From: Mark Hatle <mark.hatle@windriver.com>
To: Andre McCurdy <armccurdy@gmail.com>,
OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] openssh: drop sshd support for DSA host keys
Date: Mon, 4 Jun 2018 17:25:21 -0500
Message-ID: <42d1ff74-c9d2-de23-a92d-dfa0eee736af@windriver.com>
In-Reply-To: <CAJ86T=VFe=vuPfudEY_hUV3MMz34vOak7stiTHR33nTmya68Cg@mail.gmail.com>
On 6/4/18 2:18 PM, Andre McCurdy wrote:
> On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
>> DSA keys have been deprecated for some time:
>>
>> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> Ping.
>
> Any issues with this?
At Wind River we have a series of patches to disable weak-ciphers. We had
globally disabled them a while back and found that a number of applications and
customers still were using them for various things.
Even though they were 'weak', they were still needed.
See:
https://github.com/WindRiver-OpenSourceLabs/wrlinux/tree/master-wr/wrlinux-distro/recipes-weak-ciphers
If this work is something that should be submitted to oe-core/meta-openembedded
and would be a candidate for merging, I'm all for it.
My suggestion though would be to reverse the checks we have: instead of a
distro feature of 'openssl-no-weak-ciphers', make it 'allow-weak-ciphers', and
disable them by default.
A few things like Kerberos, freeradius and others require weak ciphers for some
functions. So the corresponding patches for those would need to be developed.
If this is something we want to do, then the OpenSSH change below could be
switched into a PACKAGECONFIG option, and still allow people to define an
insecure system -- if they need to...
--Mark
>> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>> ---
>> meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
>> meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
>> meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
>> 3 files changed, 10 deletions(-)
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> index 5463b1a..be2e2ec 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> @@ -60,9 +60,6 @@ done
>> HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
>> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
>> HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
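Review bot: once the three HOST_KEY_DSA lines are gone, this script silently ignores any `HostKey .../ssh_host_dsa_key` entry that a user-edited sshd_config still carries, so the key is never generated and sshd logs a load error for the missing file at startup; the commit message should say that an existing DSA HostKey line has to be removed from sshd_config (or images with one regenerated) rather than only citing the Gentoo news item. While here, the second-chance `grep HostKey "${sshd_config}"` (without `^`) on the remaining RSA and ECDSA lines also matches commented-out `#HostKey` entries; that is pre-existing, but worth a follow-up.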
>> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
>> echo " generating ssh ECDSA key..."
>> generate_key $HOST_KEY_ECDSA ecdsa
>> fi
>> -if [ ! -f $HOST_KEY_DSA ]; then
>> - echo " generating ssh DSA key..."
>> - generate_key $HOST_KEY_DSA dsa
>> -fi
>> if [ ! -f $HOST_KEY_ED25519 ]; then
>> echo " generating ssh ED25519 key..."
>> generate_key $HOST_KEY_ED25519 ed25519
>> fi
>> -
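Review bot: the final `-` line in this hunk deletes a trailing blank line at the end of sshd_check_keys, an unrelated whitespace cleanup; either mention it in the commit message or leave it out so the diff stays a pure DSA removal. The removal of the `generate_key $HOST_KEY_DSA dsa` block itself matches the variable removal in the earlier hunk, so nothing in the script still references HOST_KEY_DSA.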
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> index 31fe5d9..b7c3ccd 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> @@ -22,7 +22,6 @@ Protocol 2
>> #HostKey /etc/ssh/ssh_host_key
>> # HostKeys for protocol version 2
>> #HostKey /etc/ssh/ssh_host_rsa_key
>> -#HostKey /etc/ssh/ssh_host_dsa_key
>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>
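Review bot: the `#HostKey /etc/ssh/ssh_host_key` line and the `# HostKeys for protocol version 2` comment just above the deleted line are leftovers from SSH protocol 1, which the sshd in the 7.6 release no longer supports, as is the `Protocol 2` line in the hunk header; since this hunk is already pruning a stale HostKey entry, consider dropping those in a follow-up patch so the shipped sshd_config stops suggesting a protocol 1 key exists.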
>> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> index e11e8d7..a527a7c 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> @@ -110,7 +110,6 @@ do_install_append () {
>> install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
>> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>
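Review bot: the subject `drop sshd support for DSA host keys` overstates what this hunk and the others do; nothing here changes how sshd is built, so a DSA host key is still loadable if an administrator adds a `HostKey` line by hand. The change stops generating the key and stops listing it in sshd_config_readonly, so a subject such as "stop generating DSA host keys" would be more accurate. The `sed -i '/HostKey/d'` above the echoes already strips every HostKey line from the read-only copy, so removing this single echo is sufficient for that file.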
>> --
>> 1.9.1
>>
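The opt-in gating Mark sketches above (a distro feature that defaults to off, surfaced as a PACKAGECONFIG option on the OpenSSH recipe) can be written as a bbappend. The fragment below is an added illustration, not code from the patch, from Wind River's layer or from oe-core; the distro feature name `allow-weak-ciphers` and the flag name `dsa-hostkey` are assumed for the example, and it only covers the read-only config file touched by the last hunk, not regeneration of the key itself.

```bitbake
# Added example (not from the patch or oe-core): openssh_%.bbappend that lists
# a DSA host key only when the distro explicitly opts in.
# 'allow-weak-ciphers' (DISTRO_FEATURES) and 'dsa-hostkey' (PACKAGECONFIG)
# are names assumed here for illustration.

# Derive the PACKAGECONFIG flag from DISTRO_FEATURES; when the feature is
# absent the flag is simply not set, so the default is the secure one.
PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'allow-weak-ciphers', 'dsa-hostkey', '', d)}"

# Recipe-side switch only: no configure arguments, no extra dependencies.
PACKAGECONFIG[dsa-hostkey] = ",,"

do_install_append () {
    # Runs after the recipe's own do_install_append, so the RSA/ECDSA/ED25519
    # HostKey lines are already present in the read-only config.
    if ${@bb.utils.contains('PACKAGECONFIG', 'dsa-hostkey', 'true', 'false', d)}; then
        # Opt-in only. sshd_check_keys no longer creates this key, so the
        # administrator has to provide it (e.g. ssh-keygen -t dsa) or sshd
        # will log a load error for the missing file.
        echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
    fi
}
```

A distro that genuinely needs the legacy key would then add `DISTRO_FEATURES_append = " allow-weak-ciphers"` in its distro configuration; every other build gets the DSA-free configuration from the patch without any per-recipe change.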
Thread overview: 4+ messages
2018-05-25 22:07 [PATCH] openssh: drop sshd support for DSA host keys Andre McCurdy
2018-06-04 19:18 ` Andre McCurdy
2018-06-04 22:25 ` Mark Hatle [this message]
2018-06-04 23:22 ` Andre McCurdy