openssh service creates DSA keys

Details
4 participants
  • Efraim Flashner
  • Ludovic Courtès
  • Maxim Cournoyer
  • Vincent Legoll
Owner
unassigned
Submitted by
Efraim Flashner
Severity
normal
Efraim Flashner wrote on 26 Nov 2020 16:14
(address . bug-guix@gnu.org)
X7/GO+ALqt1y1ji6@E5400
In the interest of protecting users we should probably not create DSA
keys by default. That would leave us with RSA, ECDSA and ED25519.

--
Efraim Flashner <efraim@flashner.co.il> ????? ?????
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Ludovic Courtès wrote on 3 Dec 2020 18:02
control message for bug #44887
(address . control@debbugs.gnu.org)
87ft4mddri.fsf@gnu.org
tags 44887 + security
quit
Vincent Legoll wrote on 18 Jun 21:28 +0200
openssh service creates DSA keys
CAEwRq=rU2wD7ZzcjnTJ0+1DAP6TVE+aytqCKxCbLg0KRjnqn9Q@mail.gmail.com
Hello,

I've done some digging on that issue. Hope it'll help.

It looks like the clients still support the DSA keys.

This is on a Void linux desktop:

[vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01@openssh.com

The following Guix VM was created 2 days ago, with a very light config

vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01@openssh.com

So, I created a DSA PKI key pair, like so:

ssh-keygen -N '' -t dsa -f ssh-key-dsa

Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
then tried to connect to the OpenSSH server on that VM

[vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince@10.0.0.101: Permission denied (publickey).

So it looks like DSA client keys are not accepted any more by default.

Is there a problem for the server host key ?

vince@guix ~$ ls /etc/ssh/
authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub ssh_host_rsa_key

No DSA keys here. Maybe something has been changed and they are not
created any more.

So I'm not sure there is a problem, or am I mistaken ?
Didn't I look hard enough ?

WDYT ?

Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html

Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
--
Vincent Legoll
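The checks above look at what the client accepts and which host keys exist on disk. A complementary audit is to scan key files themselves (host `.pub` files, `authorized_keys`) for DSA entries, so that a deployment can be verified before the server is upgraded to a release that refuses `ssh-dss`. The script below is an added example and is not part of this thread or of Guix; it reads the algorithm name both from the declared first field and from inside the base64 blob (an SSH wire-format string: 4-byte length, then the name), so a mislabelled entry is caught too. The sample key lines are constructed for the demo and contain no real key material.

```python
import base64
import struct
from typing import List, Optional, Tuple

# Algorithm names OpenSSH has removed by default; the -cert variant is the
# certificate form of the same key type.
DEPRECATED_KEY_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}

# Public key algorithm names that may appear as the first text field of a key line.
KNOWN_KEY_TYPES = {
    "ssh-dss", "ssh-dss-cert-v01@openssh.com",
    "ssh-rsa", "ssh-rsa-cert-v01@openssh.com",
    "ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def embedded_key_type(blob_b64: str) -> Optional[str]:
    """Return the algorithm name stored inside the base64 key blob.

    The blob begins with an SSH 'string': a 4-byte big-endian length
    followed by the algorithm name.  Returns None if the blob is malformed.
    """
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or len(raw) < 4 + n:
        return None
    try:
        return raw[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_key_line(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Parse one authorized_keys / .pub line into (declared, embedded, comment).

    Returns None for blank lines, comments and lines without a key field.
    authorized_keys lines may carry a leading options field (e.g.
    no-pty,command="..."), so the first token that is a known key type is
    taken as the declared algorithm and the next token as the blob.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KNOWN_KEY_TYPES and i + 1 < len(tokens):
            declared = tok
            embedded = embedded_key_type(tokens[i + 1])
            comment = " ".join(tokens[i + 2:])
            return declared, embedded, comment
    return None


def find_dsa_keys(lines: List[str]) -> List[Tuple[int, str, Optional[str], str]]:
    """Return (line_number, declared, embedded, comment) for every entry whose
    declared or embedded algorithm is a deprecated DSA type."""
    hits = []
    for num, line in enumerate(lines, start=1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        declared, embedded, comment = parsed
        if declared in DEPRECATED_KEY_TYPES or embedded in DEPRECATED_KEY_TYPES:
            hits.append((num, declared, embedded, comment))
    return hits


def _blob(name: str) -> str:
    """Constructed blob for the sample data: the algorithm name string plus one
    dummy field.  Not a valid key, only enough structure for the type check."""
    payload = struct.pack(">I", len(name)) + name.encode() + struct.pack(">I", 1) + b"\x00"
    return base64.b64encode(payload).decode()


# Constructed sample authorized_keys content (hypothetical, no real keys).
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_blob('ssh-ed25519')} vince@desktop",
    f"ssh-dss {_blob('ssh-dss')} old-laptop",
    f'no-pty,command="/usr/bin/backup" ssh-rsa {_blob("ssh-rsa")} backup',
    f"ssh-rsa {_blob('ssh-dss')} mislabelled",
]

if __name__ == "__main__":
    for num, declared, embedded, comment in find_dsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {num}: declared={declared} embedded={embedded} comment={comment!r}")
```

Running it reports lines 3 and 5 of the sample: the plainly declared `ssh-dss` key and the entry labelled `ssh-rsa` whose blob actually carries `ssh-dss`. To audit a real host, feed it the lines of each `/etc/ssh/ssh_host_*_key.pub` and every user's `authorized_keys`; any hit will stop working once the server runs an OpenSSH release that has dropped DSA.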
Efraim Flashner wrote on 19 Jun 14:02 +0200
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
ZnLIvD7i4_SGsjB7@3900XT
On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
>
> I've done some digging on that issue. Hope it'll help.
>
> It looks like the clients still support the DSA keys.
>
> This is on a Void linux desktop:
>
> [vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> The following Guix VM was created 2 days ago, with a very light config
>
> vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01@openssh.com
>
> So, I created a DSA PKI key pair, like so:
>
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
>
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
>
> [vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince@10.0.0.101: Permission denied (publickey).
>
> So it looks like DSA client keys are not accepted any more by default.
>
> Is there a problem for the server host key ?
>
> vince@guix ~$ ls /etc/ssh/
> authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
> ssh_host_ecdsa_key ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub ssh_host_rsa_key
>
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
>
> So I'm not sure there is a problem, or am I mistaken ?
> Didn't I look hard enough ?
>
> WDYT ?
>
> Announce of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
>
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

It looks like openssh, at some point in the past <period-of-time>,
stopped creating host DSA keys by default. Given the original bug report
was that DSA keys were created by default and now they're not I think we
can close this bug now.

Any objections?

--
Efraim Flashner <efraim@flashner.co.il> ????? ?????
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Vincent Legoll wrote on 19 Jun 19:18 +0200
CAEwRq=oUJNs1g+LqnysLz8C4qq0b8z+Z8ANyY011pbZxvyF-_A@mail.gmail.com
Hello,

> It looks like openssh, at some point in the past <period-of-time>,
> stopped creating host DSA keys by default. Given the original bug report
> was that DSA keys were created by default and now they're not I think we
> can close this bug now.
>
> Any objections?

This is also my opinion

--
Vincent Legoll
Maxim Cournoyer wrote on 19 Jun 22:10 +0200
Re: bug#44887: openssh service creates DSA keys
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
878qz0d77k.fsf@gmail.com
Hi,

Vincent Legoll <vincent.legoll@gmail.com> writes:

> Hello,
>
>> It looks like openssh, at some point in the past <period-of-time>,
>> stopped creating host DSA keys by default. Given the original bug report
>> was that DSA keys were created by default and now they're not I think we
>> can close this bug now.
>>
>> Any objections?
>
> This is also my opinion

Super, doing so. This is the best kind of resolution ;-).

--
Thanks,
Maxim
Closed