Merge pull request #122469 from cockroachdb/blathers/backport-release…

…-24.1-122448 release-24.1: roachprod: do not use ssh-rsa
cockroachdb · Apr 19, 2024 · 12af023 · 12af023
2 parents 7c2acd2 + d65cde4
commit 12af023
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pkg/roachprod/vm/gce/utils.go b/pkg/roachprod/vm/gce/utils.go
@@ -160,7 +160,10 @@ sudo sh -c 'echo "MaxStartups 64:30:128" >> /etc/ssh/sshd_config'
 # Crank up the logging for issues such as:
 # https://github.com/cockroachdb/cockroach/issues/36929
 sudo sed -i'' 's/LogLevel.*$/LogLevel DEBUG3/' /etc/ssh/sshd_config
+# FIPS is still on Ubuntu 20.04 however, so don't enable if using FIPS.
+{{ if not .EnableFIPS }}
 sudo sh -c 'echo "PubkeyAcceptedAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config'
+{{ end }}
 sudo service sshd restart
 # increase the default maximum number of open file descriptors for
 # root and non-root users. Load generators running a lot of concurrent
@@ -170,8 +173,10 @@ sudo sh -c 'echo "root - nofile 1048576\n* - nofile 1048576" > /etc/security/lim
 # N.B. Ubuntu 22.04 changed the location of tcpdump to /usr/bin. Since existing tooling, e.g.,
 # jepsen uses /usr/sbin, we create a symlink.
 # See https://ubuntu.pkgs.org/22.04/ubuntu-main-amd64/tcpdump_4.99.1-3build2_amd64.deb.html
-#
+# FIPS is still on Ubuntu 20.04 however, so don't create if using FIPS.
+{{ if not .EnableFIPS }}
 sudo ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
+{{ end }}
 
 # Send TCP keepalives every minute since GCE will terminate idle connections
 # after 10m. Note that keepalives still need to be requested by the application