bulk moving target milestone to GA after the release of Beta on 14th June '23.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2023:4577