GNU bug report logs - #44887
openssh service creates DSA keys

Previous Next

Full log

Message #13 received at 44887 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 44887 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: openssh service creates DSA keys
Date: Wed, 19 Jun 2024 15:02:04 +0300

[Message part 1 (text/plain, inline)]

On Tue, Jun 18, 2024 at 07:28:35PM +0000, Vincent Legoll wrote:
> Hello,
> 
> I've done some digging on that issue. Hope it'll help.
> 
> It looks like the clients still support the DSA keys.
> 
> This is on a Void linux desktop:
> 
> [vince <at> destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
> 
> The following Guix VM has been created 2 days ago, with a very light config
> 
> vince <at> guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
> ssh-dss
> ssh-dss-cert-v01 <at> openssh.com
> 
> So, I created a DSA PKI key pair, like so:
> 
> ssh-keygen -N '' -t dsa -f ssh-key-dsa
> 
> Uploaded the public key to the guix VM, as ~vince/.ssh/authorized_keys
> then tried to connect to the OpenSSH server on that VM
> 
> [vince <at> desktop ~]$ ssh -vi ssh-key-dsa vince <at> 10.0.0.101
> OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
> debug1: Reading configuration data /home/vince/.ssh/config
> debug1: /home/vince/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
> debug1: Connection established.
> debug1: identity file ssh-key-dsa type 1
> [...]
> debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not
> in PubkeyAcceptedAlgorithms
> debug1: No more authentication methods to try.
> vince <at> 10.0.0.101: Permission denied (publickey).
> 
> So it looks like DSA client keys are not accepted any more by default.
> 
> Is there a problem for the server host key ?
> 
> vince <at> guix ~$ ls /etc/ssh/
> authorized_keys.d/      ssh_host_ed25519_key      ssh_host_rsa_key.pub
> ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
> ssh_host_ecdsa_key.pub  ssh_host_rsa_key
> 
> No DSA keys here. Maybe something has been changed and they are not
> created any more.
> 
> So I'm not sure there is a problem, or am I mistaken ?
> Didn't I look hard enough ?
> 
> WDYT ?
> 
> Announce of DSA support removal from OpenSSH:
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
> 
> Some context about DSA keys:
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

It looks like openssh, at some point in the past <period-of-time>,
stopped creating host DSA keys by default. Given the original bug report
was that DSA keys were created by default and now they're not I think we
can close this bug now.

Any objections?

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.