Update OpenSSH from 5.6 & stop generating DSA host keys by default
Jolla's OpenSSH is currently in version 5.6 while the current upstream version is 7.1. It doesn't understand ECDSA or Ed25519 keys.
OpenSSH 7.0 also deprecates DSA keys, which Jolla generates by default. I have disabled them on my Jolla, but they are still generated by default and the only supported option left is RSA. While RSA keys don't have known issues yet, I would prefer to have more secure alternatives available, so that in case it suffers security issues in the future I can simply disable it and not have to generate other keys.
All my other SSHDs have RSA and Ed25519 host keys, as the Arch wiki has a warning about ECDSA keys.
EDIT1: Disabling DSA keys
I don't fully remember what the default sshd_config for Jolla was, but basically you become root with devel-su and edit /etc/ssh/sshd_config with your favourite text editor (vi is installed by default).
You will find lines starting with HostKey, uncomment them (I have a faint memory of them being commented by default, but why?) and remove the one that talks about DSA, so the only HostKey line you have left is HostKey /etc/ssh/ssh_host_rsa_key.
Then you can remove the DSA key, rm /etc/ssh/ssh_host_dsa_key* (someone, please verify that the key is called that, as I don't remember), and restart sshd with systemctl restart sshd. You will also want to check that sshd doesn't fail to start with systemctl status sshd.socket.
Now, in case you used a DSA key to identify to your Jolla, you will receive a warning the next time you connect about an unknown RSA key and its fingerprint, and be asked to manually confirm it. However, as far as I am aware all SSH clients prefer RSA over DSA anyway, so you shouldn't see it.
More on that systemctl status sshd.socket, for me it says:

[root@synvaler nemo]# systemctl status -l sshd.socket
sshd.socket - OpenSSH Server Socket
   Loaded: loaded (/lib/systemd/system/sshd.socket; disabled)
   Active: inactive (dead) since ti 2015-09-01 12:33:14 EEST; 1s ago
   Listen: [::]:22 (Stream)
 Accepted: 4; Connected: 2

syys 01 12:33:14 synvaler systemd[1]: Stopping OpenSSH Server Socket.
syys 01 12:33:14 synvaler systemd[1]: Closed OpenSSH Server Socket.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Edit2: you are supposed to check the status of sshd.socket, not sshd.service. (Thanks Yaniel at freenode)
good note! maybe you could add a small how-to about disabling DSA keys?
virgi26 ( 2015-09-01 12:06:02 +0200 )

Done. Hopefully I make sense with it :)
Mikaela ( 2015-09-01 12:20:23 +0200 )

OpenSSH is (of course) BSD licensed, so Jolla's GPLv2-only policy, which is holding up updates to many core OS components, should not be an issue here.
MartinK ( 2015-09-01 16:25:47 +0200 )

I opened a merge request about disabling DSA host key generation, but I don't have the skills for anything else.
- https://git.merproject.org/mer-core/openssh/merge_requests/1
Mikaela ( 2015-09-05 11:54:05 +0200 )

@Mikaela good job!
virgi26 ( 2015-09-05 16:27:23 +0200 )