[openssh-commits] [openssh] 02/02: upstream: disable the DSA signature algorithm by default; ok
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Jun 17 18:48:36 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 00eb95957dea5484b2c7c043f7d2bbc87301bef2
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Jun 17 08:30:29 2024 +0000
upstream: disable the DSA signature algorithm by default; ok
markus@
(yes, I know this expands to "the Digitial Signature Algorithm
signature algorithm)
OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
---
configure.ac | 31 +++++++++++++------------------
ssh-add.1 | 12 +++++-------
ssh-keygen.1 | 19 +++++++------------
ssh-keyscan.1 | 16 ++++------------
ssh-keysign.8 | 6 ++----
ssh.1 | 21 +++++++--------------
ssh_config.5 | 11 +++++------
sshd.8 | 9 +++------
8 files changed, 46 insertions(+), 79 deletions(-)
diff --git a/configure.ac b/configure.ac
index 717fef83..5a865f8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2078,8 +2078,12 @@ AC_ARG_WITH([security-key-builtin],
enable_dsa=
AC_ARG_ENABLE([dsa-keys],
- [ --disable-dsa-keys disable DSA key support [no]],
- [ enable_dsa="$enableval" ]
+ [ --enable-dsa-keys enable DSA key support [no]],
+ [
+ if test "x$enableval" != "xno" ; then
+ enable_dsa=1
+ fi
+ ]
)
AC_SEARCH_LIBS([dlopen], [dl])
@@ -3188,8 +3192,9 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
]
)
+
openssl_dsa=no
- if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
+ if test ! -z "$enable_dsa" ; then
AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
[ openssl_dsa=yes ],
@@ -3199,22 +3204,12 @@ if test "x$openssl" = "xyes" ; then
[ #include <openssl/opensslconf.h> ]
)
AC_MSG_CHECKING([whether to enable DSA key support])
- if test -z "$enable_dsa"; then
- if test "x$openssl_dsa" = "xno"; then
- AC_MSG_RESULT([not supported by OpenSSL])
- else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_DSA], [1],
- [DSA keys enabled by default])
- fi
+ if test "x$openssl_dsa" = "xno"; then
+ AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
else
- if test "x$openssl_dsa" = "xno"; then
- AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
- else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_DSA], [1],
- [DSA keys explicitly enabled])
- fi
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([WITH_DSA], [1],
+ [DSA keys explicitly enabled])
fi
fi
fi
diff --git a/ssh-add.1 b/ssh-add.1
index 290ba91d..c31de4dd 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
+.\" $OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo at cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 19 2023 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@@ -67,10 +67,9 @@ When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk ,
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
After loading a private key,
.Nm
will try to load corresponding certificate information from the
@@ -314,13 +313,12 @@ the built-in USB HID support.
.El
.Sh FILES
.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_ed25519_sk
.It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA authentication identity of the user.
.El
.Pp
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c392141e..836c450e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.231 2024/06/17 08:30:29 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo at cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 4 2023 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -51,7 +51,7 @@
.Op Fl m Ar format
.Op Fl N Ar new_passphrase
.Op Fl O Ar option
-.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
.Op Fl w Ar provider
.Op Fl Z Ar cipher
.Nm ssh-keygen
@@ -205,7 +205,6 @@ section for details.
Normally each user wishing to use SSH
with public key authentication runs this once to create the authentication
key in
-.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
.Pa ~/.ssh/id_ed25519 ,
@@ -414,9 +413,8 @@ section.
Prints the contents of one or more certificates.
.It Fl l
Show fingerprint of specified public key file.
-For RSA and DSA keys
.Nm
-tries to find the matching public key file and prints its fingerprint.
+will try to find the matching public key file and prints its fingerprint.
If combined with
.Fl v ,
a visual ASCII art representation of the key is supplied with the
@@ -579,10 +577,9 @@ by key ID or serial number.
See the
.Sx KEY REVOCATION LISTS
section for details.
-.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Specifies the type of key to create.
The possible values are
-.Dq dsa ,
.Dq ecdsa ,
.Dq ecdsa-sk ,
.Dq ed25519 ,
@@ -1290,13 +1287,12 @@ the built-in USB HID support.
.El
.Sh FILES
.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_ed25519_sk
.It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@@ -1308,13 +1304,12 @@ but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.Pp
-.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
.It Pa ~/.ssh/id_ecdsa_sk.pub
.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_ed25519_sk.pub
.It Pa ~/.ssh/id_rsa.pub
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA public key for authentication.
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index df4fb6ca..79cef300 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.51 2024/06/14 05:20:34 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: June 14 2024 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -130,7 +130,6 @@ The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
-.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
@@ -138,14 +137,7 @@ The possible values are
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
-The default is to fetch
-.Dq rsa ,
-.Dq ecdsa ,
-.Dq ed25519 ,
-.Dq ecdsa-sk ,
-and
-.Dq ed25519-sk
-keys.
+The default is to fetch all the above key types.
.It Fl v
Verbose mode:
print debugging messages about progress.
@@ -177,7 +169,7 @@ Find all hosts from the file
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
-$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
+$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 6b4b9b27..3b4d35b0 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.18 2024/06/17 08:30:29 djm Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
@@ -61,7 +61,6 @@ Controls whether
.Nm
is enabled.
.Pp
-.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
@@ -73,7 +72,6 @@ Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
.Pp
-.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
diff --git a/ssh.1 b/ssh.1
index 61a154c2..6b5bb0e0 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.440 2024/05/26 20:35:12 naddy Exp $
-.Dd $Mdocdate: May 26 2024 $
+.\" $OpenBSD: ssh.1,v 1.441 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH 1
.Os
.Sh NAME
@@ -304,10 +304,9 @@ The default is
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
Identity files may also be specified on
a per-host basis in the configuration file.
It is possible to have multiple
@@ -929,10 +928,10 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
-using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
+using one of the ECDSA, Ed25519 or RSA algorithms.
The HISTORY section of
.Xr ssl 8
-contains a brief discussion of the DSA and RSA algorithms.
+contains a brief discussion of the RSA and ECDSA algorithms.
.Pp
The file
.Pa ~/.ssh/authorized_keys
@@ -959,8 +958,6 @@ flag).
The user creates their key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
-.Pa ~/.ssh/id_dsa
-(DSA),
.Pa ~/.ssh/id_ecdsa
(ECDSA),
.Pa ~/.ssh/id_ecdsa_sk
@@ -973,8 +970,6 @@ or
.Pa ~/.ssh/id_rsa
(RSA)
and stores the public key in
-.Pa ~/.ssh/id_dsa.pub
-(DSA),
.Pa ~/.ssh/id_ecdsa.pub
(ECDSA),
.Pa ~/.ssh/id_ecdsa_sk.pub
@@ -1556,7 +1551,7 @@ secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+Lists the public keys (ECDSA, Ed25519, RSA)
that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
@@ -1576,7 +1571,6 @@ Contains additional definitions for environment variables; see
.Sx ENVIRONMENT ,
above.
.Pp
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
@@ -1592,7 +1586,6 @@ It is possible to specify a passphrase when
generating the key which will be used to encrypt the
sensitive part of this file using AES-128.
.Pp
-.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
.It Pa ~/.ssh/id_ecdsa_sk.pub
.It Pa ~/.ssh/id_ed25519.pub
diff --git a/ssh_config.5 b/ssh_config.5
index 0f8dddcb..2e190228 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.395 2024/06/14 05:01:22 djm Exp $
-.Dd $Mdocdate: June 14 2024 $
+.\" $OpenBSD: ssh_config.5,v 1.396 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1114,7 +1114,7 @@ section and environment variables as described in the
.Sx ENVIRONMENT VARIABLES
section.
.It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
+Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA,
Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
You can also specify a public key file to use the corresponding
private key that is loaded in
@@ -1124,10 +1124,9 @@ The default is
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
Additionally, any identities represented by the authentication agent
will be used for authentication unless
.Cm IdentitiesOnly
diff --git a/sshd.8 b/sshd.8
index 73d5e923..c0f095ca 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
-.Dd $Mdocdate: September 19 2023 $
+.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -465,8 +465,6 @@ sk-ssh-ed25519 at openssh.com
.It
ssh-ed25519
.It
-ssh-dss
-.It
ssh-rsa
.El
.Pp
@@ -477,7 +475,6 @@ Note that lines in this file can be several hundred bytes long
(because of the size of the public key encoding) up to a limit of
8 kilobytes, which permits RSA keys up to 16 kilobits.
You don't want to type them in; instead, copy the
-.Pa id_dsa.pub ,
.Pa id_ecdsa.pub ,
.Pa id_ecdsa_sk.pub ,
.Pa id_ed25519.pub ,
@@ -881,7 +878,7 @@ secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+Lists the public keys (ECDSA, Ed25519, RSA)
that can be used for logging in as this user.
The format of this file is described above.
The content of the file is not highly sensitive, but the recommended
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list