[OE-core] [PATCH] openssh: drop sshd support for DSA host keys

Mark Hatle mark.hatle at windriver.com
Mon Jun 4 22:25:21 UTC 2018


On 6/4/18 2:18 PM, Andre McCurdy wrote:
> On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy at gmail.com> wrote:
>> DSA keys have been deprecated for some time:
>>
>>   https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> 
> Ping.
> 
> Any issues with this?

At Wind River we have a series of patches to disable weak-ciphers.  We had
globally disabled them a while back and found that a number of applications and
customers still were using them for various things.

Even though they were 'weak', they were still needed.

See:

https://github.com/WindRiver-OpenSourceLabs/wrlinux/tree/master-wr/wrlinux-distro/recipes-weak-ciphers

If this work is something that should be submitted to oe-core/meta-openembedded
and would be a candidate for merging, I'm all for it.

My suggestion though would be to reverse the checks we have: instead of a
distro feature of 'openssl-no-weak-ciphers', make it 'allow-weak-ciphers', and
disable them by default.

A few things like Kerberos, freeradius and others require weak ciphers for some
functions.  So the corresponding patches for those would need to be developed.

If this is something we want to do, then the OpenSSH change below could be
switched into a PACKAGECONFIG option, and still allow people to define an
insecure system -- if they need to...

--Mark

>> Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
>> ---
>>  meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
>>  meta/recipes-connectivity/openssh/openssh/sshd_config     | 1 -
>>  meta/recipes-connectivity/openssh/openssh_7.6p1.bb        | 1 -
>>  3 files changed, 10 deletions(-)
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> index 5463b1a..be2e2ec 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>> @@ -60,9 +60,6 @@ done
>>  HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>  [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>  [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
>> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
>>  HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>  [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>  [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
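Review bot: the three HOST_KEY_DSA assignments are removed here, but nothing in this hunk shows whether the variable is referenced anywhere else in sshd_check_keys (the `@@ -60,9 +60,6 @@ done` header shows a loop closing just above, and the stat line reports only 8 deletions for this file); please confirm no remaining `$HOST_KEY_DSA` use is left to expand to an empty string, and mention the check in the commit message.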
>> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
>>      echo "  generating ssh ECDSA key..."
>>      generate_key $HOST_KEY_ECDSA ecdsa
>>  fi
>> -if [ ! -f $HOST_KEY_DSA ]; then
>> -    echo "  generating ssh DSA key..."
>> -    generate_key $HOST_KEY_DSA dsa
>> -fi
>>  if [ ! -f $HOST_KEY_ED25519 ]; then
>>      echo "  generating ssh ED25519 key..."
>>      generate_key $HOST_KEY_ED25519 ed25519
>>  fi
>> -
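Review bot: dropping the generation step stops new images from creating a DSA key, but a `ssh_host_dsa_key` already present under `$SYSCONFDIR` on an upgraded system stays on disk and is neither detected nor removed by this script; either document that in the commit message or add a one-line cleanup alongside the removed `if [ ! -f $HOST_KEY_DSA ]` block. The final `-` line that deletes a trailing blank line is unrelated whitespace cleanup and could be split out or noted.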
>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> index 31fe5d9..b7c3ccd 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
>> @@ -22,7 +22,6 @@ Protocol 2
>>  #HostKey /etc/ssh/ssh_host_key
>>  # HostKeys for protocol version 2
>>  #HostKey /etc/ssh/ssh_host_rsa_key
>> -#HostKey /etc/ssh/ssh_host_dsa_key
>>  #HostKey /etc/ssh/ssh_host_ecdsa_key
>>  #HostKey /etc/ssh/ssh_host_ed25519_key
>>
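Review bot: only a commented-out example line is removed, so this hunk changes documentation, not behaviour; since the same context still lists `#HostKey /etc/ssh/ssh_host_key` above the `# HostKeys for protocol version 2` comment, that pre-protocol-2 example is an equally stale line and a candidate for the same cleanup.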
>> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> index e11e8d7..a527a7c 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>> @@ -110,7 +110,6 @@ do_install_append () {
>>         install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
>>         sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>>         echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>> -       echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>         echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>         echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>
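Review bot: the HostKey list written to `sshd_config_readonly` is hardcoded by these `echo` lines, so removing the DSA entry keeps it consistent with the `sshd_check_keys` change; if, as suggested in the reply above, the DSA removal becomes a PACKAGECONFIG option rather than an unconditional drop, this `echo` would need to become conditional on that option together with the check script, not be deleted outright.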
>> --
>> 1.9.1
>>
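As an added example, not code from the patch, from OE-core or from the Wind River layer, the following script generalises the three-step HostKey lookup that the quoted sshd_check_keys hunk performs per key type (an active HostKey directive naming the key, then any line mentioning HostKey, commented ones included, then the conventional default path under the configuration directory) into one function, and uses it to audit a system for DSA host keys that would still be loaded or generated. Function names, the `demo` argument and the sample sshd_config are this example's own constructions.

```shell
#!/bin/sh
# Added example (not part of the OE-core patch or the Wind River layer).
# Reproduces the HostKey lookup order of sshd_check_keys as a generic
# function and audits a config/key directory for DSA host keys.

# resolve_hostkey_path CONFIG TYPE [SYSCONFDIR]
# Print the path sshd_check_keys would use for a host key of TYPE
# (rsa, dsa, ecdsa, ed25519), following the script's own fallback order.
resolve_hostkey_path() {
    config="$1"
    type="$2"
    sysconfdir="${3:-/etc/ssh}"
    # 1. Active HostKey directive whose file name marks the key type.
    path=$(grep '^HostKey' "$config" | grep "_${type}_" | tail -1 | awk '{ print $2 }')
    # 2. Any line mentioning HostKey, commented-out examples included.
    [ -z "$path" ] && path=$(grep 'HostKey' "$config" | grep "_${type}_" | tail -1 | awk '{ print $2 }')
    # 3. Conventional default location.
    [ -z "$path" ] && path="$sysconfdir/ssh_host_${type}_key"
    printf '%s\n' "$path"
}

# dsa_hostkey_present CONFIG [SYSCONFDIR]
# Return 0 if a DSA key file exists where sshd_check_keys would look for
# (or generate) it, 1 otherwise.
dsa_hostkey_present() {
    key=$(resolve_hostkey_path "$1" dsa "${2:-/etc/ssh}")
    [ -f "$key" ]
}

# audit_hostkeys CONFIG [SYSCONFDIR]
# Print one line per key type: TYPE PATH present|missing.
audit_hostkeys() {
    for t in rsa dsa ecdsa ed25519; do
        key=$(resolve_hostkey_path "$1" "$t" "${2:-/etc/ssh}")
        if [ -f "$key" ]; then state=present; else state=missing; fi
        printf '%s %s %s\n' "$t" "$key" "$state"
    done
}

# demo: constructed sshd_config and key directory in a temporary location,
# with a stand-in file for a leftover DSA key.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<EOF
HostKey $tmp/ssh_host_rsa_key
#HostKey $tmp/ssh_host_dsa_key
EOF
    : > "$tmp/ssh_host_dsa_key"   # constructed: pretend a DSA key was left behind
    audit_hostkeys "$tmp/sshd_config" "$tmp"
    if dsa_hostkey_present "$tmp/sshd_config" "$tmp"; then
        echo "WARNING: DSA host key present at $(resolve_hostkey_path "$tmp/sshd_config" dsa "$tmp")"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh audit_hostkeys.sh demo`. The second lookup step is the one worth noticing from a defender's standpoint: because it matches commented-out `#HostKey` lines too, a DSA key file is located (and, in the original script, generated) even when no active directive references it, which is why removing both the commented example and the generation step, as the patch does, is needed to actually keep DSA keys off a new image.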