Revision history [back]
 | 1 | initial version | posted 2015-09-01 11:46:10 +0200 |
Update OpenSSH from 5.6 & stop generating DSA host keys by default
Jolla's OpenSSH is currently in version 5.6 while the current upstream version is 7.1. It doesn't understand ECDSA or Ed25519 keys.
OpenSSH 7.0 also deprecates DSA keys which Jolla generates by default. I have disabled them on my Jolla, but they are still generated by default and the only supported option left is RSA. While RSA keys don't have known issues yet, I would prefer to have more secure alternatives available so in case it suffers security issues in the future I can simply disable it and not have to generate other keys.
All my other SSHds have RSA and Ed25519 host keys as Arch wiki has a warning about ECDSA keys.
| | 2 | No.2 Revision |
Update OpenSSH from 5.6 & stop generating DSA host keys by default
Jolla's OpenSSH is currently in version 5.6 while the current upstream version is 7.1. It doesn't understand ECDSA or Ed25519 keys.
OpenSSH 7.0 also deprecates DSA keys which Jolla generates by default. I have disabled them on my Jolla, but they are still generated by default and the only supported option left is RSA. While RSA keys don't have known issues yet, I would prefer to have more secure alternatives available so in case it suffers security issues in the future I can simply disable it and not have to generate other keys.
All my other SSHds have RSA and Ed25519 host keys as Arch wiki has a warning about ECDSA keys.
EDIT1: Disabling DSA keys
I don't fully remember how was the default sshd_config for Jolla, but basically you become root with devel-su and edit /etc/ssh/sshd_config with your favourite text editor (vi is installed by default).
You will find lines starting with HostKey, uncomment them (I have faint memory of them being commented by default, but why?) and remove the one that talks about DSA so they only HostKey line you have left is HostKey /etc/ssh/ssh_host_rsa_key.
Then you can remove the DSA key, rm /etc/ssh/ssh_host_dsa_key* (someone, please verify that the key is called as that as I don't remember) and restart sshd with systemctl restart sshd. You will also want to check that sshd doen't fail to start with systemctl status sshd.
Now in case you used DSA key to identify to your Jolla, you will receive warning next time you connect about unknown RSA key and the fingerprint and asked to manually confirm it. However as far as I am aware all SSH clients prefer RSA over DSA anyway, so you shouldn't see it.
More on that systemctl status sshd, for me it says:
[root@synvaler nemo]# systemctl status -l sshd sshd.service - OpenSSH server daemon Loaded: loaded (/lib/systemd/system/sshd.service; disabled) Active: inactive (dead)
but works anyway, so I am not sure why it calls itself as inactive/dead. But the most important thing in it is that it doesn't say "Failed".
| | 3 | No.3 Revision |
Update OpenSSH from 5.6 & stop generating DSA host keys by default
Jolla's OpenSSH is currently in version 5.6 while the current upstream version is 7.1. It doesn't understand ECDSA or Ed25519 keys.
OpenSSH 7.0 also deprecates DSA keys which Jolla generates by default. I have disabled them on my Jolla, but they are still generated by default and the only supported option left is RSA. While RSA keys don't have known issues yet, I would prefer to have more secure alternatives available so in case it suffers security issues in the future I can simply disable it and not have to generate other keys.
All my other SSHds have RSA and Ed25519 host keys as Arch wiki has a warning about ECDSA keys.
EDIT1: Disabling DSA keys
I don't fully remember how was the default sshd_config for Jolla, but basically you become root with devel-su and edit /etc/ssh/sshd_config with your favourite text editor (vi is installed by default).
You will find lines starting with HostKey, uncomment them (I have faint memory of them being commented by default, but why?) and remove the one that talks about DSA so they only HostKey line you have left is HostKey /etc/ssh/ssh_host_rsa_key.
Then you can remove the DSA key, rm /etc/ssh/ssh_host_dsa_key* (someone, please verify that the key is called as that as I don't remember) and restart sshd with systemctl restart sshd. You will also want to check that sshd doen't fail to start with systemctl status .sshdsshd.socket
Now in case you used DSA key to identify to your Jolla, you will receive warning next time you connect about unknown RSA key and the fingerprint and asked to manually confirm it. However as far as I am aware all SSH clients prefer RSA over DSA anyway, so you shouldn't see it.
More on that systemctl status sshd, sshd.socket, for me it says:
[root@synvaler nemo]# systemctl status -lsshd sshd.servicesshd.socket sshd.socket - OpenSSHserver daemonServer Socket Loaded: loaded(/lib/systemd/system/sshd.service;(/lib/systemd/system/sshd.socket; disabled) Active: inactive(dead)(dead) since ti 2015-09-01 12:33:14 EEST; 1s ago Listen: [::]:22 (Stream) Accepted: 4; Connected: 2 syys 01 12:33:14 synvaler systemd[1]: Stopping OpenSSH Server Socket. syys 01 12:33:14 synvaler systemd[1]: Closed OpenSSH Server Socket. Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
but works anyway, so I am Edit2: you are supposed to check status of sshd.socket, not sure why it calls itself as inactive/dead. But the most important thing in it is that it doesn't say "Failed".sshd.service. (Thanks Yaniel at freenode)