* [PATCH] openssh: drop sshd support for DSA host keys
@ 2018-05-25 22:07 Andre McCurdy
2018-06-04 19:18 ` Andre McCurdy
From: Andre McCurdy @ 2018-05-25 22:07 UTC (permalink / raw)
To: openembedded-core
DSA keys have been deprecated for some time:
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
3 files changed, 10 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 5463b1a..be2e2ec 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -60,9 +60,6 @@ done
HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
@@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
echo " generating ssh ECDSA key..."
generate_key $HOST_KEY_ECDSA ecdsa
fi
-if [ ! -f $HOST_KEY_DSA ]; then
- echo " generating ssh DSA key..."
- generate_key $HOST_KEY_DSA dsa
-fi
if [ ! -f $HOST_KEY_ED25519 ]; then
echo " generating ssh ED25519 key..."
generate_key $HOST_KEY_ED25519 ed25519
fi
-
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 31fe5d9..b7c3ccd 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -22,7 +22,6 @@ Protocol 2
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
index e11e8d7..a527a7c 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
@@ -110,7 +110,6 @@ do_install_append () {
install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
--
1.9.1
* Re: [PATCH] openssh: drop sshd support for DSA host keys
2018-05-25 22:07 [PATCH] openssh: drop sshd support for DSA host keys Andre McCurdy
@ 2018-06-04 19:18 ` Andre McCurdy
2018-06-04 22:25 ` Mark Hatle
From: Andre McCurdy @ 2018-06-04 19:18 UTC (permalink / raw)
To: OE Core mailing list
On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
> DSA keys have been deprecated for some time:
>
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
Ping.
Any issues with this?
> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
> ---
> meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
> meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
> meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
> 3 files changed, 10 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
> index 5463b1a..be2e2ec 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
> @@ -60,9 +60,6 @@ done
> HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
> HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
> echo " generating ssh ECDSA key..."
> generate_key $HOST_KEY_ECDSA ecdsa
> fi
> -if [ ! -f $HOST_KEY_DSA ]; then
> - echo " generating ssh DSA key..."
> - generate_key $HOST_KEY_DSA dsa
> -fi
> if [ ! -f $HOST_KEY_ED25519 ]; then
> echo " generating ssh ED25519 key..."
> generate_key $HOST_KEY_ED25519 ed25519
> fi
> -
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> index 31fe5d9..b7c3ccd 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> @@ -22,7 +22,6 @@ Protocol 2
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> -#HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
> index e11e8d7..a527a7c 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
> @@ -110,7 +110,6 @@ do_install_append () {
> install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>
> --
> 1.9.1
>
* Re: [PATCH] openssh: drop sshd support for DSA host keys
2018-06-04 19:18 ` Andre McCurdy
@ 2018-06-04 22:25 ` Mark Hatle
2018-06-04 23:22 ` Andre McCurdy
From: Mark Hatle @ 2018-06-04 22:25 UTC (permalink / raw)
To: Andre McCurdy, OE Core mailing list
On 6/4/18 2:18 PM, Andre McCurdy wrote:
> On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
>> DSA keys have been deprecated for some time:
>>
>> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> Ping.
>
> Any issues with this?
At Wind River we have a series of patches to disable weak-ciphers. We had
globally disabled them a while back and found that a number of applications and
customers still were using them for various things.
Even though they were 'weak', they were still needed.
See:
https://github.com/WindRiver-OpenSourceLabs/wrlinux/tree/master-wr/wrlinux-distro/recipes-weak-ciphers
If this work is something that should be submitted to oe-core/meta-openembedded
and would be a candidate for merging, I'm all for it.
My suggestion though would be to reverse the checks we have: instead of a
distro feature of 'openssl-no-weak-ciphers', make it 'allow-weak-ciphers', and
disable them by default.
A few things like Kerberos, freeradius and others require weak ciphers for some
functions. So the corresponding patches for those would need to be developed.
If this is something we want to do, then the OpenSSH change below could be
switched into a PACKAGECONFIG option, and still allow people to define an
insecure system -- if they need to...
--Mark
>> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>> ---
>> meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
>> meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
>> meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
>> 3 files changed, 10 deletions(-)
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> index 5463b1a..be2e2ec 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> @@ -60,9 +60,6 @@ done
>> HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
>> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
>> HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
>> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
>> echo " generating ssh ECDSA key..."
>> generate_key $HOST_KEY_ECDSA ecdsa
>> fi
>> -if [ ! -f $HOST_KEY_DSA ]; then
>> - echo " generating ssh DSA key..."
>> - generate_key $HOST_KEY_DSA dsa
>> -fi
>> if [ ! -f $HOST_KEY_ED25519 ]; then
>> echo " generating ssh ED25519 key..."
>> generate_key $HOST_KEY_ED25519 ed25519
>> fi
>> -
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> index 31fe5d9..b7c3ccd 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> @@ -22,7 +22,6 @@ Protocol 2
>> #HostKey /etc/ssh/ssh_host_key
>> # HostKeys for protocol version 2
>> #HostKey /etc/ssh/ssh_host_rsa_key
>> -#HostKey /etc/ssh/ssh_host_dsa_key
>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> index e11e8d7..a527a7c 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> @@ -110,7 +110,6 @@ do_install_append () {
>> install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
>> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>
>> --
>> 1.9.1
>>
* Re: [PATCH] openssh: drop sshd support for DSA host keys
2018-06-04 22:25 ` Mark Hatle
@ 2018-06-04 23:22 ` Andre McCurdy
From: Andre McCurdy @ 2018-06-04 23:22 UTC (permalink / raw)
To: Mark Hatle; +Cc: OE Core mailing list
On Mon, Jun 4, 2018 at 3:25 PM, Mark Hatle <mark.hatle@windriver.com> wrote:
> On 6/4/18 2:18 PM, Andre McCurdy wrote:
>> On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
>>> DSA keys have been deprecated for some time:
>>>
>>> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>>
>> Ping.
>>
>> Any issues with this?
>
> At Wind River we have a series of patches to disable weak-ciphers. We had
> globally disabled them a while back and found that a number of applications and
> customers still were using them for various things.
>
> Even though they were 'weak', they were still needed.
>
> See:
>
> https://github.com/WindRiver-OpenSourceLabs/wrlinux/tree/master-wr/wrlinux-distro/recipes-weak-ciphers
Disabling weak ciphers in openssl and then fixing the fallout in
*everything* that links with openssl is quite a different and more
ambitious undertaking.
For ssh host key formats, the only requirement is that host and client
agree on at least one common format. RSA is the most common and well
established so as long as we don't disable that, disabling support for
less common or less secure formats is unlikely to cause any issues.
Currently for the dropbear ssh server we ONLY enable RSA host keys and
that seems to be working out fine.
Having our openssh server drop support for DSA host keys seems like
the right thing to do given potential security concerns and the fact
that modern ssh clients (e.g. openssh after 7.0p1 from 2015) don't
support them any more.
> If this work is something that should be submitted to oe-core/meta-openembedded
> and would be a candidate for merging, I'm all for it.
>
> My suggestion though would be to reverse the checks we have.. instead of a
> distro feature of 'openssl-no-weak-ciphers', make it 'allow-weak-ciphers', and
> disable them by default.
>
> A few things like Kerberos, freeradius and others require weak ciphers for some
> functions. So the corresponding patches for those would need to be developed.
>
> If this is something we want to do, then the OpenSSH change below could be
> switched into a PACKAGECONFIG option, and still allow people to define an
> insecure system -- if they need to...
>
> --Mark
>
>>> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>>> ---
>>> meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
>>> meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
>>> meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
>>> 3 files changed, 10 deletions(-)
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> index 5463b1a..be2e2ec 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> @@ -60,9 +60,6 @@ done
>>> HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
>>> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
>>> HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
>>> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
>>> echo " generating ssh ECDSA key..."
>>> generate_key $HOST_KEY_ECDSA ecdsa
>>> fi
>>> -if [ ! -f $HOST_KEY_DSA ]; then
>>> - echo " generating ssh DSA key..."
>>> - generate_key $HOST_KEY_DSA dsa
>>> -fi
>>> if [ ! -f $HOST_KEY_ED25519 ]; then
>>> echo " generating ssh ED25519 key..."
>>> generate_key $HOST_KEY_ED25519 ed25519
>>> fi
>>> -
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> index 31fe5d9..b7c3ccd 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> @@ -22,7 +22,6 @@ Protocol 2
>>> #HostKey /etc/ssh/ssh_host_key
>>> # HostKeys for protocol version 2
>>> #HostKey /etc/ssh/ssh_host_rsa_key
>>> -#HostKey /etc/ssh/ssh_host_dsa_key
>>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> index e11e8d7..a527a7c 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> @@ -110,7 +110,6 @@ do_install_append () {
>>> install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>>
>>> --
>>> 1.9.1
>>>
>