Remove ssh_host_dsa_key from HostKey default (closes: #850614).

author: Colin Watson <cjwatson@debian.org> 2017-01-16 13:58:16 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-01-16 13:58:19 +0000
commit: d85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch)
tree: 1407b12337b607c2191922f7729c18132b6438bd
parent: fb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff)
parent: 79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff)
8 files changed, 93 insertions, 13 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 53fbcd41e..6f9925b66 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e346421ca6852fbf9f95cf0e764ecc345e5ce21d
+79d4110c92f82de854b10b2d96df9daaaaeaec3a
-e346421ca6852fbf9f95cf0e764ecc345e5ce21d
+79d4110c92f82de854b10b2d96df9daaaaeaec3a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index a7a936707..a65e90c78 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium
    gone.
  * Document sshd_config changes that may be needed following the removal of
    protocol 1 support from sshd (closes: #851573).
+  * Remove ssh_host_dsa_key from HostKey default (closes: #850614).
 -- Colin Watson <cjwatson@debian.org>  Fri, 06 Jan 2017 08:40:14 +0000
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
new file mode 100644
index 000000000..cd5bd34a4
--- /dev/null
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
+From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 16 Jan 2017 13:53:04 +0000
+Subject: Remove ssh_host_dsa_key from HostKey default
+The client no longer accepts DSA host keys, and servers using the
+default HostKey setting should have better host keys available.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
+Bug-Debian: https://bugs.debian.org/850614
+Last-Update: 2017-01-16
+Patch-Name: no-dsa-host-key-by-default.patch
+---
+ servconf.c    | 2 --
+ sshd.8        | 7 +++----
+ sshd_config   | 1 -
+ sshd_config.5 | 7 +++----
+ 4 files changed, 6 insertions(+), 11 deletions(-)
+diff --git a/servconf.c b/servconf.c
+index 1cee3d6c..202c4506 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
+                /* fill default hostkeys for protocols */
+                options->host_key_files[options->num_host_key_files++] =
+                    _PATH_HOST_RSA_KEY_FILE;
+-               options->host_key_files[options->num_host_key_files++] =
+-                   _PATH_HOST_DSA_KEY_FILE;
+ #ifdef OPENSSL_HAS_ECC
+                options->host_key_files[options->num_host_key_files++] =
+                    _PATH_HOST_ECDSA_KEY_FILE;
+diff --git a/sshd.8 b/sshd.8
+index 38a72540..e8f1fde8 100644
+--- a/sshd.8
+++ b/sshd.8
+@@ -167,11 +167,10 @@ This option must be given if
+ is not run as root (as the normal
+ host key files are normally not readable by anyone but root).
+ The default is
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
+.Pa /etc/ssh/ssh_host_rsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
+ It is possible to have multiple host key files for
+ the different host key algorithms.
+ .It Fl i
+diff --git a/sshd_config b/sshd_config
+index 13cbe2c6..4aea6c72 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -16,7 +16,6 @@
+ #ListenAddress ::
+ 
+ #HostKey /etc/ssh/ssh_host_rsa_key
+-#HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index 703a9cdd..8f8fbb66 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -733,11 +733,10 @@ is not to load any certificates.
+ Specifies a file containing a private host key
+ used by SSH.
+ The defaults are
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
+.Pa /etc/ssh/ssh_host_rsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
+ .Pp
+ Note that
+ .Xr sshd 8
diff --git a/debian/patches/series b/debian/patches/series
index 7edc511b8..6eae81080 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
 regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
+no-dsa-host-key-by-default.patch
diff --git a/servconf.c b/servconf.c
index 1cee3d6c2..202c45066 100644
--- a/servconf.c
+++ b/servconf.c
@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
                /* fill default hostkeys for protocols */
                options->host_key_files[options->num_host_key_files++] =
                    _PATH_HOST_RSA_KEY_FILE;
-                options->host_key_files[options->num_host_key_files++] =
-                    _PATH_HOST_DSA_KEY_FILE;
 #ifdef OPENSSL_HAS_ECC
                options->host_key_files[options->num_host_key_files++] =
                    _PATH_HOST_ECDSA_KEY_FILE;
diff --git a/sshd.8 b/sshd.8
index 38a72540d..e8f1fde8c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -167,11 +167,10 @@ This option must be given if
 is not run as root (as the normal
 host key files are normally not readable by anyone but root).
 The default is
-.Pa /etc/ssh/ssh_host_dsa_key ,
+.Pa /etc/ssh/ssh_host_rsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
-.Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
 It is possible to have multiple host key files for
 the different host key algorithms.
 .It Fl i
diff --git a/sshd_config b/sshd_config
index 13cbe2c66..4aea6c729 100644
--- a/sshd_config
+++ b/sshd_config
@@ -16,7 +16,6 @@
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
diff --git a/sshd_config.5 b/sshd_config.5
index 703a9cddc..8f8fbb66d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -733,11 +733,10 @@ is not to load any certificates.
 Specifies a file containing a private host key
 used by SSH.
 The defaults are
-.Pa /etc/ssh/ssh_host_dsa_key ,
+.Pa /etc/ssh/ssh_host_rsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
-.Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
 .Pp
 Note that
 .Xr sshd 8
author	Colin Watson <cjwatson@debian.org>	2017-01-16 13:58:16 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-01-16 13:58:19 +0000
commit	d85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch)
tree	1407b12337b607c2191922f7729c18132b6438bd
parent	fb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff)
parent	79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 53fbcd41e..6f9925b66 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	e346421ca6852fbf9f95cf0e764ecc345e5ce21d	2	79d4110c92f82de854b10b2d96df9daaaaeaec3a
3	e346421ca6852fbf9f95cf0e764ecc345e5ce21d	3	79d4110c92f82de854b10b2d96df9daaaaeaec3a
4	971a7653746a6972b907dfe0ce139c06e4a6f482	4	971a7653746a6972b907dfe0ce139c06e4a6f482
5	971a7653746a6972b907dfe0ce139c06e4a6f482	5	971a7653746a6972b907dfe0ce139c06e4a6f482
6	openssh_7.4p1.orig.tar.gz	6	openssh_7.4p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index a7a936707..a65e90c78 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -5,6 +5,7 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium
5	gone.	5	gone.
6	* Document sshd_config changes that may be needed following the removal of	6	* Document sshd_config changes that may be needed following the removal of
7	protocol 1 support from sshd (closes: #851573).	7	protocol 1 support from sshd (closes: #851573).
		8	* Remove ssh_host_dsa_key from HostKey default (closes: #850614).
8		9
9	-- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000	10	-- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000
10		11


diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch new file mode 100644 index 000000000..cd5bd34a4 --- /dev/null +++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
		1	From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Mon, 16 Jan 2017 13:53:04 +0000
		4	Subject: Remove ssh_host_dsa_key from HostKey default
		5
		6	The client no longer accepts DSA host keys, and servers using the
		7	default HostKey setting should have better host keys available.
		8
		9	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
		10	Bug-Debian: https://bugs.debian.org/850614
		11	Last-Update: 2017-01-16
		12
		13	Patch-Name: no-dsa-host-key-by-default.patch
		14	---
		15	servconf.c \| 2 --
		16	sshd.8 \| 7 +++----
		17	sshd_config \| 1 -
		18	sshd_config.5 \| 7 +++----
		19	4 files changed, 6 insertions(+), 11 deletions(-)
		20
		21	diff --git a/servconf.c b/servconf.c
		22	index 1cee3d6c..202c4506 100644
		23	--- a/servconf.c
		24	+++ b/servconf.c
		25	@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
		26	/* fill default hostkeys for protocols */
		27	options->host_key_files[options->num_host_key_files++] =
		28	_PATH_HOST_RSA_KEY_FILE;
		29	- options->host_key_files[options->num_host_key_files++] =
		30	- _PATH_HOST_DSA_KEY_FILE;
		31	#ifdef OPENSSL_HAS_ECC
		32	options->host_key_files[options->num_host_key_files++] =
		33	_PATH_HOST_ECDSA_KEY_FILE;
		34	diff --git a/sshd.8 b/sshd.8
		35	index 38a72540..e8f1fde8 100644
		36	--- a/sshd.8
		37	+++ b/sshd.8
		38	@@ -167,11 +167,10 @@ This option must be given if
		39	is not run as root (as the normal
		40	host key files are normally not readable by anyone but root).
		41	The default is
		42	-.Pa /etc/ssh/ssh_host_dsa_key ,
		43	-.Pa /etc/ssh/ssh_host_ecdsa_key ,
		44	-.Pa /etc/ssh/ssh_host_ed25519_key
		45	+.Pa /etc/ssh/ssh_host_rsa_key ,
		46	+.Pa /etc/ssh/ssh_host_ecdsa_key
		47	and
		48	-.Pa /etc/ssh/ssh_host_rsa_key .
		49	+.Pa /etc/ssh/ssh_host_ed25519_key .
		50	It is possible to have multiple host key files for
		51	the different host key algorithms.
		52	.It Fl i
		53	diff --git a/sshd_config b/sshd_config
		54	index 13cbe2c6..4aea6c72 100644
		55	--- a/sshd_config
		56	+++ b/sshd_config
		57	@@ -16,7 +16,6 @@
		58	#ListenAddress ::
		59
		60	#HostKey /etc/ssh/ssh_host_rsa_key
		61	-#HostKey /etc/ssh/ssh_host_dsa_key
		62	#HostKey /etc/ssh/ssh_host_ecdsa_key
		63	#HostKey /etc/ssh/ssh_host_ed25519_key
		64
		65	diff --git a/sshd_config.5 b/sshd_config.5
		66	index 703a9cdd..8f8fbb66 100644
		67	--- a/sshd_config.5
		68	+++ b/sshd_config.5
		69	@@ -733,11 +733,10 @@ is not to load any certificates.
		70	Specifies a file containing a private host key
		71	used by SSH.
		72	The defaults are
		73	-.Pa /etc/ssh/ssh_host_dsa_key ,
		74	-.Pa /etc/ssh/ssh_host_ecdsa_key ,
		75	-.Pa /etc/ssh/ssh_host_ed25519_key
		76	+.Pa /etc/ssh/ssh_host_rsa_key ,
		77	+.Pa /etc/ssh/ssh_host_ecdsa_key
		78	and
		79	-.Pa /etc/ssh/ssh_host_rsa_key .
		80	+.Pa /etc/ssh/ssh_host_ed25519_key .
		81	.Pp
		82	Note that
		83	.Xr sshd 8


diff --git a/debian/patches/series b/debian/patches/series index 7edc511b8..6eae81080 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
28	regress-forwarding-race.patch	28	regress-forwarding-race.patch
29	regress-mktemp.patch	29	regress-mktemp.patch
30	sandbox-x32-workaround.patch	30	sandbox-x32-workaround.patch
		31	no-dsa-host-key-by-default.patch


diff --git a/servconf.c b/servconf.c index 1cee3d6c2..202c45066 100644 --- a/servconf.c +++ b/servconf.c
@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
204	/* fill default hostkeys for protocols */	204	/* fill default hostkeys for protocols */
205	options->host_key_files[options->num_host_key_files++] =	205	options->host_key_files[options->num_host_key_files++] =
206	_PATH_HOST_RSA_KEY_FILE;	206	_PATH_HOST_RSA_KEY_FILE;
207	options->host_key_files[options->num_host_key_files++] =
208	_PATH_HOST_DSA_KEY_FILE;
209	#ifdef OPENSSL_HAS_ECC	207	#ifdef OPENSSL_HAS_ECC
210	options->host_key_files[options->num_host_key_files++] =	208	options->host_key_files[options->num_host_key_files++] =
211	_PATH_HOST_ECDSA_KEY_FILE;	209	_PATH_HOST_ECDSA_KEY_FILE;


diff --git a/sshd.8 b/sshd.8 index 38a72540d..e8f1fde8c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -167,11 +167,10 @@ This option must be given if
167	is not run as root (as the normal	167	is not run as root (as the normal
168	host key files are normally not readable by anyone but root).	168	host key files are normally not readable by anyone but root).
169	The default is	169	The default is
170	.Pa /etc/ssh/ssh_host_dsa_key ,	170	.Pa /etc/ssh/ssh_host_rsa_key ,
171	.Pa /etc/ssh/ssh_host_ecdsa_key ,	171	.Pa /etc/ssh/ssh_host_ecdsa_key
172	.Pa /etc/ssh/ssh_host_ed25519_key
173	and	172	and
174	.Pa /etc/ssh/ssh_host_rsa_key .	173	.Pa /etc/ssh/ssh_host_ed25519_key .
175	It is possible to have multiple host key files for	174	It is possible to have multiple host key files for
176	the different host key algorithms.	175	the different host key algorithms.
177	.It Fl i	176	.It Fl i


diff --git a/sshd_config b/sshd_config index 13cbe2c66..4aea6c729 100644 --- a/sshd_config +++ b/sshd_config
@@ -16,7 +16,6 @@
16	#ListenAddress ::	16	#ListenAddress ::
17		17
18	#HostKey /etc/ssh/ssh_host_rsa_key	18	#HostKey /etc/ssh/ssh_host_rsa_key
19	#HostKey /etc/ssh/ssh_host_dsa_key
20	#HostKey /etc/ssh/ssh_host_ecdsa_key	19	#HostKey /etc/ssh/ssh_host_ecdsa_key
21	#HostKey /etc/ssh/ssh_host_ed25519_key	20	#HostKey /etc/ssh/ssh_host_ed25519_key
22		21


diff --git a/sshd_config.5 b/sshd_config.5 index 703a9cddc..8f8fbb66d 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -733,11 +733,10 @@ is not to load any certificates.
733	Specifies a file containing a private host key	733	Specifies a file containing a private host key
734	used by SSH.	734	used by SSH.
735	The defaults are	735	The defaults are
736	.Pa /etc/ssh/ssh_host_dsa_key ,	736	.Pa /etc/ssh/ssh_host_rsa_key ,
737	.Pa /etc/ssh/ssh_host_ecdsa_key ,	737	.Pa /etc/ssh/ssh_host_ecdsa_key
738	.Pa /etc/ssh/ssh_host_ed25519_key
739	and	738	and
740	.Pa /etc/ssh/ssh_host_rsa_key .	739	.Pa /etc/ssh/ssh_host_ed25519_key .
741	.Pp	740	.Pp
742	Note that	741	Note that
743	.Xr sshd 8	742	.Xr sshd 8