From: Vincent Legoll <vincent.legoll@gmail.com>
To: "Efraim Flashner" <efraim@flashner.co.il>,
"Ludovic Courtès" <ludo@gnu.org>,
44887@debbugs.gnu.org
Subject: bug#44887: openssh service creates DSA keys
Date: Tue, 18 Jun 2024 19:28:35 +0000 [thread overview]
Message-ID: <CAEwRq=rU2wD7ZzcjnTJ0+1DAP6TVE+aytqCKxCbLg0KRjnqn9Q@mail.gmail.com> (raw)
In-Reply-To: <X7/GO+ALqt1y1ji6@E5400>
Hello,
I've done some digging on that issue. Hope it'll help.
It looks like the clients still support the DSA keys.
This is on a Void linux desktop:
[vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01@openssh.com
The following Guix VM has been created 2 days ago, with a very light config
vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01@openssh.com
So, I created a DSA PKI key pair, like so:
ssh-keygen -N '' -t dsa -f ssh-key-dsa
Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
then tried to connect to the OpenSSH server on that VM
[vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince@10.0.0.101: Permission denied (publickey).
So it looks like DSA client keys are not accepted any more by default.
Is there a problem for the server host key ?
vince@guix ~$ ls /etc/ssh/
authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub ssh_host_rsa_key
No DSA keys here. Maybe something has been changed and they are not
created any more.
So I'm not sure there is a problem, or am I mistaken ?
Didn't I look hard enough ?
WDYT ?
Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
--
Vincent Legoll
next prev parent reply other threads:[~2024-06-18 19:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-26 15:14 bug#44887: openssh service creates DSA keys Efraim Flashner
2024-06-18 19:28 ` Vincent Legoll [this message]
2024-06-19 12:02 ` Efraim Flashner
2024-06-19 17:18 ` Vincent Legoll
2024-06-19 20:10 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEwRq=rU2wD7ZzcjnTJ0+1DAP6TVE+aytqCKxCbLg0KRjnqn9Q@mail.gmail.com' \
--to=vincent.legoll@gmail.com \
--cc=44887@debbugs.gnu.org \
--cc=efraim@flashner.co.il \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).