* bug#44887: openssh service creates DSA keys
@ 2020-11-26 15:14 Efraim Flashner
2024-06-18 19:28 ` Vincent Legoll
0 siblings, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2020-11-26 15:14 UTC (permalink / raw)
To: 44887
[-- Attachment #1: Type: text/plain, Size: 351 bytes --]
In the interest of protecting users we should probably not create DCA
keys by default. That would leave us with RSA, ECDSA and ED25519.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#44887: openssh service creates DSA keys
2020-11-26 15:14 bug#44887: openssh service creates DSA keys Efraim Flashner
@ 2024-06-18 19:28 ` Vincent Legoll
2024-06-19 12:02 ` Efraim Flashner
0 siblings, 1 reply; 5+ messages in thread
From: Vincent Legoll @ 2024-06-18 19:28 UTC (permalink / raw)
To: Efraim Flashner, Ludovic Courtès, 44887
Hello,
I've done some digging on that issue. Hope it'll help.
It looks like the clients still support the DSA keys.
This is on a Void linux desktop:
[vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01@openssh.com
The following Guix VM has been created 2 days ago, with a very light config
vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01@openssh.com
So, I created a DSA PKI key pair, like so:
ssh-keygen -N '' -t dsa -f ssh-key-dsa
Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
then tried to connect to the OpenSSH server on that VM
[vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince@10.0.0.101: Permission denied (publickey).
So it looks like DSA client keys are not accepted any more by default.
Is there a problem for the server host key ?
vince@guix ~$ ls /etc/ssh/
authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub ssh_host_rsa_key
No DSA keys here. Maybe something has been changed and they are not
created any more.
So I'm not sure there is a problem, or am I mistaken ?
Didn't I look hard enough ?
WDYT ?
Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
--
Vincent Legoll
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#44887: openssh service creates DSA keys
2024-06-18 19:28 ` Vincent Legoll
@ 2024-06-19 12:02 ` Efraim Flashner
2024-06-19 17:18 ` Vincent Legoll
0 siblings, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2024-06-19 12:02 UTC (permalink / raw)
To: Vincent Legoll; +Cc: 44887, Ludovic Courtès
[-- Attachment #1: Type: text/plain, Size: 2695 bytes --]
On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
>
> I've done some digging on that issue. Hope it'll help.
>
> It looks like the clients still support the DSA keys.
>
> This is on a Void linux desktop:
>
> [vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> The following Guix VM has been created 2 days ago, with a very light config
>
> vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> So, I created a DSA PKI key pair, like so:
>
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
>
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
>
> [vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince@10.0.0.101: Permission denied (publickey).
>
> So it looks like DSA client keys are not accepted any more by default.
>
> Is there a problem for the server host key ?
>
> vince@guix ~$ ls /etc/ssh/
> authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
> ssh_host_ecdsa_key ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub ssh_host_rsa_key
>
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
>
> So I'm not sure there is a problem, or am I mistaken ?
> Didn't I look hard enough ?
>
> WDYT ?
>
> Announce of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
>
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
It looks like openssh, at some point in the past <period-of-time>,
stopped creating host DSA keys by default. Given the original bug report
was that DSA keys were created by default and now they're not I think we
can close this bug now.
Any objections?
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#44887: openssh service creates DSA keys
2024-06-19 12:02 ` Efraim Flashner
@ 2024-06-19 17:18 ` Vincent Legoll
2024-06-19 20:10 ` Maxim Cournoyer
0 siblings, 1 reply; 5+ messages in thread
From: Vincent Legoll @ 2024-06-19 17:18 UTC (permalink / raw)
To: Efraim Flashner, Vincent Legoll, Ludovic Courtès, 44887
Hello,
> It looks like openssh, at some point in the past <period-of-time>,
> stopped creating host DSA keys by default. Given the original bug report
> was that DSA keys were created by default and now they're not I think we
> can close this bug now.
>
> Any objections?
This is also my opinion
--
Vincent Legoll
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#44887: openssh service creates DSA keys
2024-06-19 17:18 ` Vincent Legoll
@ 2024-06-19 20:10 ` Maxim Cournoyer
0 siblings, 0 replies; 5+ messages in thread
From: Maxim Cournoyer @ 2024-06-19 20:10 UTC (permalink / raw)
To: Vincent Legoll; +Cc: 44887-done, Ludovic Courtès, Efraim Flashner
Hi,
Vincent Legoll <vincent.legoll@gmail.com> writes:
> Hello,
>
>> It looks like openssh, at some point in the past <period-of-time>,
>> stopped creating host DSA keys by default. Given the original bug report
>> was that DSA keys were created by default and now they're not I think we
>> can close this bug now.
>>
>> Any objections?
>
> This is also my opinion
Super, doing so. This is the best kind of resolution ;-).
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-06-19 20:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-11-26 15:14 bug#44887: openssh service creates DSA keys Efraim Flashner
2024-06-18 19:28 ` Vincent Legoll
2024-06-19 12:02 ` Efraim Flashner
2024-06-19 17:18 ` Vincent Legoll
2024-06-19 20:10 ` Maxim Cournoyer
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.