Bug#773192: disable DSA key generation by default

2019-09-10 Thread Colin Watson
On Mon, Dec 15, 2014 at 12:49:40PM +, Safar, Stefan wrote:
>Version: all

The version is relevant - you can't just say "all".  What version did
you encounter this bug in?

>During installation (or maybe the first startup, I'm not sure), the
>openssh-server generates 1024-bit DSA keys.

As far as I can tell, no, it doesn't.  In a fresh unstable chroot:

  # apt install openssh-server
  [...]
  Setting up openssh-server (1:8.0p1-6) ...
  
  Creating config file /etc/ssh/sshd_config with new version
  Creating SSH2 RSA key; this may take some time ...
  3072 SHA256:CTOaHgFdYim5rV+9TsQNjcxXnghR4n0R7MQT0VkxClY root@niejwein (RSA)
  Creating SSH2 ECDSA key; this may take some time ...
  256 SHA256:yxBciZ3liGRuAIlZl0r06z0q4PWZJoQNd9/4yMwm/10 root@niejwein (ECDSA)
  Creating SSH2 ED25519 key; this may take some time ...
  256 SHA256:uAi+rvto2sRR7+OIM9tP5RWqVW1/M1elBv0Rchnw4Js root@niejwein (ED25519)
  [...]
  # ls -l /etc/ssh
  total 596
  -rw-r--r-- 1 root root 577325 Aug 28 10:53 moduli
  -rw-r--r-- 1 root root   1565 Aug 28 10:53 ssh_config
  -rw------- 1 root root    505 Sep 10 14:59 ssh_host_ecdsa_key
  -rw-r--r-- 1 root root    175 Sep 10 14:59 ssh_host_ecdsa_key.pub
  -rw------- 1 root root    399 Sep 10 14:59 ssh_host_ed25519_key
  -rw-r--r-- 1 root root     95 Sep 10 14:59 ssh_host_ed25519_key.pub
  -rw------- 1 root root   2602 Sep 10 14:59 ssh_host_rsa_key
  -rw-r--r-- 1 root root    567 Sep 10 14:59 ssh_host_rsa_key.pub
  -rw-r--r-- 1 root root   3250 Aug 28 10:53 sshd_config

The packaging will only generate a DSA host key if you have a HostKey
line in /etc/ssh/sshd_config which explicitly requires it; there is no
such line in the default configuration.

>This bug is somehow related to
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it’s not a
>duplicate.

However, I think it likely is a duplicate of #823827, which was fixed in
1:7.2p2-6 (before stretch).  This is why it's relevant which version you
encountered this bug in and whether you have any local customisations,
because if it's a more recent version than that then we need to
investigate further.

Regards,

-- 
Colin Watson   [cjwat...@debian.org]



Bug#773192: disable DSA key generation by default

2014-12-15 Thread Safar, Stefan
Package: openssh-server
Version: all

During installation (or maybe the first startup, I'm not sure), the 
openssh-server generates 1024-bit DSA keys. This key length is no longer 
considered secure and therefore should be disabled, or created with a longer 
key length.

However, not all SSH implementations support DSA keys longer than 1024 bits, so 
I suggest disabling DSA key generation.

According to NIST, 1024-bit keys are disallowed after 2013, see: 
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf


This bug is somehow related to 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it's not a 
duplicate.

Thank you,

Stefan Safar