GNU bug report logs - #44887
openssh service creates DSA keys

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 44887 in the body.
You can then email your comments to 44887 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: bug-guix <at> gnu.org
Subject: openssh service creates DSA keys
Date: Thu, 26 Nov 2020 17:14:03 +0200

[Message part 1 (text/plain, inline)]

In the interest of protecting users we should probably not create DCA
keys by default. That would leave us with RSA, ECDSA and ED25519.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 44887 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>,
 Ludovic Courtès <ludo <at> gnu.org>, 44887 <at> debbugs.gnu.org
Subject: openssh service creates DSA keys
Date: Tue, 18 Jun 2024 19:28:35 +0000

Hello,

I've done some digging on that issue. Hope it'll help.

It looks like the clients still support the DSA keys.

This is on a Void linux desktop:

[vince <at> destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01 <at> openssh.com

The following Guix VM has been created 2 days ago, with a very light config

vince <at> guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01 <at> openssh.com

So, I created a DSA PKI key pair, like so:

ssh-keygen -N '' -t dsa -f ssh-key-dsa

Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
then tried to connect to the OpenSSH server on that VM

[vince <at> desktop ~]$ ssh -vi ssh-key-dsa vince <at> 10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince <at> 10.0.0.101: Permission denied (publickey).

So it looks like DSA client keys are not accepted any more by default.

Is there a problem for the server host key ?

vince <at> guix ~$ ls /etc/ssh/
authorized_keys.d/      ssh_host_ed25519_key      ssh_host_rsa_key.pub
ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub  ssh_host_rsa_key

No DSA keys here. Maybe something has been changed and they are not
created any more.

So I'm not sure there is a problem, or am I mistaken ?
Didn't I look hard enough ?

WDYT ?

Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html

Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

-- 
Vincent Legoll

Message #13 received at 44887 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 44887 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: openssh service creates DSA keys
Date: Wed, 19 Jun 2024 15:02:04 +0300

[Message part 1 (text/plain, inline)]

On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
> 
> I've done some digging on that issue. Hope it'll help.
> 
> It looks like the clients still support the DSA keys.
> 
> This is on a Void linux desktop:
> 
> [vince <at> destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
> 
> The following Guix VM has been created 2 days ago, with a very light config
> 
> vince <at> guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
> 
> So, I created a DSA PKI key pair, like so:
> 
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
> 
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
> 
> [vince <at> desktop ~]$ ssh -vi ssh-key-dsa vince <at> 10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince <at> 10.0.0.101: Permission denied (publickey).
> 
> So it looks like DSA client keys are not accepted any more by default.
> 
> Is there a problem for the server host key ?
> 
> vince <at> guix ~$ ls /etc/ssh/
> authorized_keys.d/      ssh_host_ed25519_key      ssh_host_rsa_key.pub
> ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub  ssh_host_rsa_key
> 
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
> 
> So I'm not sure there is a problem, or am I mistaken ?
> Didn't I look hard enough ?
> 
> WDYT ?
> 
> Announce of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
> 
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

It looks like openssh, at some point in the past <period-of-time>,
stopped creating host DSA keys by default. Given the original bug report
was that DSA keys were created by default and now they're not I think we
can close this bug now.

Any objections?

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]

Message #16 received at 44887 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>,
 Vincent Legoll <vincent.legoll <at> gmail.com>, 
 Ludovic Courtès <ludo <at> gnu.org>, 44887 <at> debbugs.gnu.org
Subject: Re: openssh service creates DSA keys
Date: Wed, 19 Jun 2024 17:18:42 +0000

Hello,

> It looks like openssh, at some point in the past <period-of-time>,
> stopped creating host DSA keys by default. Given the original bug report
> was that DSA keys were created by default and now they're not I think we
> can close this bug now.
>
> Any objections?

This is also my opinion

-- 
Vincent Legoll

Message #21 received at 44887-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 44887-done <at> debbugs.gnu.org,
 Ludovic Courtès <ludo <at> gnu.org>,
 Efraim Flashner <efraim <at> flashner.co.il>
Subject: Re: bug#44887: openssh service creates DSA keys
Date: Wed, 19 Jun 2024 16:10:39 -0400

Hi,

Vincent Legoll <vincent.legoll <at> gmail.com> writes:

> Hello,
>
>> It looks like openssh, at some point in the past <period-of-time>,
>> stopped creating host DSA keys by default. Given the original bug report
>> was that DSA keys were created by default and now they're not I think we
>> can close this bug now.
>>
>> Any objections?
>
> This is also my opinion

Super, doing so.  This is the best kind of resolution ;-).

-- 
Thanks,
Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.