Remove ssh_host_dsa_key from HostKey default (closes: #850614).

author: Colin Watson <cjwatson@debian.org> 2017-01-16 13:58:16 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-01-16 13:58:19 +0000
commit: d85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch)
tree: 1407b12337b607c2191922f7729c18132b6438bd /debian
parent: fb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff)
parent: 79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff)
4 files changed, 87 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 53fbcd41e..6f9925b66 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e346421ca6852fbf9f95cf0e764ecc345e5ce21d
+79d4110c92f82de854b10b2d96df9daaaaeaec3a
-e346421ca6852fbf9f95cf0e764ecc345e5ce21d
+79d4110c92f82de854b10b2d96df9daaaaeaec3a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index a7a936707..a65e90c78 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium
    gone.
  * Document sshd_config changes that may be needed following the removal of
    protocol 1 support from sshd (closes: #851573).
+  * Remove ssh_host_dsa_key from HostKey default (closes: #850614).
 -- Colin Watson <cjwatson@debian.org>  Fri, 06 Jan 2017 08:40:14 +0000
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
new file mode 100644
index 000000000..cd5bd34a4
--- /dev/null
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
+From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 16 Jan 2017 13:53:04 +0000
+Subject: Remove ssh_host_dsa_key from HostKey default
+The client no longer accepts DSA host keys, and servers using the
+default HostKey setting should have better host keys available.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
+Bug-Debian: https://bugs.debian.org/850614
+Last-Update: 2017-01-16
+Patch-Name: no-dsa-host-key-by-default.patch
+---
+ servconf.c    | 2 --
+ sshd.8        | 7 +++----
+ sshd_config   | 1 -
+ sshd_config.5 | 7 +++----
+ 4 files changed, 6 insertions(+), 11 deletions(-)
+diff --git a/servconf.c b/servconf.c
+index 1cee3d6c..202c4506 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
+                /* fill default hostkeys for protocols */
+                options->host_key_files[options->num_host_key_files++] =
+                    _PATH_HOST_RSA_KEY_FILE;
+-               options->host_key_files[options->num_host_key_files++] =
+-                   _PATH_HOST_DSA_KEY_FILE;
+ #ifdef OPENSSL_HAS_ECC
+                options->host_key_files[options->num_host_key_files++] =
+                    _PATH_HOST_ECDSA_KEY_FILE;
+diff --git a/sshd.8 b/sshd.8
+index 38a72540..e8f1fde8 100644
+--- a/sshd.8
+++ b/sshd.8
+@@ -167,11 +167,10 @@ This option must be given if
+ is not run as root (as the normal
+ host key files are normally not readable by anyone but root).
+ The default is
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
+.Pa /etc/ssh/ssh_host_rsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
+ It is possible to have multiple host key files for
+ the different host key algorithms.
+ .It Fl i
+diff --git a/sshd_config b/sshd_config
+index 13cbe2c6..4aea6c72 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -16,7 +16,6 @@
+ #ListenAddress ::
+ 
+ #HostKey /etc/ssh/ssh_host_rsa_key
+-#HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index 703a9cdd..8f8fbb66 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -733,11 +733,10 @@ is not to load any certificates.
+ Specifies a file containing a private host key
+ used by SSH.
+ The defaults are
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
+.Pa /etc/ssh/ssh_host_rsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key .
+ .Pp
+ Note that
+ .Xr sshd 8
diff --git a/debian/patches/series b/debian/patches/series
index 7edc511b8..6eae81080 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
 regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
+no-dsa-host-key-by-default.patch
author	Colin Watson <cjwatson@debian.org>	2017-01-16 13:58:16 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-01-16 13:58:19 +0000
commit	d85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch)
tree	1407b12337b607c2191922f7729c18132b6438bd /debian
parent	fb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff)
parent	79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 53fbcd41e..6f9925b66 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	e346421ca6852fbf9f95cf0e764ecc345e5ce21d	2	79d4110c92f82de854b10b2d96df9daaaaeaec3a
3	e346421ca6852fbf9f95cf0e764ecc345e5ce21d	3	79d4110c92f82de854b10b2d96df9daaaaeaec3a
4	971a7653746a6972b907dfe0ce139c06e4a6f482	4	971a7653746a6972b907dfe0ce139c06e4a6f482
5	971a7653746a6972b907dfe0ce139c06e4a6f482	5	971a7653746a6972b907dfe0ce139c06e4a6f482
6	openssh_7.4p1.orig.tar.gz	6	openssh_7.4p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index a7a936707..a65e90c78 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -5,6 +5,7 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium
5	gone.	5	gone.
6	* Document sshd_config changes that may be needed following the removal of	6	* Document sshd_config changes that may be needed following the removal of
7	protocol 1 support from sshd (closes: #851573).	7	protocol 1 support from sshd (closes: #851573).
		8	* Remove ssh_host_dsa_key from HostKey default (closes: #850614).
8		9
9	-- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000	10	-- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000
10		11


diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch new file mode 100644 index 000000000..cd5bd34a4 --- /dev/null +++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
		1	From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Mon, 16 Jan 2017 13:53:04 +0000
		4	Subject: Remove ssh_host_dsa_key from HostKey default
		5
		6	The client no longer accepts DSA host keys, and servers using the
		7	default HostKey setting should have better host keys available.
		8
		9	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
		10	Bug-Debian: https://bugs.debian.org/850614
		11	Last-Update: 2017-01-16
		12
		13	Patch-Name: no-dsa-host-key-by-default.patch
		14	---
		15	servconf.c \| 2 --
		16	sshd.8 \| 7 +++----
		17	sshd_config \| 1 -
		18	sshd_config.5 \| 7 +++----
		19	4 files changed, 6 insertions(+), 11 deletions(-)
		20
		21	diff --git a/servconf.c b/servconf.c
		22	index 1cee3d6c..202c4506 100644
		23	--- a/servconf.c
		24	+++ b/servconf.c
		25	@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
		26	/* fill default hostkeys for protocols */
		27	options->host_key_files[options->num_host_key_files++] =
		28	_PATH_HOST_RSA_KEY_FILE;
		29	- options->host_key_files[options->num_host_key_files++] =
		30	- _PATH_HOST_DSA_KEY_FILE;
		31	#ifdef OPENSSL_HAS_ECC
		32	options->host_key_files[options->num_host_key_files++] =
		33	_PATH_HOST_ECDSA_KEY_FILE;
		34	diff --git a/sshd.8 b/sshd.8
		35	index 38a72540..e8f1fde8 100644
		36	--- a/sshd.8
		37	+++ b/sshd.8
		38	@@ -167,11 +167,10 @@ This option must be given if
		39	is not run as root (as the normal
		40	host key files are normally not readable by anyone but root).
		41	The default is
		42	-.Pa /etc/ssh/ssh_host_dsa_key ,
		43	-.Pa /etc/ssh/ssh_host_ecdsa_key ,
		44	-.Pa /etc/ssh/ssh_host_ed25519_key
		45	+.Pa /etc/ssh/ssh_host_rsa_key ,
		46	+.Pa /etc/ssh/ssh_host_ecdsa_key
		47	and
		48	-.Pa /etc/ssh/ssh_host_rsa_key .
		49	+.Pa /etc/ssh/ssh_host_ed25519_key .
		50	It is possible to have multiple host key files for
		51	the different host key algorithms.
		52	.It Fl i
		53	diff --git a/sshd_config b/sshd_config
		54	index 13cbe2c6..4aea6c72 100644
		55	--- a/sshd_config
		56	+++ b/sshd_config
		57	@@ -16,7 +16,6 @@
		58	#ListenAddress ::
		59
		60	#HostKey /etc/ssh/ssh_host_rsa_key
		61	-#HostKey /etc/ssh/ssh_host_dsa_key
		62	#HostKey /etc/ssh/ssh_host_ecdsa_key
		63	#HostKey /etc/ssh/ssh_host_ed25519_key
		64
		65	diff --git a/sshd_config.5 b/sshd_config.5
		66	index 703a9cdd..8f8fbb66 100644
		67	--- a/sshd_config.5
		68	+++ b/sshd_config.5
		69	@@ -733,11 +733,10 @@ is not to load any certificates.
		70	Specifies a file containing a private host key
		71	used by SSH.
		72	The defaults are
		73	-.Pa /etc/ssh/ssh_host_dsa_key ,
		74	-.Pa /etc/ssh/ssh_host_ecdsa_key ,
		75	-.Pa /etc/ssh/ssh_host_ed25519_key
		76	+.Pa /etc/ssh/ssh_host_rsa_key ,
		77	+.Pa /etc/ssh/ssh_host_ecdsa_key
		78	and
		79	-.Pa /etc/ssh/ssh_host_rsa_key .
		80	+.Pa /etc/ssh/ssh_host_ed25519_key .
		81	.Pp
		82	Note that
		83	.Xr sshd 8


diff --git a/debian/patches/series b/debian/patches/series index 7edc511b8..6eae81080 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
28	regress-forwarding-race.patch	28	regress-forwarding-race.patch
29	regress-mktemp.patch	29	regress-mktemp.patch
30	sandbox-x32-workaround.patch	30	sandbox-x32-workaround.patch
		31	no-dsa-host-key-by-default.patch