On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
>
> I've done some digging on that issue. Hope it'll help.
>
> It looks like the clients still support the DSA keys.
>
> This is on a Void Linux desktop:
>
> [vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> The following Guix VM has been created 2 days ago, with a very light config
>
> vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> So, I created a DSA PKI key pair, like so:
>
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
>
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
>
> [vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince@10.0.0.101: Permission denied (publickey).
>
> So it looks like DSA client keys are not accepted any more by default.
>
> Is there a problem for the server host key?
>
> vince@guix ~$ ls /etc/ssh/
> authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
> ssh_host_ecdsa_key ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub ssh_host_rsa_key
>
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
>
> So I'm not sure there is a problem, or am I mistaken?
> Didn't I look hard enough?
>
> WDYT?
>
> Announcement of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
>
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

It looks like openssh, at some point in the past, stopped creating host DSA keys by default. Given the original bug report was that DSA keys were created by default and now they're not, I think we can close this bug now.

Any objections?

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
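A small POSIX sh audit helper for the situation in this thread, added here as an example (it is not code from the thread, from Guix or from OpenSSH): it reports ssh-dss entries in authorized_keys or ssh_host_*_key.pub files and checks an `ssh -Q PubkeyAcceptedAlgorithms` list for ssh-dss. File names and key data used with it are constructed.

```shell
#!/bin/sh
# Added example: audit helper for the OpenSSH DSA removal discussed above.
# Finds ssh-dss keys in public-key files and checks an algorithm list.
set -f   # no globbing: key lines are word-split below

# dsa_keys_in_file FILE
# Prints "<file>:<line>: <type>" for each DSA key (plain or certificate)
# in an authorized_keys or ssh_host_*_key.pub file. Returns 0 if any
# were found, 1 otherwise.
dsa_keys_in_file() {
    file=$1 found=1 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # blank or comment
        # authorized_keys may prefix options (e.g. no-pty) to the key,
        # so locate the key-type field instead of assuming it is first.
        ktype=
        for field in $line; do
            case $field in ssh-*|ecdsa-*|sk-*) ktype=$field; break ;; esac
        done
        case $ktype in
            ssh-dss|ssh-dss-cert-v01@openssh.com)
                printf '%s:%d: %s\n' "$file" "$n" "$ktype"
                found=0 ;;
        esac
    done < "$file"
    return $found
}

# algs_include_dsa < LIST
# LIST is one algorithm per line, as printed by
# `ssh -Q PubkeyAcceptedAlgorithms`. Returns 0 if ssh-dss is present.
algs_include_dsa() {
    grep -qx -e 'ssh-dss' -e 'ssh-dss-cert-v01@openssh.com'
}

# Stand-alone use: audit the files named on the command line, then the
# local client binary if one is installed.
for f in "$@"; do
    dsa_keys_in_file "$f" || echo "$f: no DSA keys"
done
if command -v ssh >/dev/null 2>&1 &&
   ssh -Q PubkeyAcceptedAlgorithms 2>/dev/null | algs_include_dsa; then
    echo "client binary still lists ssh-dss (ssh -Q)"
fi
```

Note that `ssh -Q` lists what the binary was built with, not what is enabled by default, which is why the client in the thread lists ssh-dss yet skips the key; `ssh -G host | grep -i pubkeyacceptedalgorithms` shows the effective set for a given host.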