
Bug#773192: marked as done (disable DSA key generation by default)



Your message dated Tue, 10 Sep 2019 15:06:42 +0100
with message-id <20190910140642.GA11396@riva.ucam.org>
and subject line Re: Bug#773192: disable DSA key generation by default
has caused the Debian Bug report #773192,
regarding disable DSA key generation by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: openssh-server
Version: all

During installation (or maybe the first startup, I'm not sure), the openssh-server generates 1024-bit DSA keys. This key length is no longer considered secure and therefore should be disabled, or created with a longer key length.

However, not all SSH implementations support DSA keys longer than 1024 bits, so I suggest disabling DSA key generation.

According to NIST, 1024-bit keys are disallowed after 2013, see: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

This bug is somehow related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it's not a duplicate.

Thank you,

Stefan Safar


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.2p2-6

On Tue, Sep 10, 2019 at 03:04:49PM +0100, Colin Watson wrote:
> However, I think it likely is a duplicate of #823827, which was fixed in
> 1:7.2p2-6 (before stretch).  This is why it's relevant which version you
> encountered this bug in and whether you have any local customisations,
> because if it's a more recent version than that then we need to
> investigate further.

Err, sorry, I didn't notice that yours was an older email that popped up
at the end of my inbox due to a spam message in the same thread!  In
that case, this is fixed in 1:7.2p2-6 as follows:

openssh (1:7.2p2-6) unstable; urgency=medium

  * debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes:
    #822997).
  * Copy summary of supported SFTP protocol versions from upstream's
    PROTOCOL file into the openssh-sftp-server package description (closes:
    #766887).
  * Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that
    scp1 works (reported by Olivier MATZ).
  * Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see
    LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
    (closes: #831902).
  * Backport upstream patch to close ControlPersist background process
    stderr when not in debug mode or when logging to a file or syslog
    (closes: #714526).
  * Add a session cleanup script and a systemd unit file to trigger it,
    which serves to terminate SSH sessions cleanly if systemd doesn't do
    that itself, often because libpam-systemd is not installed (thanks,
    Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
  * Stop generating DSA host keys by default (thanks, Santiago Vila; closes:
    #823827).

 -- Colin Watson <cjwatson@debian.org>  Fri, 22 Jul 2016 17:06:19 +0100

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
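One way to check whether a host still carries the key this report is about, added here as an example and not code from the bug report, Debian or OpenSSH: it reads the HostKey directives of an sshd_config, decodes the public half of each key from the OpenSSH wire format (RFC 4253 length-prefixed fields, RFC 4251 mpints), and reports the type and the size of p (DSA) or n (RSA). The sshd_config text, the file paths and the key files below are constructed for the example; the integers used as "keys" are not valid DSA or RSA parameters, they only exercise the size logic.

```python
"""Audit OpenSSH host keys for DSA and undersized RSA (added example)."""
import base64
import struct


def _encode_string(raw):
    return struct.pack(">I", len(raw)) + raw


def _encode_mpint(value):
    # mpint: minimal big-endian bytes, with a leading 0x00 when the high bit
    # of the first byte is set, so the value is not read back as negative.
    if value == 0:
        return _encode_string(b"")
    return _encode_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _read_mpint(blob, off):
    raw, off = _read_string(blob, off)
    return int.from_bytes(raw, "big", signed=True), off


def encode_pubkey(keytype, *mpints):
    """Binary blob that goes in column 2 of a .pub file (type, then mpints)."""
    return _encode_string(keytype) + b"".join(_encode_mpint(m) for m in mpints)


def parse_pubkey_line(line):
    """Return (keytype, bits) for one ssh_host_*.pub line.

    bits is len(p) for ssh-dss (fields: p, q, g, y) and len(n) for ssh-rsa
    (fields: e, n). Other types carry no modulus, so bits is None.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    keytype, off = _read_string(blob, 0)
    keytype = keytype.decode("ascii")
    if keytype != fields[0]:
        raise ValueError("key type in blob does not match column 1")
    if keytype == "ssh-dss":
        p, off = _read_mpint(blob, off)
        return keytype, p.bit_length()
    if keytype == "ssh-rsa":
        _e, off = _read_mpint(blob, off)
        n, off = _read_mpint(blob, off)
        return keytype, n.bit_length()
    return keytype, None


def hostkey_paths(sshd_config_text):
    """Paths named by HostKey directives ('HostKey <path>' form only)."""
    paths = []
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1].strip())
    return paths


def audit(sshd_config_text, pubkey_files):
    """Flag weak host keys. pubkey_files maps '<HostKey path>.pub' -> text.

    ssh-dss is flagged whatever its size: OpenSSH only generates 1024-bit
    DSA keys and disables ssh-dss at run time by default since 7.0. RSA
    below 2048 bits is flagged per SP 800-131A. A HostKey whose file is
    absent is reported but not flagged: sshd skips keys it cannot load.
    """
    findings = []
    for path in hostkey_paths(sshd_config_text):
        text = pubkey_files.get(path + ".pub")
        if text is None:
            findings.append((path, "missing", None, False))
            continue
        keytype, bits = parse_pubkey_line(text)
        weak = keytype == "ssh-dss" or (keytype == "ssh-rsa" and bits < 2048)
        findings.append((path, keytype, bits, weak))
    return findings


# Constructed sample input (not a real system): the numbers are NOT valid
# DSA/RSA parameters and must not be reused as keys anywhere.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""


def _pub_line(keytype, *mpints, comment="root@example"):
    blob = encode_pubkey(keytype.encode("ascii"), *mpints)
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} {comment}\n"


SAMPLE_PUBKEY_FILES = {
    "/etc/ssh/ssh_host_rsa_key.pub": _pub_line("ssh-rsa", 65537, 2 ** 2047 + 1),
    "/etc/ssh/ssh_host_dsa_key.pub": _pub_line("ssh-dss", 2 ** 1023 + 1, 2 ** 159 + 1, 2, 3),
    # ed25519 file deliberately absent to show the "missing" case
}

if __name__ == "__main__":
    for path, keytype, bits, weak in audit(SAMPLE_SSHD_CONFIG, SAMPLE_PUBKEY_FILES):
        print(f"{'WEAK' if weak else 'ok  '} {path} {keytype} {bits or ''}")
```

On a real host the same functions would be fed the contents of /etc/ssh/sshd_config and the matching .pub files; a WEAK ssh-dss finding is the pre-1:7.2p2-6 state the report describes, and removing the key pair (or the HostKey line) is the remedy, since sshd ignores a HostKey it cannot load.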
