GNU bug report logs

#44887 openssh service creates DSA keys


Message #10 received at 44887@debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll@gmail.com>
Date: Tue, 18 Jun 2024 19:28:35 +0000
Message-ID: <CAEwRq=rU2wD7ZzcjnTJ0+1DAP6TVE+aytqCKxCbLg0KRjnqn9Q@mail.gmail.com>
Subject: openssh service creates DSA keys
To: Efraim Flashner <efraim@flashner.co.il>,
 Ludovic Courtès <ludo@gnu.org>, 44887@debbugs.gnu.org
Hello,

I've done some digging on that issue. Hope it'll help.

It looks like the clients still support the DSA keys.

This is on a Void Linux desktop:

[vince@destop ~]$ ssh -Q PubkeyAcceptedAlgorithms | grep -i dss
ssh-dss
ssh-dss-cert-v01@openssh.com

The following Guix VM was created 2 days ago, with a very light config:

vince@guix ~$ ssh -Q PubkeyAcceptedAlgorithms | grep -i ssh-dss
ssh-dss
ssh-dss-cert-v01@openssh.com

So, I created a DSA PKI key pair, like so:

ssh-keygen -N '' -t dsa -f ssh-key-dsa

Uploaded the public key to the Guix VM, as ~vince/.ssh/authorized_keys,
then tried to connect to the OpenSSH server on that VM:

[vince@desktop ~]$ ssh -vi ssh-key-dsa vince@10.0.0.101
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/vince/.ssh/config
debug1: /home/vince/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.101 [10.0.0.101] port 22.
debug1: Connection established.
debug1: identity file ssh-key-dsa type 1
[...]
debug1: Skipping ssh-dss key ssh-key-dsa - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.
vince@10.0.0.101: Permission denied (publickey).

So it looks like DSA client keys are not accepted any more by default.

Is there a problem with the server host key?

vince@guix ~$ ls /etc/ssh/
authorized_keys.d/      ssh_host_ed25519_key      ssh_host_rsa_key.pub
ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub  ssh_host_rsa_key

No DSA keys here. Maybe something has been changed and they are not
created any more.

So I'm not sure there is a problem, or am I mistaken?
Didn't I look hard enough?

WDYT?

Announcement of DSA support removal from OpenSSH:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html

Some context about DSA keys:
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

-- 
Vincent Legoll
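
Added example (not part of the message above, and not Guix or OpenSSH code): a POSIX shell audit for the two things checked by hand in the message, DSA public keys left in a key directory and whether ssh-dss is in the effective PubkeyAcceptedAlgorithms list rather than only compiled in. It assumes the `ssh -G` output format of OpenSSH 8.5 or later (a lowercase `pubkeyacceptedalgorithms` line); the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit for leftover DSA keys and for ssh-dss being enabled.

# Print "file:line" for every DSA public key under directory $1, checking
# *.pub host keys and authorized_keys files (options before the key type OK).
find_dsa_keys() {
    find "$1" -type f \( -name '*.pub' -o -name 'authorized_keys*' \) | sort |
    while IFS= read -r f; do
        awk -v f="$f" '
            NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
            {
                for (i = 1; i < NF; i++)
                    if (($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") &&
                        $(i + 1) ~ /^AAAA/) { print f ":" NR; break }
            }' "$f"
    done
}

# Read `ssh -G <host>` output on stdin (assumed OpenSSH >= 8.5 format) and
# succeed only if ssh-dss is in the effective list, not merely compiled in.
dss_enabled() {
    awk '$1 == "pubkeyacceptedalgorithms" {
             n = split($2, a, ",")
             for (i = 1; i <= n; i++) if (a[i] ~ /^ssh-dss/) found = 1
         }
         END { exit !found }'
}

# Constructed sample tree; the key blobs are placeholders, not real keys.
make_sample() {
    d=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER root@guix' > "$d/ssh_host_ed25519_key.pub"
    echo 'ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER root@old' > "$d/ssh_host_dsa_key.pub"
    printf '%s\n' '# old note: ssh-dss AAAA' \
        'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER vince@desktop' \
        'no-pty,command="echo hi" ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER vince@desktop' \
        > "$d/authorized_keys"
    echo "$d"
}

sample=$(make_sample)
find_dsa_keys "$sample"
printf 'pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512\n' | dss_enabled ||
    echo "ssh-dss is not in the effective PubkeyAcceptedAlgorithms"
rm -rf "$sample"
```

On a real system the same functions would be called as `find_dsa_keys /etc/ssh` and `ssh -G <host> | dss_enabled`, where `<host>` is a placeholder.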

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:51:04 2024; Machine Name: wallace-server