Bug#773192: disable DSA key generation by default


Bug#773192: disable DSA key generation by default

Safar, Stefan

Package: openssh-server

Version: all

 

During installation (or maybe the first startup, I'm not sure), the openssh-server generates 1024-bit DSA keys. This key length is no longer considered secure and therefore should be disabled, or created with a longer key length.


However, not all SSH implementations support DSA keys longer than 1024 bits, so I suggest disabling DSA key generation.

 

According to NIST, 1024-bit keys are disallowed after 2013, see: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

 

 

This bug is somehow related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it’s not a duplicate.

 

Thank you,


Stefan Safar
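The report's point is that a 1024-bit DSA host key is the only size most SSH implementations accept, so the defensible fix is to stop generating the key type altogether. The following is an added example, not part of the bug report or of Debian's openssh packaging: a small Python audit that parses OpenSSH public-key lines (the format of `/etc/ssh/ssh_host_*_key.pub`, `authorized_keys` and the key field of `known_hosts`) from the SSH wire encoding, and flags every `ssh-dss` key plus any RSA modulus below 2048 bits. The sample keys are constructed inline from placeholder integers of the right bit length; they are not real keys or valid group parameters, and the 2048-bit RSA floor is this example's own policy choice.

```python
import base64
import struct

# Policy, following the report and NIST SP 800-131A: 1024-bit DSA is disallowed,
# and because few implementations accept longer DSA keys, every ssh-dss key is
# flagged rather than only short ones. RSA below this modulus size is flagged too
# (the 2048-bit floor is this example's assumption, not from the report).
MIN_RSA_BITS = 2048


def _read_string(blob, off):
    """Read an SSH 'string' (uint32 length + bytes) starting at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _read_mpint(blob, off):
    """Read an SSH 'mpint' (two's-complement big-endian integer)."""
    raw, off = _read_string(blob, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_pubkey_line(line):
    """Parse 'type base64 [comment]' into (key_type, bits)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    ktype_bytes, off = _read_string(blob, 0)
    ktype = ktype_bytes.decode()
    if ktype != fields[0]:
        raise ValueError("key type inside blob does not match the text field")
    if ktype == "ssh-dss":
        p, off = _read_mpint(blob, off)      # DSA blob: p, q, g, y; size is |p|
        bits = p.bit_length()
    elif ktype == "ssh-rsa":
        _e, off = _read_mpint(blob, off)     # RSA blob: e, n; size is |n|
        n, off = _read_mpint(blob, off)
        bits = n.bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256                           # fixed-size 32-byte point
    else:
        bits = None
    return ktype, bits


def assess(line):
    """Return (key_type, bits, verdict) with verdict in {"WEAK", "OK", "UNKNOWN"}."""
    ktype, bits = parse_pubkey_line(line)
    if ktype == "ssh-dss":
        return ktype, bits, "WEAK"
    if ktype == "ssh-rsa":
        return ktype, bits, "WEAK" if bits < MIN_RSA_BITS else "OK"
    if bits is None:
        return ktype, bits, "UNKNOWN"
    return ktype, bits, "OK"


def audit(lines):
    """Assess every key line; a real run would feed it the host's *.pub files."""
    return [assess(l) for l in lines if l.strip() and not l.startswith("#")]


# --- constructed sample input (NOT real keys): the integers are placeholder
# values of the right bit length, not primes or valid group parameters. ---
def _put_string(b):
    return struct.pack(">I", len(b)) + b


def _put_mpint(x):
    # Positive mpint: one extra byte keeps the sign bit clear when the top bit is set.
    return _put_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))


def make_pubkey_line(ktype, params, comment):
    blob = _put_string(ktype.encode())
    for p in params:
        blob += _put_mpint(p) if isinstance(p, int) else _put_string(p)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEYS = [
    make_pubkey_line("ssh-dss", [2**1023 | 1, 2**159 | 1, 2, 3], "constructed 1024-bit dsa host key"),
    make_pubkey_line("ssh-rsa", [65537, 2**1023 | 1], "constructed 1024-bit rsa"),
    make_pubkey_line("ssh-rsa", [65537, 2**3071 | 1], "constructed 3072-bit rsa"),
    make_pubkey_line("ssh-ed25519", [b"\x01" * 32], "constructed ed25519"),
]

if __name__ == "__main__":
    for ktype, bits, verdict in audit(SAMPLE_KEYS):
        print(f"{verdict:8} {ktype:12} {bits}")
```

Reading the size from the blob rather than trusting a file name matters for host keys: a file called `ssh_host_dsa_key.pub` is always DSA, but `authorized_keys` and `known_hosts` entries carry no such hint, so the parser is the only reliable check. On a host where `sshd_config` still lists a `HostKey /etc/ssh/ssh_host_dsa_key` line, a `WEAK` result for that file is the signal to drop the directive and the key pair.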


Bug#773192: marked as done (disable DSA key generation by default)

Debian Bug Tracking System
Your message dated Tue, 10 Sep 2019 15:06:42 +0100
with message-id <[hidden email]>
and subject line Re: Bug#773192: disable DSA key generation by default
has caused the Debian Bug report #773192,
regarding disable DSA key generation by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
773192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773192
Debian Bug Tracking System
Contact [hidden email] with problems


Source: openssh
Source-Version: 1:7.2p2-6

On Tue, Sep 10, 2019 at 03:04:49PM +0100, Colin Watson wrote:
> However, I think it likely is a duplicate of #823827, which was fixed in
> 1:7.2p2-6 (before stretch).  This is why it's relevant which version you
> encountered this bug in and whether you have any local customisations,
> because if it's a more recent version than that then we need to
> investigate further.

Err, sorry, I didn't notice that yours was an older email that popped up
at the end of my inbox due to a spam message in the same thread!  In
that case, this is fixed in 1:7.2p2-6 as follows:

openssh (1:7.2p2-6) unstable; urgency=medium

  * debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes:
    #822997).
  * Copy summary of supported SFTP protocol versions from upstream's
    PROTOCOL file into the openssh-sftp-server package description (closes:
    #766887).
  * Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that
    scp1 works (reported by Olivier MATZ).
  * Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see
    LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
    (closes: #831902).
  * Backport upstream patch to close ControlPersist background process
    stderr when not in debug mode or when logging to a file or syslog
    (closes: #714526).
  * Add a session cleanup script and a systemd unit file to trigger it,
    which serves to terminate SSH sessions cleanly if systemd doesn't do
    that itself, often because libpam-systemd is not installed (thanks,
    Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
  * Stop generating DSA host keys by default (thanks, Santiago Vila; closes:
    #823827).

 -- Colin Watson <[hidden email]>  Fri, 22 Jul 2016 17:06:19 +0100

Thanks,

--
Colin Watson                                       [[hidden email]]