thr3ads.net - openssh bugs - [Bug 2662] New: Does it still make sense to use DSA host keys by default? [Jan 2017]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.mindrot.org

2017-Jan-08 18:45 UTC

[Bug 2662] New: Does it still make sense to use DSA host keys by default?

https://bugzilla.mindrot.org/show_bug.cgi?id=2662

            Bug ID: 2662
           Summary: Does it still make sense to use DSA host keys by
                    default?
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Despite the fact that the client disables DSA support by default since
OpenSSH 7.0, the server still includes it in the implicit list of host
keys used if you don't specify any HostKey options at all (which is the
default behaviour in the stock sshd_config).  This seems a bit odd. 
Would you consider removing it from the list in
fill_default_server_options, thereby requiring people who really need
it to specify it manually?  That would seem to be useful in further
discouraging the use of DSA.

Background for why I'm asking: https://bugs.debian.org/823827 requested
something similar, which at the time I handled only in the Debian
packaging scripts.  Recently I switched to doing a better job of
upgrading server configuration files and using something much closer to
the stock upstream sshd_config, which has resulted in
https://bugs.debian.org/850614, so I'm considering patching this out of
fill_default_server_options given that the Debian packaging scripts
ensure that all necessary host keys are generated so something newer
should always be available; but it seems worth asking if you have
serious qualms about that approach.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2017-Jan-16 14:47 UTC

head link

[Bug 2662] Does it still make sense to use DSA host keys by default?

https://bugzilla.mindrot.org/show_bug.cgi?id=2662

--- Comment #1 from Colin Watson <cjwatson at debian.org> ---
Created attachment 2930
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2930&action=edit
Remove ssh_host_dsa_key from HostKey default

Perhaps something like this?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2017-Nov-03 03:12 UTC

head link

[Bug 2662] Does it still make sense to use DSA host keys by default?

https://bugzilla.mindrot.org/show_bug.cgi?id=2662

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |2782

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Put this on the list. DSA isn't offered by default anyway.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2018-Feb-16 02:33 UTC

head link

[Bug 2662] Does it still make sense to use DSA host keys by default?

https://bugzilla.mindrot.org/show_bug.cgi?id=2662

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Applied - thanks

commit 88c50a5ae20902715f0fca306bb9c38514f71679 (HEAD -> master,
origin/master, origin/HEAD)
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Feb 16 02:32:40 2018 +0000

    upstream: stop loading DSA keys by default, remove sshd_config
    stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

    OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

bugzilla-daemon at mindrot.org

2021-Apr-23 05:08 UTC

head link

[Bug 2662] Does it still make sense to use DSA host keys by default?

https://bugzilla.mindrot.org/show_bug.cgi?id=2662

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

Seemingly Similar Threads

Search for more apparently analagous threads

openssh bugs - Jan 2017 - [Bug 2662] New: Does it still make sense to use DSA host keys by default?

[Bug 2662] New: Does it still make sense to use DSA host keys by default?

[Bug 2662] Does it still make sense to use DSA host keys by default?

[Bug 2662] Does it still make sense to use DSA host keys by default?

[Bug 2662] Does it still make sense to use DSA host keys by default?

[Bug 2662] Does it still make sense to use DSA host keys by default?

Seemingly Similar Threads