omniti-labs / omnios-build

Build system for OmniOS - Note, this is a quasi-private archive for OmniTI, you probably want https://omniosce.org

remove joyent's openssh DSA key patch #82

Closed lotheac closed 8 years ago

lotheac commented 8 years ago

I really disagree with DSA keys being enabled by default, but more importantly than my opinion, the 0028 patch also has an unintended side effect: it also modifies the defaults for HostkeyAlgorithms and HostbasedKeytypes in the client, without documenting that. Observe the defaults when it is applied:

% ssh -F /dev/null -G localhost|grep ssh-dss
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss

And when it isn't:

% ssh -F /dev/null -G localhost|grep ssh-dss
%
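Added example, not from the pull request or the omnios-build repository: a small checker that parses the `option value` lines printed by `ssh -F /dev/null -G <host>` and reports which list-valued options still carry ssh-dss (including the ssh-dss certificate type). The `ssh -G` text below is a constructed, shortened sample in the shape of the output quoted above; in real use the text would come from running the command.

```python
"""Flag ssh-dss in the effective OpenSSH client defaults shown by `ssh -G`.

Added example (not code from the PR or the project). Parses `ssh -G` output,
which prints one `option value` pair per line, and lists every algorithm-list
option that still contains a weak key type.
"""
from typing import Dict, List, Tuple

# Constructed sample of `ssh -G` output with the 0028 patch applied: the two
# host key lists end in ssh-dss, the pubkey list does not.
SAMPLE_SSH_G_OUTPUT = """\
user alice
hostname localhost
port 22
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa,ssh-dss
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa,ssh-dss
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
"""

# Constructed sample without the patch: no ssh-dss anywhere.
SAMPLE_SSH_G_OUTPUT_NO_DSS = """\
user alice
hostname localhost
port 22
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
"""

# Client options whose value is a comma-separated algorithm list.
LIST_OPTIONS = {
    "hostkeyalgorithms",
    "hostbasedkeytypes",
    "pubkeyacceptedkeytypes",
    "kexalgorithms",
    "ciphers",
    "macs",
}


def parse_ssh_g(text: str) -> Dict[str, str]:
    """Turn `ssh -G` output into {option: value}; option names are lowercased."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)          # value may itself contain spaces
        option = parts[0].lower()
        config[option] = parts[1] if len(parts) > 1 else ""
    return config


def weak_entries(config: Dict[str, str],
                 weak_prefixes: Tuple[str, ...] = ("ssh-dss",)) -> Dict[str, List[str]]:
    """Return {option: [weak algorithms]} for each list option containing a weak type.

    Prefix matching means ssh-dss-cert-v01@openssh.com is caught as well as ssh-dss.
    """
    findings: Dict[str, List[str]] = {}
    for option in sorted(LIST_OPTIONS):
        value = config.get(option)
        if not value:
            continue
        hits = [alg for alg in value.split(",") if alg.startswith(weak_prefixes)]
        if hits:
            findings[option] = hits
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per offending option, empty if the defaults are clean."""
    return [f"{opt}: {', '.join(algs)}"
            for opt, algs in weak_entries(parse_ssh_g(text)).items()]


if __name__ == "__main__":
    # Real use would feed in subprocess output from:
    #   ssh -F /dev/null -G localhost
    for line in report(SAMPLE_SSH_G_OUTPUT) or ["no weak key types in client defaults"]:
        print(line)
```

Because `ssh -G` prints the fully resolved configuration, the same checker works against a build's patched binary and against `/dev/null` or a candidate config file, which is a quick way to confirm that a patch like 0028 has not quietly changed defaults it did not document.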
lotheac commented 8 years ago

Another point I should make is that while it's easy to augment the default key types for several configuration options with e.g. PubkeyAcceptedkeytypes=+ssh-dss, there is no similarly easy way to remove some defaults. This, IMO, makes it a much better choice to drop this patch and, if it's really desired, ship a default config file which uses +ssh-dss for the desired options.

danmcd commented 8 years ago

Have you confirmed that the package update behavior after this change isn't somehow screwy? It's my only (small) concern about taking this. Also note: I did not take a Joyent patch to change /etc/ssh/sshd_config because we already had one. Should we alter sshd_config.patch as part of this wad?

lotheac commented 8 years ago

On Fri, Mar 04 2016 07:26:27 -0800, Dan McDonald wrote:

Have you confirmed that the package update behavior after this change isn't somehow screwy? It's my only (small) concern about taking this.

I don't know why it would be. pkg update works just fine.

Also note: I did not take a Joyent patch to change /etc/ssh/sshd_config because we already had one. Should we alter sshd_config.patch as part of this wad?

I don't think so, because I don't believe enabling ssh-dss by default is a good idea. Note that before you pulled in the bulk of Joyent's patches you were already shipping an OpenSSH that had disabled dss algos.

Lauri Tirkkonen | lotheac @ IRCnet

danmcd commented 8 years ago

Will take. This also means I have to re-re-update 014 & 016 too.

lotheac commented 8 years ago

On Fri, Mar 04 2016 07:57:07 -0800, Dan McDonald wrote:

Will take. This also means I have to re-re-update 014 & 016 too.

Heh, sorry :) and thanks!

Lauri Tirkkonen | lotheac @ IRCnet