GNU bug report logs - #44887
openssh service creates DSA keys
Reported by: Efraim Flashner <efraim <at> flashner.co.il>
Date: Thu, 26 Nov 2020 15:16:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#44887; Package guix. (Thu, 26 Nov 2020 15:16:02 GMT)
Acknowledgement sent to Efraim Flashner <efraim <at> flashner.co.il>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 26 Nov 2020 15:16:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
In the interest of protecting users we should probably not create DSA
keys by default. That would leave us with RSA, ECDSA and ED25519.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 03 Dec 2020 17:03:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#44887; Package guix. (Tue, 18 Jun 2024 19:30:02 GMT)
Message #10 received at 44887 <at> debbugs.gnu.org (full text, mbox):
Hello,
I've done some digging on that issue. Hope it'll help.
It looks like the clients still support the DSA keys.
This is on a Void linux desktop:
[vince <at> destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01 <at> openssh.com
The following Guix VM has been created 2 days ago, with a very light config
vince <at> guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01 <at> openssh.com
So, I created a DSA PKI key pair, like so:
ssh-keygen -N '' -t dsa -f ssh-key-dsa
Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
then tried to connect to the OpenSSH server on that VM
[vince <at> desktop ~]$ ssh -vi ssh-key-dsa vince <at> 10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince <at> 10.0.0.101: Permission denied (publickey).
So it looks like DSA client keys are not accepted any more by default.
Is there a problem for the server host key ?
vince <at> guix ~$ ls /etc/ssh/
authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub ssh_host_rsa_key
No DSA keys here. Maybe something has been changed and they are not
created any more.
So I'm not sure there is a problem, or am I mistaken ?
Didn't I look hard enough ?
WDYT ?
Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
--
Vincent Legoll
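The two checks Vincent ran by hand above (does the client still advertise ssh-dss, and are there DSA host keys under /etc/ssh) can be turned into a small audit script. The following is an added example for this thread, not code from the bug report or from Guix; it assumes only the standard OpenSSH host-key file names (ssh_host_dsa_key and ssh_host_dsa_key.pub) and the `ssh -Q PubkeyAcceptedAlgorithms` query already shown in the thread. The sample algorithm list at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report): two defender-side checks for the
# questions raised in the thread, written as POSIX sh functions.
#   1. advertises_dss     - does an OpenSSH algorithm list still contain ssh-dss?
#   2. find_dsa_host_keys - does a host-key directory still hold DSA host keys?

# Return 0 when the given algorithm list (one name per line, the format
# `ssh -Q PubkeyAcceptedAlgorithms` prints) contains ssh-dss or its
# certificate variant, 1 otherwise.  Whole-line match, so that
# "ssh-dss-cert-v01@openssh.com" counts but an unrelated name containing
# "dss" as a substring does not.
advertises_dss() {
    printf '%s\n' "$1" | grep -qxE 'ssh-dss(-cert-v01@openssh\.com)?'
}

# Print every DSA host-key file present in DIR (default /etc/ssh).
# Return 1 when at least one is present, 0 when the directory is DSA-free,
# so the function can be used directly in a conditional.
find_dsa_host_keys() {
    dir="${1:-/etc/ssh}"
    found=0
    for f in "$dir/ssh_host_dsa_key" "$dir/ssh_host_dsa_key.pub"; do
        if [ -e "$f" ]; then
            echo "DSA host key present: $f"
            found=1
        fi
    done
    return $found
}

# Run both checks against the local system, skipping the client check when
# no ssh binary is installed.  Prints a verdict for each; always exits 0.
audit_local() {
    if command -v ssh >/dev/null 2>&1; then
        if advertises_dss "$(ssh -Q PubkeyAcceptedAlgorithms 2>/dev/null)"; then
            echo "local ssh client still lists ssh-dss"
        else
            echo "local ssh client does not list ssh-dss"
        fi
    fi
    if find_dsa_host_keys /etc/ssh; then
        echo "no DSA host keys under /etc/ssh"
    fi
}

# Constructed sample (not captured from a real host): an algorithm list that
# still includes DSA, as the Void and Guix clients in the thread did.
SAMPLE_ALGORITHMS='ssh-ed25519
ssh-rsa
rsa-sha2-512
ssh-dss
ssh-dss-cert-v01@openssh.com'

if advertises_dss "$SAMPLE_ALGORITHMS"; then
    echo "sample list advertises ssh-dss"
fi

audit_local
```

Note that `ssh -Q` reports what the client binary is compiled to support, which is the point Vincent's experiment makes: an algorithm can be listed there and still be absent from the effective PubkeyAcceptedAlgorithms default, which is why the DSA identity was skipped. The host-key check is the one that answers the original report.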
Information forwarded to bug-guix <at> gnu.org: bug#44887; Package guix. (Wed, 19 Jun 2024 12:04:01 GMT)
Message #13 received at 44887 <at> debbugs.gnu.org (full text, mbox):
On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
>
> I've done some digging on that issue. Hope it'll help.
>
> It looks like the clients still support the DSA keys.
>
> This is on a Void linux desktop:
>
> [vince <at> destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
>
> The following Guix VM has been created 2 days ago, with a very light config
>
> vince <at> guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
>
> So, I created a DSA PKI key pair, like so:
>
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
>
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
>
> [vince <at> desktop ~]$ ssh -vi ssh-key-dsa vince <at> 10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince <at> 10.0.0.101: Permission denied (publickey).
>
> So it looks like DSA client keys are not accepted any more by default.
>
> Is there a problem for the server host key ?
>
> vince <at> guix ~$ ls /etc/ssh/
> authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
> ssh_host_ecdsa_key ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub ssh_host_rsa_key
>
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
>
> So I'm not sure there is a problem, or am I mistaken ?
> Didn't I look hard enough ?
>
> WDYT ?
>
> Announce of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
>
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
It looks like openssh, at some point in the past <period-of-time>,
stopped creating host DSA keys by default. Given the original bug report
was that DSA keys were created by default and now they're not I think we
can close this bug now.
Any objections?
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Information forwarded to bug-guix <at> gnu.org: bug#44887; Package guix. (Wed, 19 Jun 2024 17:21:01 GMT)
Message #16 received at 44887 <at> debbugs.gnu.org (full text, mbox):
Hello,
> It looks like openssh, at some point in the past <period-of-time>,
> stopped creating host DSA keys by default. Given the original bug report
> was that DSA keys were created by default and now they're not I think we
> can close this bug now.
>
> Any objections?
This is also my opinion
--
Vincent Legoll
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Wed, 19 Jun 2024 20:12:02 GMT)
Notification sent to Efraim Flashner <efraim <at> flashner.co.il>: bug acknowledged by developer. (Wed, 19 Jun 2024 20:12:02 GMT)
Message #21 received at 44887-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Vincent Legoll <vincent.legoll <at> gmail.com> writes:
> Hello,
>
>> It looks like openssh, at some point in the past <period-of-time>,
>> stopped creating host DSA keys by default. Given the original bug report
>> was that DSA keys were created by default and now they're not I think we
>> can close this bug now.
>>
>> Any objections?
>
> This is also my opinion
Super, doing so. This is the best kind of resolution ;-).
--
Thanks,
Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 18 Jul 2024 11:24:11 GMT)
This bug report was last modified 296 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.