Bug 2662

Summary:

Does it still make sense to use DSA host keys by default?

Product:

Portable OpenSSH

Reporter:

Colin Watson <cjwatson>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

djm

Priority:

Version:

7.4p1

Hardware:

Other

OS:

Linux

Bug Depends on:

Bug Blocks:

2782

Attachments:

Description	Flags
Remove ssh_host_dsa_key from HostKey default	none

Description Colin Watson 2017-01-09 05:45:12 AEDT

Despite the fact that the client disables DSA support by default since OpenSSH 7.0, the server still includes it in the implicit list of host keys used if you don't specify any HostKey options at all (which is the default behaviour in the stock sshd_config).  This seems a bit odd.  Would you consider removing it from the list in fill_default_server_options, thereby requiring people who really need it to specify it manually?  That would seem to be useful in further discouraging the use of DSA.

Background for why I'm asking: https://bugs.debian.org/823827 requested something similar, which at the time I handled only in the Debian packaging scripts.  Recently I switched to doing a better job of upgrading server configuration files and using something much closer to the stock upstream sshd_config, which has resulted in https://bugs.debian.org/850614, so I'm considering patching this out of fill_default_server_options given that the Debian packaging scripts ensure that all necessary host keys are generated so something newer should always be available; but it seems worth asking if you have serious qualms about that approach.

Comment 1 Colin Watson 2017-01-17 01:47:01 AEDT

Created attachment 2930 [details]
Remove ssh_host_dsa_key from HostKey default

Perhaps something like this?

Comment 2 Damien Miller 2017-11-03 14:12:54 AEDT

Put this on the list. DSA isn't offered by default anyway.

Comment 3 Damien Miller 2018-02-16 13:33:35 AEDT

Applied - thanks

commit 88c50a5ae20902715f0fca306bb9c38514f71679 (HEAD -> master, origin/master, origin/HEAD)
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 16 02:32:40 2018 +0000

    upstream: stop loading DSA keys by default, remove sshd_config
    stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
    
    OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09

Comment 4 Damien Miller 2021-04-23 15:08:47 AEST

closing resolved bugs as of 8.6p1 release