Debian Bug report logs - #481133
openssh-server: Would like to disable DSA entirely

version graph

Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Sam Morris <sam@robots.org.uk>

Date: Tue, 13 May 2008 23:12:04 UTC

Severity: wishlist

Tags: patch, upstream

Merged with 528046

Found in versions openssh/1:4.3p2-9, openssh/1:5.1p1-5

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sam Morris <sam@robots.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: Would like to disable DSA entirely
Date: Wed, 14 May 2008 00:10:08 +0100
Package: openssh-server
Version: 1:4.3p2-9
Severity: wishlist

I'd like to be able to disable the use of DSA for both host and client
authentication.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser               3.107              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.21             Debian configuration management sy
ii  dpkg                  1.14.18            package maintenance system for Deb
ii  libc6                 2.7-10             GNU C Library: Shared libraries
ii  libcomerr2            1.40.8-2           common error description library
ii  libkrb53              1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii  libpam-modules        0.99.7.1-6         Pluggable Authentication Modules f
ii  libpam-runtime        0.99.7.1-6         Runtime support for the PAM librar
ii  libpam0g              0.99.7.1-6         Pluggable Authentication Modules l
ii  libselinux1           2.0.59-1           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-10          SSL shared libraries
ii  libwrap0              7.6.q-15           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-11             Linux Standard Base 3.2 init scrip
ii  openssh-client        1:4.7p1-8          secure shell client, an rlogin/rsh
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  xauth                         1:1.0.3-1  X authentication utility

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 481133@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Sam Morris <sam@robots.org.uk>, 481133@bugs.debian.org
Subject: Re: Bug#481133: openssh-server: Would like to disable DSA entirely
Date: Wed, 14 May 2008 02:24:40 +0100
On Wed, May 14, 2008 at 12:10:08AM +0100, Sam Morris wrote:
> Package: openssh-server
> Version: 1:4.3p2-9
> Severity: wishlist
> 
> I'd like to be able to disable the use of DSA for both host and client
> authentication.

For host keys, you can just remove that host key from sshd_config. It's
true that there's (as far as I know) no way to do this for user keys yet
though.

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to "Matthew W. S. Bell" <matthew@bells23.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 481133@bugs.debian.org (full text, mbox):

From: "Matthew W. S. Bell" <matthew@bells23.org.uk>
To: 481133@bugs.debian.org
Subject: Disable DSA host key by default
Date: Thu, 15 May 2008 04:44:41 +0100
Further to fully disabling DSA keys, would it be wise to disable the use
and generation of DSA host keys by default?

Matthew W. S. Bell





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to Francesco Poli <frx@firenze.linux.it>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 481133@bugs.debian.org (full text, mbox):

From: Francesco Poli <frx@firenze.linux.it>
To: 481133@bugs.debian.org
Cc: Sam Morris <sam@robots.org.uk>
Subject: Re: Bug#481133: openssh-server: Would like to disable DSA entirely
Date: Sun, 18 May 2008 19:14:41 +0200
[Message part 1 (text/plain, inline)]
On Wed, 14 May 2008 02:24:40 +0100 Colin Watson wrote:

> On Wed, May 14, 2008 at 12:10:08AM +0100, Sam Morris wrote:
> > Package: openssh-server
> > Version: 1:4.3p2-9
> > Severity: wishlist
> > 
> > I'd like to be able to disable the use of DSA for both host and client
> > authentication.

I agree with this wishlist bug.
There should be a way to disable DSA-public-key-based authentication
entirely (since DSA keys can be compromised by just being *used* on a
system with a broken PRNG in SSL, as explained in the recent
DSA-1571-1).

> 
> For host keys, you can just remove that host key from sshd_config.

I've just done so; I commented out the following line
in /etc/ssh/sshd_config on my boxes:

  #HostKey /etc/ssh/ssh_host_dsa_key

But, even after restarting ssh, users may still log in with their DSA
keys (as long as those keys are listed in their ~/.ssh/authorized_keys,
obviously).

I checked this by myself.
On a client box C, I have ~/.ssh/id_dsa.pub and ~/.ssh/id_dsa
On a server box S, I have the above id_dsa.pub inside
~/.ssh/authorized_keys
On S, /etc/ssh/sshd_config only has

  HostKey /etc/ssh/ssh_host_rsa_key

and no reference to the DSA host key.

Nonetheless, if I try to log in from C to S with my non-root user, I
can successfully authenticate and enter.  S uses its RSA host key, but
my user on C uses my DSA key and logs in happily...

> It's
> true that there's (as far as I know) no way to do this for user keys yet
> though.

I think there should be a way to configure the OpenSSH server so that it
refuses DSA-public-key-based authentication, just like there's a way to
disable password-based authentication.

Configuring the client is no solution, since non-root users are always
allowed to override system-wide OpenSSH client configuration (and there
are good reasons for allowing this) and since you cannot be sure about
client box configuration whenever you do not administer it.


-- 
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #25 received at 481133@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Francesco Poli <frx@firenze.linux.it>, 481133@bugs.debian.org
Cc: Sam Morris <sam@robots.org.uk>
Subject: Re: Bug#481133: openssh-server: Would like to disable DSA entirely
Date: Sun, 18 May 2008 22:14:58 +0100
On Sun, May 18, 2008 at 07:14:41PM +0200, Francesco Poli wrote:
> On Wed, 14 May 2008 02:24:40 +0100 Colin Watson wrote:
> > On Wed, May 14, 2008 at 12:10:08AM +0100, Sam Morris wrote:
> > > Package: openssh-server
> > > Version: 1:4.3p2-9
> > > Severity: wishlist
> > > 
> > > I'd like to be able to disable the use of DSA for both host and client
> > > authentication.
> 
> I agree with this wishlist bug.

I meant my previous mail to be an acknowledgement that this should be
done. I'm sorry that this wasn't very clear. No need for further
exhortations ...

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#481133; Package openssh-server. Full text and rfc822 format available.

Acknowledgement sent to Francesco Poli <frx@firenze.linux.it>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. Full text and rfc822 format available.

Message #30 received at 481133@bugs.debian.org (full text, mbox):

From: Francesco Poli <frx@firenze.linux.it>
To: 481133@bugs.debian.org
Cc: Sam Morris <sam@robots.org.uk>
Subject: Re: Bug#481133: openssh-server: Would like to disable DSA entirely
Date: Sun, 18 May 2008 23:50:43 +0200
[Message part 1 (text/plain, inline)]
On Sun, 18 May 2008 22:14:58 +0100 Colin Watson wrote:

> On Sun, May 18, 2008 at 07:14:41PM +0200, Francesco Poli wrote:
[...]
> > I agree with this wishlist bug.
> 
> I meant my previous mail to be an acknowledgement that this should be
> done. I'm sorry that this wasn't very clear.

It was less than crystal clear, but not really obscure anyway...  ;-)

> No need for further exhortations ...

My comment was more intended to clarify my humble opinion on the
subject, than to exhort anyone.
Obviously, it would still be great if this feature were implemented
soon!  :-)


P.S.: Thanks a lot to Debian OpenSSH Maintainers for maintaining such a
crucial package!

-- 
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
[Message part 2 (application/pgp-signature, inline)]

Merged 481133 528046. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 04 Jan 2010 12:03:37 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:03:59 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.