[Nix-dev] SECURITY: default SSH host keys are weak
It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.

Fix:

If you don't care about compatibility with old and broken software:

    services.openssh.hostKeyType = "ecdsa521";

Otherwise:

    services.openssh.hostKeyType = "rsa3072";

Attempts to log into the host will cause SSH to complain about the key change. If you had anything that relies on passwordless logins, it will break.

I have added a check for weak keys to the sshd startup script: f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2

I'll wait a couple of days and then change the hostKeyType default. Or maybe it should be done sooner?

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
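The weak-key check mentioned in the message above, sketched as a stand-alone shell script (an added example, not the code from the referenced commit or from NixOS). The function names and sample lines are made up for illustration; the thresholds are the ones in the hostKeyTypeSafeBits table of the patch quoted later in this thread, and key types outside that table are reported as unknown.

```sh
#!/bin/sh
# Added example: classify host keys from `ssh-keygen -lf` output.
# Minimum sizes follow the hostKeyTypeSafeBits table in the thread's patch.

# min_bits TYPE -> print the smallest acceptable size; fail for other types
min_bits() {
  case "$1" in
    DSA|RSA) echo 2048 ;;
    ECDSA)   echo 255 ;;
    *)       return 1 ;;
  esac
}

# classify_line "BITS FINGERPRINT COMMENT (TYPE)" -> print weak, ok or unknown
classify_line() {
  bits=${1%% *}          # first field: key size in bits
  ktype=${1##*\(}        # text after the last "(" ...
  ktype=${ktype%\)}      # ... minus the closing ")" gives the key type
  case "$bits" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  min=$(min_bits "$ktype") || { echo unknown; return 0; }
  if [ "$bits" -lt "$min" ]; then echo weak; else echo ok; fi
}

# audit_host_keys DIR -> print "STATUS PATH" per public key; return 1 if any is weak
audit_host_keys() {
  rc=0
  for pub in "$1"/ssh_host_*_key.pub; do
    [ -f "$pub" ] || continue
    line=$(ssh-keygen -lf "$pub") || continue
    status=$(classify_line "$line")
    echo "$status $pub"
    if [ "$status" = weak ]; then rc=1; fi
  done
  return "$rc"
}

# Constructed sample lines in ssh-keygen -l format (placeholder fingerprints).
for sample in \
  "1024 SHA256:PLACEHOLDER root@host (DSA)" \
  "3072 SHA256:PLACEHOLDER root@host (RSA)" \
  "521 SHA256:PLACEHOLDER root@host (ECDSA)"
do
  echo "$(classify_line "$sample"): $sample"
done
```

On a live host, `audit_host_keys /etc/ssh` runs the same classification over the installed public keys and returns non-zero if any of them is below the threshold.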
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Or raise an exception unless a new option such as allowWeakKeyTypes is set to true. There is a way to write assertions, grep for assertion in nixos.

I'd like to see such issues treated seriously and force the right thing unless the admin really opts out.

Marc Weber
Re: [Nix-dev] SECURITY: default SSH host keys are weak
I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys. I do not want any of my existing keys re-generated or replaced, though. Can the change in NixOS be made in such a way that accomplishes this?

Peter
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 18:05, Peter Simons wrote:

> I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys. I do not want any of my existing keys re-generated or replaced, though. Can the change in NixOS be made in such a way that accomplishes this?

We can just generate an ECDSA key in addition to the DSA key, which is in fact what upstream's make host-key does. I suggest we apply the attached patch that does that. It's completely backwards compatible in that it will generate an ECDSA host key on systems that don't have one, while clients that have the DSA key in their known_hosts will continue to use that. (It also drops the configurability of the host key type since that doesn't support having multiple host keys.)

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix index 0c70ebd..7fd6bab 100644 --- a/modules/services/networking/ssh/sshd.nix +++ b/modules/services/networking/ssh/sshd.nix 
@@ -15,29 +15,6 @@ let v == forced-commands-only || v == no; - hostKeyTypeNames = { -dsa1024 = dsa; # DSA has a key size limitation due to standards -rsa3072 = rsa; -ecdsa521 = ecdsa; - }; - - hostKeyTypeBits = { -dsa1024 = 1024; # =80 bits of security -rsa3072 = 3072; # =128 bits of security -ecdsa521 = 521; # =256 bits of security - }; - - # equivalent to 112 bit of security strength. Anything below this is very unsafe. - hostKeyTypeSafeBits = { -dsa1024 = 2048; -rsa3072 = 2048; -ecdsa521 = 255; - }; - - hktn = attrByPath [cfg.hostKeyType] (throw unknown host key type `${cfg.hostKeyType}') hostKeyTypeNames; - hktb = attrByPath [cfg.hostKeyType] (throw unknown host key type `${cfg.hostKeyType}') hostKeyTypeBits; - hktsb = attrByPath [cfg.hostKeyType] (throw unknown host key type `${cfg.hostKeyType}') hostKeyTypeSafeBits; - knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); knownHostsFile = pkgs.writeText ssh_known_hosts ( @@ -176,25 +153,6 @@ in ''; }; - hostKeyType = mkOption { -default = dsa1024; -description = '' - Type of host key to generate (dsa1024/rsa3072/ecdsa521), if - the file specified by literalhostKeyPath/literal does not - exist when the service starts. -''; - }; - - hostKeyPath = mkOption { -default = /etc/ssh/ssh_host_${hktn}_key; -description = '' - Path to the server's private key. If there is no key file - on this path, it will be generated when the service is - started for the first time. Otherwise, the ssh daemon will - use the specified key directly in-place. -''; - }; - authorizedKeysFiles = mkOption { default = []; description = Files from with authorized keys are read.; 
@@ -286,21 +244,18 @@ in '' mkdir -m 0755 -p /etc/ssh -if ! test -f ${cfg.hostKeyPath}; then -ssh-keygen -t ${hktn} -b ${toString hktb} -f ${cfg.hostKeyPath} -N +if ! [ -f /etc/ssh/ssh_host_dsa_key ]; then +ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N fi -result=$(ssh-keygen -lf ${cfg.hostKeyPath}|awk '{ print ($1=${toString hktsb}?1:0)}') -if [ $result -ne 1 ]; then - ERROR=SECURITY ALERT: SSH Host Key is too weak. Generate a strong key NOW. - echo $ERROR - echo $ERROR /dev/console +if ! [ -f /etc/ssh/ssh_host_ecdsa_key ]; then +ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N fi ''; serviceConfig = { ExecStart = - ${pkgs.openssh}/sbin/sshd -h ${cfg.hostKeyPath} + + ${pkgs.openssh}/sbin/sshd + -f ${pkgs.writeText sshd_config cfg.extraConfig}; Restart = always; Type = forking; ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
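Review bot: In the @@ -176,25 +153,6 @@ hunk, removing the hostKeyType and hostKeyPath options outright is not backwards compatible for anyone who has set them, including users who followed the advice at the top of this thread to set services.openssh.hostKeyType. A host whose key lives at a custom hostKeyPath would also stop having that key passed to sshd, because the last hunk drops `-h ${cfg.hostKeyPath}` from ExecStart and only generates keys at the two fixed /etc/ssh paths. Suggest keeping the key path configurable (for example as a list of key files) and leaving hostKeyType in place as a deprecated setting for a transition period.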
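Review bot: In the @@ -286,21 +244,18 @@ hunk, both new ssh-keygen calls drop the `-b` argument that the removed line passed (`-b ${toString hktb}`), so key sizes fall back to ssh-keygen's defaults and the 521-bit ECDSA size from the removed hostKeyTypeBits table is no longer applied; pass an explicit `-b` for the ECDSA key. The hunk also deletes the `ssh-keygen -lf` weak-key check entirely, so an existing 1024-bit DSA key keeps being served with no message at all; if the console alert is considered too loud, a quieter log warning would keep the signal. With `-h ${cfg.hostKeyPath}` gone from ExecStart, nothing visible in this patch tells sshd which key files to load, so consider writing explicit HostKey lines for both paths into the generated sshd_config.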
Re: [Nix-dev] SECURITY: default SSH host keys are weak
I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want.

On Fri, Aug 23, 2013 at 7:28 PM, Eelco Dolstra eelco.dols...@logicblox.com wrote:

> Hi,
>
> On 23/08/13 18:05, Peter Simons wrote:
>
>> I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys. I do not want any of my existing keys re-generated or replaced, though. Can the change in NixOS be made in such a way that accomplishes this?
>
> We can just generate an ECDSA key in addition to the DSA key, which is in fact what upstream's make host-key does. I suggest we apply the attached patch that does that. It's completely backwards compatible in that it will generate an ECDSA host key on systems that don't have one, while clients that have the DSA key in their known_hosts will continue to use that. (It also drops the configurability of the host key type since that doesn't support having multiple host keys.)
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
>> It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.
>
> Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to RSA and ECDSA keys).

Section 2.1: 1024bit keys should be phased out by 2010
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf

More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:25, Mathijs Kwik wrote:

> I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want.

The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:29, phree...@yandex.ru wrote:

>>> It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.
>>
>> Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to RSA and ECDSA keys).
>
> Section 2.1: 1024bit keys should be phased out by 2010
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
>
> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

That they deprecate generation of new 1024-bit DSA keys doesn't seem enough reason for us to print dire security warnings on the console. That's really something you should discuss with upstream. They're the crypto experts.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
There probably is some MITM trick to force DSA. That will then indeed lead to a host changed warning in case the client has never used the dsa key before, so it probably won't hurt indeed.

But an option to disable it would be better. Kind of like the hostKeyType we have now :)

On Fri, Aug 23, 2013 at 8:36 PM, Eelco Dolstra eelco.dols...@logicblox.com wrote:

> Hi,
>
> On 23/08/13 20:25, Mathijs Kwik wrote:
>
>> I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want.
>
> The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys.
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
>>>> It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.
>>>
>>> Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to RSA and ECDSA keys).
>>
>> Section 2.1: 1024bit keys should be phased out by 2010
>> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
>>
>> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
>> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
>
> That they deprecate generation of new 1024-bit DSA keys doesn't seem enough reason for us to print dire security warnings on the console. That's really something you should discuss with upstream. They're the crypto experts.

But upstream has been generating and prioritizing keys other than 1024bit DSA for some time already and it is the NixOS implementation that forces DSA-only mode.
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:43, phree...@yandex.ru wrote:

>> On 23/08/13 20:25, Mathijs Kwik wrote:
>>
>>> I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want.
>>
>> The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys.
>
> I'd keep the path to the host keys configurable, maybe bump key sizes a little.

Okay, I've now pushed a commit that does this (9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA, but you can turn off the DSA key by saying:

    services.openssh.hostKeys =
      [ { path = "/etc/ssh/ssh_host_ecdsa_key";
          type = "ecdsa";
          bits = 521;
        }
      ];

If desired, we could also enable an RSA key by default.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Looks good. Thanks!

>>> The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys.
>>
>> I'd keep the path to the host keys configurable, maybe bump key sizes a little.
>
> Okay, I've now pushed a commit that does this (9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA, but you can turn off the DSA key by saying:
>
>     services.openssh.hostKeys =
>       [ { path = "/etc/ssh/ssh_host_ecdsa_key";
>           type = "ecdsa";
>           bits = 521;
>         }
>       ];
>
> If desired, we could also enable an RSA key by default.