From cc4e0d4d63eb9c036f45ccdd05db54d16c5cdc7c Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Wed, 8 Jul 2020 22:11:20 -0700
Subject: [PATCH] Config.pm: elaborate on disable_dsa and newer OpenSSH versions

Newer versions of the OpenSSH server software require this line: PubkeyAcceptedKeyTypes +ssh-dss be added to the sshd_config file before they will accept any "ssh-dss" (aka dsa) public keys. Mention that if the recommended default of `$disable_dsa = 1;` is changed (i.e. set to 0), then the above line must be manually added to the `$chroot/j/etc/ssh/sshd_config` file or "ssh-dss" keys will still not be accepted. It would be possible to grep the `sshd` binary for the string "pubkeyacceptedkeytypes" at jail setup time and automatically add the above line to the sshd_config if `$disable_dsa = 0;` was in effect when the jail's initial `sshd_config` file was generated. However, there's a very good reason that dsa keys have been disabled in the OpenSSH server software by default -- they are widely recognized as too insecure at this point in time. Therefore, do add the comment explaining what has to be done to re-enable dsa keys, but do NOT do it automatically even if dsa keys are not disabled in the "Config.pm" file.
Signed-off-by: Kyle J. McKay
---
 Girocco/Config.pm | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Girocco/Config.pm b/Girocco/Config.pm
index 044bb64..5ad955e 100644
--- a/Girocco/Config.pm
+++ b/Girocco/Config.pm
@@ -181,22 +181,37 @@ our $manage_users = 1;
 our $min_key_length = 3072;
 # Disable DSA public keys?
+#
 # If this is set to 1, adding DSA keys at reguser.cgi/edituser.cgi time will be
 # prohibited. If $pushurl is undef then this is implicitly set to 1 since DSA
 # keys are not usable with https push.
+#
 # OpenSSH will only generate 1024 bit DSA keys starting with version 4.3p1.
 # Even if OpenSSL is used to generate a longer DSA key (which can then be used
 # with OpenSSH), the SSH protocol itself still forces use of SHA-1 in the DSA
 # signature blob which tends to defeat the purpose of going to a longer key in
 # the first place. So it may be better from a security standpoint to simply
 # disable DSA keys especially if $min_key_length and $rsakeylength have been set
-# to something higher such as 3072 or 4096. This setting is only checked when
-# new keys are added so setting it/increasing it will not affect existing keys.
-# There is no way to disable DSA keys in the OpenSSH server config file itself.
+# to something higher such as 3072 or 4096.
+#
+# This setting is only checked when new keys are added so changing it will not
+# affect existing keys. There is no way to disable DSA keys in the sshd_config
+# file of older versions of the OpenSSH server, but newer versions of OpenSSH
+# WILL DISABLE DSA KEYS BY DEFAULT!
+#
+# IMPORTANT: If you do enable DSA keys ($disable_dsa is set to 0) and you are
+# using a more recent version of the OpenSSH server software in the
+# chroot jail, you MUST manually ADD the following line
+# (the "+" IS REQUIRED) to the $chroot/j/etc/ssh/sshd_config file
+# otherwise dsa keys WILL NOT BE ACCEPTED!
+#
+# PubkeyAcceptedKeyTypes +ssh-dss
+#
 # If this is set to 1, no ssh_host_dsa_key will be generated or used with the
 # sshd running in the jail (but if the sshd_config has already been generated
 # in the jail, it must be removed and 'sudo make install' run again or otherwise
 # the sshd_config needs to be edited by hand for the change to take effect).
+#
 # RECOMMENDED VALUE: 1
 our $disable_dsa = 1;
-- 
2.11.4.GIT
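Review bot: The added comment identifies the affected servers only as "newer versions" and "a more recent version" of OpenSSH, so an operator reading it cannot tell whether the sshd installed in their jail is one of them; the actual threshold is OpenSSH 7.0, which removed ssh-dss from the default set of accepted public key algorithms. I would make the lines `+# file of older versions of the OpenSSH server, but newer versions of OpenSSH` / `+# WILL DISABLE DSA KEYS BY DEFAULT!` read `# file of older OpenSSH servers, but OpenSSH 7.0 and later DISABLE DSA KEYS` / `# BY DEFAULT!`, and say "OpenSSH 7.0 or later" in the IMPORTANT paragraph as well. Since OpenSSH 8.5 the directive has been named `PubkeyAcceptedAlgorithms`, with `PubkeyAcceptedKeyTypes` kept as an alias, so a one-line note that either spelling is accepted by current servers would spare a reader a detour through sshd_config(5) when the quoted line looks unfamiliar.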