| commit | cc4e0d4d63eb9c036f45ccdd05db54d16c5cdc7c | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Thu, 9 Jul 2020 05:11:20 +0000 (8 22:11 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Thu, 9 Jul 2020 05:11:20 +0000 (8 22:11 -0700) | ||
| tree | bfe74564be72246deadf5281b8f563f4e093418e | treesnapshot (tar.gz zip) |
| parent | f5c65b81911dc99f0a249d90c629c44d8cbe29aa | commitdiff |
Config.pm: elaborate on disable_dsa and newer OpenSSH versions
Newer versions of the OpenSSH server software require this line:
PubkeyAcceptedKeyTypes +ssh-dss
be added to the sshd_config file before they will accept any
"ssh-dss" (aka dsa) public keys.
Mention that if the recommended default of `$disable_dsa = 1;` is
changed (i.e. set to 0), then the above line must be manually added
to the `$chroot/j/etc/ssh/sshd_config` file or "ssh-dss" keys will
still not be accepted.
It would be possible to grep the `sshd` binary for the string
"pubkeyacceptedkeytypes" at jail setup time and automatically add
the above line to the sshd_config if `$disable_dsa = 0;` was in
effect when the jail's initial `sshd_config` file was generated.
However, there's a very good reason that dsa keys have been disabled
in the OpenSSH server software by default -- they are widely
recognized as too insecure at this point in time.
Therefore, do add the comment explaining what has to be done to
re-enable dsa keys, but do NOT do it automatically even if dsa keys
are not disabled in the "Config.pm" file.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Newer versions of the OpenSSH server software require this line:
PubkeyAcceptedKeyTypes +ssh-dss
be added to the sshd_config file before they will accept any
"ssh-dss" (aka dsa) public keys.
Mention that if the recommended default of `$disable_dsa = 1;` is
changed (i.e. set to 0), then the above line must be manually added
to the `$chroot/j/etc/ssh/sshd_config` file or "ssh-dss" keys will
still not be accepted.
It would be possible to grep the `sshd` binary for the string
"pubkeyacceptedkeytypes" at jail setup time and automatically add
the above line to the sshd_config if `$disable_dsa = 0;` was in
effect when the jail's initial `sshd_config` file was generated.
However, there's a very good reason that dsa keys have been disabled
in the OpenSSH server software by default -- they are widely
recognized as too insecure at this point in time.
Therefore, do add the comment explaining what has to be done to
re-enable dsa keys, but do NOT do it automatically even if dsa keys
are not disabled in the "Config.pm" file.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
| Girocco/Config.pm | diffblobblamehistory |