From 8933e517fbbfffbb86a34d52dd34a500e6452159 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 9 May 2025 20:49:02 -0500 Subject: [PATCH] fedora-common: Do not configure SSH host cert When the SSH daemon is already configured to use an SSH host certificate but the specified certificate file does not exist, then the server will not try to use it later once it is created. This essentially means that the certificate obtained during first boot will not be used untile the SSH daemon is restarted. Rather than try to set all of this up in the kickstart, it's probably better to just let Ansible do it. Then, the SSH daemon can be restarted as needed automatically (by the host provisioner). --- fedora-common.ks | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/fedora-common.ks b/fedora-common.ks index 5206dce..7dee6ed 100644 --- a/fedora-common.ks +++ b/fedora-common.ks @@ -38,7 +38,7 @@ sshca-cli-systemd systemd-networkd %end -services --enabled systemd-networkd,systemd-resolved,ssh-host-certs-renew.timer,ssh-host-certs.target --disabled systemd-homed,systemd-nsresourced,systemd-nsresourced.socket,systemd-userdbd,systemd-userdbd.socket +services --enabled systemd-networkd,systemd-resolved --disabled systemd-homed,systemd-nsresourced,systemd-nsresourced.socket,systemd-userdbd,systemd-userdbd.socket %addon com_redhat_kdump --disable %end @@ -62,14 +62,6 @@ cat >> /etc/ssh/sshd_config.d/70-trustedusercakeys.conf <<'EOF' TrustedUserCAKeys /etc/ssh/ca.pub EOF -# Configure SSH daemon to use host certificates obtained from SSHCA -cat > /etc/sysconfig/ssh-host-cert-sign < /etc/ssh/sshd_config.d/10-hostcertificate.conf - # Configure networking with systemd-networkd # Use MAC address as client ID to keep the same lease from Anaconda rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
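Review bot: With `ssh-host-certs-renew.timer` and `ssh-host-certs.target` dropped from the `services --enabled` line, nothing visible in this file enables host-certificate issuance or renewal any more, although `sshca-cli-systemd` is still listed in the context lines above (apparently the package list). A freshly installed host will therefore present an uncertified host key until the provisioner has run, so the first Ansible connection presumably has to verify the host key by some other means, and renewal depends entirely on the Ansible role enabling the timer. That dependency is only recorded in the commit message; I would add a comment above the `services` line such as `# SSH host certificates (ssh-host-certs.target, renew timer, HostCertificate) are configured by Ansible after first boot, which also restarts sshd`. The same note covers the second hunk, which removes the `10-hostcertificate.conf` drop-in from %post.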