
Bug#481133: openssh-server: Would like to disable DSA entirely



On Wed, 14 May 2008 02:24:40 +0100 Colin Watson wrote:

> On Wed, May 14, 2008 at 12:10:08AM +0100, Sam Morris wrote:
> > Package: openssh-server
> > Version: 1:4.3p2-9
> > Severity: wishlist
> > 
> > I'd like to be able to disable the use of DSA for both host and client
> > authentication.

I agree with this wishlist bug.
There should be a way to disable DSA-public-key-based authentication
entirely (since DSA keys can be compromised by just being *used* on a
system with a broken PRNG in SSL, as explained in the recent
DSA-1571-1).

> 
> For host keys, you can just remove that host key from sshd_config.

I've just done so; I commented out the following line
in /etc/ssh/sshd_config on my boxes:

  #HostKey /etc/ssh/ssh_host_dsa_key

But, even after restarting ssh, users may still log in with their DSA
keys (as long as those keys are listed in their ~/.ssh/authorized_keys,
obviously).

I checked this by myself.
On a client box C, I have ~/.ssh/id_dsa.pub and ~/.ssh/id_dsa
On a server box S, I have the above id_dsa.pub inside
~/.ssh/authorized_keys
On S, /etc/ssh/sshd_config only has

  HostKey /etc/ssh/ssh_host_rsa_key

and no reference to the DSA host key.

Nonetheless, if I try to log in from C to S with my non-root user, I
can successfully authenticate and enter.  S uses its RSA host key, but
my user on C uses my DSA key and logs in happily...

> It's
> true that there's (as far as I know) no way to do this for user keys yet
> though.

I think there should be a way to configure the OpenSSH server so that it
refuses DSA-public-key-based authentication, just like there's a way to
disable password-based authentication.

Configuring the client is no solution, since non-root users are always
allowed to override system-wide OpenSSH client configuration (and there
are good reasons for allowing this) and since you cannot be sure about
client box configuration whenever you do not administer it.


-- 
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
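
The message above reports that sshd still accepts DSA user keys listed in ~/.ssh/authorized_keys even with the DSA host key removed. The following is an added example, not part of the original message or of OpenSSH: a Python audit that reports `ssh-dss` entries in authorized_keys text and confirms the type against the header inside the base64 key blob. The function names and the sample lines are constructed for illustration.

```python
import base64
import struct

def split_fields(line):
    # Split on whitespace, but keep quoted option values (which may hold spaces) whole.
    fields, cur, in_quote, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch in " \t" and not in_quote:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def blob_key_type(b64):
    # The key blob starts with a 4-byte big-endian length followed by the type name.
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_dsa_keys(text):
    # Return (line_number, comment) for each DSA user key in authorized_keys text.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_fields(line)
        for i, tok in enumerate(fields[:-1]):
            if tok == "ssh-dss" and blob_key_type(fields[i + 1]) == "ssh-dss":
                hits.append((lineno, " ".join(fields[i + 2:])))
                break
    return hits

def _blob(key_type):  # constructed blob: real type header, zero filler, no key material
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type.encode() + b"\0" * 16).decode()

SAMPLE = "\n".join([
    "# constructed sample authorized_keys content",
    "ssh-rsa " + _blob("ssh-rsa") + " alice@c",
    "ssh-dss " + _blob("ssh-dss") + " bob@c",
    'command="echo ssh-dss x",no-pty ssh-rsa ' + _blob("ssh-rsa") + " backup@c",
    'from="10.0.0.*" ssh-dss ' + _blob("ssh-dss") + " carol@c",
])
```

Calling `find_dsa_keys(SAMPLE)` flags lines 3 and 5 only; the `ssh-dss` string inside the quoted `command=` option on line 4 is not mistaken for a key type.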
