28

Update OpenSSH from 5.6 & stop generating DSA host keys by default

asked 2015-09-01 11:46:10 +0200 by Mikaela

updated 2015-09-01 12:34:51 +0200

Jolla's OpenSSH is currently at version 5.6 while the current upstream version is 7.1. It doesn't understand ECDSA or Ed25519 keys.

OpenSSH 7.0 also deprecates DSA keys which Jolla generates by default. I have disabled them on my Jolla, but they are still generated by default and the only supported option left is RSA. While RSA keys don't have known issues yet, I would prefer to have more secure alternatives available so in case it suffers security issues in the future I can simply disable it and not have to generate other keys.

All my other SSHds have RSA and Ed25519 host keys, as the Arch wiki has a warning about ECDSA keys.


EDIT1: Disabling DSA keys

I don't fully remember what the default sshd_config for Jolla was, but basically you become root with devel-su and edit /etc/ssh/sshd_config with your favourite text editor (vi is installed by default).

You will find lines starting with HostKey; uncomment them (I have a faint memory of them being commented by default, but why?) and remove the one that talks about DSA, so the only HostKey line you have left is HostKey /etc/ssh/ssh_host_rsa_key.

Then you can remove the DSA key, rm /etc/ssh/ssh_host_dsa_key* (someone, please verify that the key is called that, as I don't remember) and restart sshd with systemctl restart sshd. You will also want to check that sshd doesn't fail to start with systemctl status sshd.socket.

Now, in case you used the DSA key to identify your Jolla, next time you connect you will receive a warning about an unknown RSA key with its fingerprint and be asked to manually confirm it. However, as far as I am aware all SSH clients prefer RSA over DSA anyway, so you shouldn't see it.

More on that systemctl status sshd.socket, for me it says:

[root@synvaler nemo]# systemctl status -l sshd.socket
sshd.socket - OpenSSH Server Socket
   Loaded: loaded (/lib/systemd/system/sshd.socket; disabled)
   Active: inactive (dead) since ti 2015-09-01 12:33:14 EEST; 1s ago
   Listen: [::]:22 (Stream)
 Accepted: 4; Connected: 2

syys 01 12:33:14 synvaler systemd[1]: Stopping OpenSSH Server Socket.
syys 01 12:33:14 synvaler systemd[1]: Closed OpenSSH Server Socket.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

EDIT2: you are supposed to check the status of sshd.socket, not sshd.service. (Thanks Yaniel at freenode)
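The editing steps above, as an added example that is not part of the original post and not Jolla's or Mer's own code: a small POSIX sh helper that comments out the DSA HostKey line, makes sure the RSA HostKey line is active, and then lists which key files the resulting config will load. The function and file names are assumptions; it works on whatever config path it is given and writes a .bak copy first, so it can be tried on a copy of sshd_config before touching the real one.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original post).
# Usage on the device, as root:
#   disable_dsa_hostkey /etc/ssh/sshd_config
#   active_hostkeys /etc/ssh/sshd_config     # should print only the RSA key path
#   sshd -t && systemctl restart sshd        # -t checks the config before restarting
# Only after sshd restarts cleanly: rm -f /etc/ssh/ssh_host_dsa_key*

# Comment out every active "HostKey .../ssh_host_dsa_key" line and uncomment
# "#HostKey /etc/ssh/ssh_host_rsa_key" if the stock config ships it commented.
# $1 = path to the sshd_config to edit (edited in place, backup kept as $1.bak)
disable_dsa_hostkey() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"
    sed -e 's|^[[:space:]]*\(HostKey[[:space:]]\{1,\}.*ssh_host_dsa_key[[:space:]]*\)$|#\1|' \
        -e 's|^[[:space:]]*#[[:space:]]*\(HostKey[[:space:]]\{1,\}/etc/ssh/ssh_host_rsa_key[[:space:]]*\)$|\1|' \
        "$cfg" > "$cfg.tmp"
    # cat > keeps the original file's mode and owner instead of replacing the inode
    cat "$cfg.tmp" > "$cfg"
    rm -f "$cfg.tmp"
    # If the config never had an RSA HostKey line at all, add one explicitly
    grep -q '^[[:space:]]*HostKey[[:space:]]\{1,\}/etc/ssh/ssh_host_rsa_key' "$cfg" \
        || printf 'HostKey /etc/ssh/ssh_host_rsa_key\n' >> "$cfg"
}

# Print the key files an sshd reading this config would load, one per line.
# Commented lines start with '#' in field 1 and are skipped.
# $1 = path to sshd_config
active_hostkeys() {
    awk '$1 == "HostKey" { print $2 }' "$1"
}

# Constructed sample config (not Jolla's real sshd_config) to show the effect.
sample_config() {
    printf '# constructed sample\n#HostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPermitRootLogin no\n' > "$1"
}

# Run the helpers on the sample and return the HostKey lines that remain active.
demo_on_sample() {
    tmp=$(mktemp)
    sample_config "$tmp"
    disable_dsa_hostkey "$tmp"
    active_hostkeys "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo_on_sample
```

Running the block as-is prints only /etc/ssh/ssh_host_rsa_key for the constructed sample; the DSA line is kept in the file as a comment rather than deleted, so the .bak plus the comment make it easy to undo if sshd -t complains.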


Comments

4

good note!

maybe you could add small how-to about disabling dsa keys?

virgi26 ( 2015-09-01 12:06:02 +0200 )
2

Done. Hopefully I make sense with it :)

Mikaela ( 2015-09-01 12:20:23 +0200 )
1

OpenSSH is (of course) BSD licensed, so Jolla's GPLv2-only policy, which is holding up updates to many core OS components, should not be an issue here.

MartinK ( 2015-09-01 16:25:47 +0200 )
1

I opened a merge request about disabling DSA host key generation, but I don't have the skills for anything else.

Mikaela ( 2015-09-05 11:54:05 +0200 )
1

@Mikaela good job!

virgi26 ( 2015-09-05 16:27:23 +0200 )

1 Answer

6

answered 2015-09-22 14:50:24 +0200 by tigeli

openssh has now been updated to 7.1p1 (https://github.com/mer-packages/openssh); however, the old DSA keys are not yet deleted automatically, but if the user deletes them, no new DSA keys are generated.


Comments

1

Does the default config use them?

Mikaela ( 2015-09-22 16:23:08 +0200 )

The default config does not define what host keys to use, so it is up to sshd itself to decide what to use, and therefore the DSA keys will be used if they exist.

tigeli ( 2015-09-23 16:05:51 +0200 )

So, when is Jolla going to have this version by default? Sailfish OS 2.0.0.10 still has OpenSSH_5.6p1.

Orzech ( 2015-11-16 03:58:36 +0200 )