GNU bug report logs - #44887
openssh service creates DSA keys
Reported by: Efraim Flashner <efraim <at> flashner.co.il>
Date: Thu, 26 Nov 2020 15:16:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Hello,
I've done some digging on that issue. Hope it'll help.
It looks like the clients still support the DSA keys.
This is on a Void linux desktop:
[vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01@openssh.com
The following Guix VM was created 2 days ago, with a very light config:
vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01@openssh.com
So, I created a DSA PKI key pair, like so:
ssh-keygen -N '' -t dsa -f ssh-key-dsa
Uploaded the public key to the guix VM as ~vince/.ssh/authorized_keys,
then tried to connect to the OpenSSH server on that VM:
[vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince@10.0.0.101: Permission denied (publickey).
So it looks like DSA client keys are not accepted any more by default.
Is there a problem for the server host key?
vince@guix ~$ ls /etc/ssh/
authorized_keys.d/ ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub ssh_host_rsa_key
No DSA keys here. Maybe something has been changed and they are not created any more.
So I'm not sure there is a problem, or am I mistaken?
Didn't I look hard enough?
WDYT?
Announce of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
--
Vincent Legoll
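As an added example that is not part of this bug report, here is a small POSIX shell audit of the two things Vincent checked by hand: whether a DSA host key (OpenSSH's default name is ssh_host_dsa_key) exists in an /etc/ssh-style directory, and whether any authorized_keys entries are ssh-dss. It runs against a constructed sample directory; the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a host for lingering DSA
# SSH material. Checks an /etc/ssh-style directory for a DSA host key and
# an authorized_keys file for ssh-dss entries. All input is constructed below.

# Print the key-type token of every active authorized_keys line. Comments and
# blank lines are skipped, as is a leading options field such as
# 'no-pty,from="10.0.0.0/8"': the first token that looks like a key type wins.
authorized_key_types() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i; break } }
    ' "$1"
}

# Number of DSA entries (ssh-dss and its ssh-dss-cert-v01@openssh.com variant).
count_dsa_authorized_keys() {
    authorized_key_types "$1" | awk '/^ssh-dss/ { n++ } END { print n + 0 }'
}

# 1 if the directory holds a DSA host private key, else 0.
count_dsa_host_keys() {
    n=0
    [ -f "$1/ssh_host_dsa_key" ] && n=1
    echo "$n"
}

# Build a throwaway directory with constructed, non-functional key material.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/ssh_host_ed25519_key"
    : > "$d/ssh_host_dsa_key"            # the lingering key we want to flag
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample; the blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE vince@desktop
ssh-dss AAAAB3NzaC1kc3MAAACBAFAKE vince@laptop
no-pty,from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3MAAACBAFAKE backup@old-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKE vince@guix
EOF
    echo "$d"
}

sample=$(make_sample_dir)
echo "DSA host keys: $(count_dsa_host_keys "$sample")"
echo "DSA authorized keys: $(count_dsa_authorized_keys "$sample/authorized_keys")"
rm -rf "$sample"
```

Point the two count functions at /etc/ssh and a real authorized_keys file to audit a host; a non-zero result means DSA material is still present even though current clients will not use it.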
This bug report was last modified 1 year and 28 days ago.