[OE-core] [PATCH] openssh: drop sshd support for DSA host keys
Andre McCurdy
armccurdy at gmail.com
Mon Jun 4 23:22:40 UTC 2018
On Mon, Jun 4, 2018 at 3:25 PM, Mark Hatle <mark.hatle at windriver.com> wrote:
> On 6/4/18 2:18 PM, Andre McCurdy wrote:
>> On Fri, May 25, 2018 at 3:07 PM, Andre McCurdy <armccurdy at gmail.com> wrote:
>>> DSA keys have been deprecated for some time:
>>>
>>> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>>
>> Ping.
>>
>> Any issues with this?
>
> At Wind River we have a series of patches to disable weak-ciphers. We had
> globally disabled them a while back and found that a number of applications and
> customers still were using them for various things.
>
> Even though they were 'weak', they were still needed.
>
> See:
>
> https://github.com/WindRiver-OpenSourceLabs/wrlinux/tree/master-wr/wrlinux-distro/recipes-weak-ciphers
Disabling weak ciphers in openssl and then fixing the fallout in
*everything* that links with openssl is quite a different and more
ambitious undertaking.
For ssh host key formats, the only requirement is that host and client
agree on at least one common format. RSA is the most common and well
established so as long as we don't disable that, disabling support for
less common or less secure formats is unlikely to cause any issues.
Currently for the dropbear ssh server we ONLY enable RSA host keys and
that seems to be working out fine.
Having our openssh server drop support for DSA host keys seems like
the right thing to do given potential security concerns and the fact
that modern ssh clients (e.g. openssh after 7.0p1 from 2015) don't
support them any more.
> If this work is something that should be submitted to oe-core/meta-openembedded
> and would be a candidate for merging, I'm all for it.
>
> My suggestion though would be to reverse the checks we have.. instead of a
> distro feature of 'openssl-no-weak-ciphers', make it 'allow-weak-ciphers', and
> disable them by default.
>
> A few things like Kerberos, freeradius and others require weak ciphers for some
> functions. So the corresponding patches for those would need to be developed.
>
> If this is something we want to do, then the OpenSSH change below could be
> switched into a PACKAGECONFIG option, and still allow people to define an
> insecure system -- if they need to...
>
> --Mark
>
>>> Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
>>> ---
>>> meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 8 --------
>>> meta/recipes-connectivity/openssh/openssh/sshd_config | 1 -
>>> meta/recipes-connectivity/openssh/openssh_7.6p1.bb | 1 -
>>> 3 files changed, 10 deletions(-)
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> index 5463b1a..be2e2ec 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
>>> @@ -60,9 +60,6 @@ done
>>> HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
>>> -HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
>>> -[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
>>> HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
>>> [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
>>> @@ -79,12 +76,7 @@ if [ ! -f $HOST_KEY_ECDSA ]; then
>>> echo " generating ssh ECDSA key..."
>>> generate_key $HOST_KEY_ECDSA ecdsa
>>> fi
>>> -if [ ! -f $HOST_KEY_DSA ]; then
>>> - echo " generating ssh DSA key..."
>>> - generate_key $HOST_KEY_DSA dsa
>>> -fi
>>> if [ ! -f $HOST_KEY_ED25519 ]; then
>>> echo " generating ssh ED25519 key..."
>>> generate_key $HOST_KEY_ED25519 ed25519
>>> fi
>>> -
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> index 31fe5d9..b7c3ccd 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
>>> @@ -22,7 +22,6 @@ Protocol 2
>>> #HostKey /etc/ssh/ssh_host_key
>>> # HostKeys for protocol version 2
>>> #HostKey /etc/ssh/ssh_host_rsa_key
>>> -#HostKey /etc/ssh/ssh_host_dsa_key
>>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> index e11e8d7..a527a7c 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> +++ b/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
>>> @@ -110,7 +110,6 @@ do_install_append () {
>>> install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>> echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>>>
>>> --
>>> 1.9.1
>>>
>
More information about the Openembedded-core
mailing list