Introduce SSH cert support by adamlazik1 · Pull Request #867 · theforeman/puppet-foreman_proxy

adamlazik1 · 2025-06-26T08:32:52Z

No description provided.

adamlazik1 · 2025-06-26T08:33:20Z

Depends on: theforeman/smart_proxy_remote_execution_ssh#126

adamlazik1 · 2025-07-11T07:14:52Z

This is now ready for review.

adamlazik1 · 2025-07-11T07:11:06Z

manifests/plugin/ansible.pp

+  }
+  $known_hosts_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? {
+    undef   => '',
+    default => "-o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_dir}/known_hosts -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file}",


Same issue as in remote execution. If we have host CA cert available, should we enforce StrictHostKeyChecking?

evgeni · 2025-07-14T12:42:18Z

/packit build

evgeni · 2025-07-14T12:57:22Z

@adamlazik1 could you rebase this please on latest master, so that Packit starts working?

packit-as-a-service · 2025-07-14T12:58:56Z

No config file for packit (e.g. .packit.yaml) found in theforeman/puppet-foreman_proxy on commit 18db7e9

For more info, please check out the documentation or contact the Packit team. You can also use our CLI command config validate or our pre-commit hooks for validation of the configuration.

evgeni · 2025-07-14T13:20:11Z

/packit build

adamlazik1 · 2025-07-14T15:07:14Z

Updated ansible ssh args to enforce strict host key checking if host CA is provided.

lhellebr · 2025-07-15T09:21:55Z

/packit build

packit-as-a-service · 2025-07-15T09:22:02Z

Account lhellebr has no write access nor is author of PR!

evgeni · 2025-07-15T09:24:45Z

/packit build

adamlazik1 · 2025-07-21T09:06:16Z

Switching back to draft since the feature got postponed to 3.16

manifests/plugin/remote_execution/script.pp

lhellebr · 2025-10-30T15:12:59Z

/packit build

packit-as-a-service · 2025-10-30T15:13:07Z

Account lhellebr has no write access nor is author of PR!

adamruzicka · 2025-10-30T15:56:07Z

/packit build

adamruzicka · 2025-12-17T15:27:24Z

@adamlazik1 could you please rebase and then undraft?

adamlazik1 · 2025-12-18T12:05:16Z

/packit build

lhellebr · 2025-12-30T13:05:32Z

/packit build

packit-as-a-service · 2025-12-30T13:05:40Z

Account lhellebr has no write access nor is author of PR!

adamlazik1 · 2026-01-05T11:17:06Z

/packit build

adamruzicka

LGTM

adamruzicka · 2026-01-06T09:35:55Z

manifests/plugin/remote_execution/script.pp

+    $ca_keys_content = file($ssh_host_ca_public_keys_file)
+    $ca_keys_lines = split($ca_keys_content, "\n").filter |$line| { $line =~ /\S/ }
+    $ca_known_hosts_content = $ca_keys_lines.map |$line| { "@cert-authority * ${line}" }.join("\n")


personal preference:
Maybe having this as a template would be easier to read?

I am going to try this out.

Appears to work in the current form. Is this what you had in mind @adamruzicka?

Looks good, thank you

adamlazik1 · 2026-01-06T10:02:16Z

/packit build

ekohl

Debian is failing:

ruby-smart-proxy-dynflow : Depends: ruby-dynflow (< 2.0.0) but 2.0.0-1+debian12 is to be installed
        	E: Unable to correct problems, you have held broken packages.

theforeman/smart_proxy_dynflow@3434e2a is already released in 1.0.0 but this isn't packaged yet. Since it's a relevant area I'd like to get those packaged up and released so the tests can be green. Other than that the PR looks good.

adamruzicka · 2026-01-06T14:10:09Z

theforeman/smart_proxy_dynflow@3434e2a is already released in 1.0.0 but this isn't packaged yet

It's packaged now:

adamlazik1 · 2026-01-08T14:16:57Z

@ekohl The tests are green again. PR ready for merge ✌️

lhellebr · 2026-01-09T09:53:00Z

pr-processor bot added the Not yet reviewed label Jun 26, 2025

adamlazik1 force-pushed the ssh-cert-support branch 5 times, most recently from 702e256 to 18db7e9 Compare July 11, 2025 07:12

adamlazik1 marked this pull request as ready for review July 11, 2025 07:14

adamlazik1 commented Jul 11, 2025

View reviewed changes

pr-processor bot removed the Not yet reviewed label Jul 11, 2025

adamlazik1 force-pushed the ssh-cert-support branch from 18db7e9 to 3759635 Compare July 14, 2025 13:18

adamlazik1 force-pushed the ssh-cert-support branch 2 times, most recently from f6c78c1 to 5e673ed Compare July 14, 2025 15:05

adamlazik1 force-pushed the ssh-cert-support branch from 5e673ed to 3bdd6b6 Compare July 17, 2025 09:39

adamlazik1 marked this pull request as draft July 21, 2025 09:06

adamlazik1 commented Jul 21, 2025

View reviewed changes

manifests/plugin/remote_execution/script.pp Show resolved Hide resolved

adamlazik1 force-pushed the ssh-cert-support branch from 3bdd6b6 to a9906b3 Compare October 22, 2025 11:52

adamlazik1 force-pushed the ssh-cert-support branch 2 times, most recently from b95fb9a to d614cca Compare December 18, 2025 09:42

adamlazik1 marked this pull request as ready for review December 18, 2025 09:42

adamlazik1 force-pushed the ssh-cert-support branch 2 times, most recently from 8164f9a to 844a7ae Compare December 18, 2025 12:04

adamlazik1 force-pushed the ssh-cert-support branch 2 times, most recently from d7986ca to b96bcac Compare December 18, 2025 15:08

adamruzicka approved these changes Jan 6, 2026

View reviewed changes

adamlazik1 marked this pull request as draft January 6, 2026 09:54

adamlazik1 force-pushed the ssh-cert-support branch from 4d5a801 to b39d987 Compare January 6, 2026 12:48

adamlazik1 marked this pull request as ready for review January 6, 2026 12:50

ekohl reviewed Jan 6, 2026

View reviewed changes

adamlazik1 force-pushed the ssh-cert-support branch 3 times, most recently from 985cdab to 2b1d464 Compare January 8, 2026 11:58

Introduce SSH cert support

5f770b5

adamlazik1 force-pushed the ssh-cert-support branch from 2b1d464 to 5f770b5 Compare January 8, 2026 14:05

ekohl approved these changes Jan 9, 2026

View reviewed changes

ekohl added the Enhancement label Jan 9, 2026

ekohl merged commit 648e3d2 into theforeman:master Jan 9, 2026
9 checks passed

adamlazik1 deleted the ssh-cert-support branch January 12, 2026 09:27

Conversation

adamlazik1 commented Jun 26, 2025

Uh oh!

adamlazik1 commented Jun 26, 2025

Uh oh!

adamlazik1 commented Jul 11, 2025

Uh oh!

adamlazik1 Jul 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

evgeni commented Jul 14, 2025

Uh oh!

evgeni commented Jul 14, 2025

Uh oh!

packit-as-a-service bot commented Jul 14, 2025

Uh oh!

evgeni commented Jul 14, 2025

Uh oh!

adamlazik1 commented Jul 14, 2025

Uh oh!

lhellebr commented Jul 15, 2025

Uh oh!

packit-as-a-service bot commented Jul 15, 2025

Uh oh!

evgeni commented Jul 15, 2025

Uh oh!

adamlazik1 commented Jul 21, 2025

Uh oh!

Uh oh!

lhellebr commented Oct 30, 2025

Uh oh!

packit-as-a-service bot commented Oct 30, 2025

Uh oh!

adamruzicka commented Oct 30, 2025

Uh oh!

adamruzicka commented Dec 17, 2025

Uh oh!

adamlazik1 commented Dec 18, 2025

Uh oh!

lhellebr commented Dec 30, 2025

Uh oh!

packit-as-a-service bot commented Dec 30, 2025

Uh oh!

adamlazik1 commented Jan 5, 2026

Uh oh!

adamruzicka left a comment

Choose a reason for hiding this comment

Uh oh!

adamruzicka Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

adamlazik1 Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

adamlazik1 Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

adamruzicka Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

adamlazik1 commented Jan 6, 2026

Uh oh!

ekohl left a comment

Choose a reason for hiding this comment

Uh oh!

adamruzicka commented Jan 6, 2026

Uh oh!

adamlazik1 commented Jan 8, 2026

Uh oh!

lhellebr commented Jan 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

adamlazik1 Jul 11, 2025 •

edited

Loading