| Message ID | 20200929072130.2557-1-ahb.ipfire@gmail.com |
|---|---|
| State | Accepted |
| Commit | 13e20ecfc5855b39ddcd48f8cd1932aa5a9b1d54 |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4C0rRg4kjNz3wh7 for <patchwork@web04.haj.ipfire.org>; Tue, 29 Sep 2020 07:21:51 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4C0rRf14L3zy3; Tue, 29 Sep 2020 07:21:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4C0rRb5dQcz2xyg; Tue, 29 Sep 2020 07:21:47 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4C0rRY6TgHz2xb8 for <development@lists.ipfire.org>; Tue, 29 Sep 2020 07:21:45 +0000 (UTC) Received: from smtpq3.tb.mail.iss.as9143.net (smtpq3.tb.mail.iss.as9143.net [212.54.42.166]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4C0rRY16QQzkX for <development@lists.ipfire.org>; Tue, 29 Sep 2020 07:21:45 +0000 (UTC) Received: from [212.54.42.137] (helo=smtp6.tb.mail.iss.as9143.net) by smtpq3.tb.mail.iss.as9143.net with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ahb.ipfire@gmail.com>) id 1kN9xI-0008OA-BH; Tue, 29 Sep 2020 09:21:44 +0200 Received: from j103033.upc-j.chello.nl ([24.132.103.33] helo=rhea.saturn.pimb.org) by smtp6.tb.mail.iss.as9143.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <ahb.ipfire@gmail.com>) id 1kN9xI-007zg3-1Z; Tue, 29 Sep 2020 09:21:44 +0200 Received: from hyperion.saturn.pimb.org (hyperion.saturn.pimb.org [192.168.26.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by rhea.saturn.pimb.org (Postfix) with ESMTPSA id 9F5263EF3; Tue, 29 Sep 2020 09:21:43 +0200 (CEST) From: Adolf Belka <ahb.ipfire@gmail.com> To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to 8.4p1 Date: Tue, 29 Sep 2020 09:21:30 +0200 Message-Id: <20200929072130.2557-1-ahb.ipfire@gmail.com> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SourceIP: 24.132.103.33 X-Authenticated-Sender: adolf.belka@ziggo.nl (via SMTP) X-Ziggo-spambar: / X-Ziggo-spamscore: 0.0 X-Ziggo-spamreport: CMAE Analysis: v=2.4 cv=UZjv9IeN c=1 sm=1 tr=0 ts=5f72e088 a=N0UC3/faf55XGTeY5t7zSQ==:17 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=x7bEGLp0ZPQA:10 a=6yxbeI8x3IIA:10 a=reM5J-MqmosA:10 a=HU1OPnRnAAAA:8 a=pGLkceISAAAA:8 a=-q4y4HN9RXFjcTranzUA:9 a=Cil3w7wJrOMA:10 a=kH67KiNFCS4A:10 a=y4ddQsrDJA4A:10 a=d7copeL2nTEA:10 a=vQ5cN67eHy2kcvnFvKcb:22 X-Ziggo-Spam-Status: No X-Spam-Status: No X-Spam-Flag: No ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1601364105; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=8zhR5gLI46U7clvFRtTAj7tE5WfmkfwyObHgSeVhuwo=; b=B/BR2xa8QQNU/jeY+IXygvzTQBZEUS+nu3C7T/ctxfm9c0LXQk4XgV8eqZ9J2speH3Hvri MgnJdmj4D0iy28pC0cpYM83mDhrLUn27vePCNK21Q7Vi3sIbfa7jdeaODmc2JMFpr2Jq+3 gO+6AuaM4oSR86Ufvw1RsssosZMeV11xDin4TTKyll0SE+H0qwgsVn29TdCbAUm/ymjwBA UA6OA1EfCoSvsdBkmIYlQVOCXxy/hsitrF5X0rCYAZ0dT23cxhgNDPlktT8ZS4Wjb1QR5k axralen/UtNaF+3mfYVgMzMl5sxzFoxGoNEzRGBurgLD6jdfc/3QEFgC0aDbNw== ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1601364105; a=rsa-sha256; cv=none; b=Cy5SGEYXhsS2vVoxkdpuI+G3TeOT6ONQeTRSTvLBtPVbGb0U5qh+eNP/BzmIcKI8Hm+W99 pRhtgfsFI/GpEs4XGimvwgn0Cms6sWqjL6bHAA/AtM1JQQdDwdcJhhRJ2osWzjS9PWGcVP qWmfr2WA0A2hOgInOzq+0G5vU1KlEbi0SsTNPt9bJ9vqQHiFowMe4VT+T2GfJTIFN+lX+e 7GQP6+5tHCCEyQ5qOdH+VVXe0H62fKkgSE86paj938Un0WtLn9BnGNARR/qKv1aSpPlUuV Caffk+6m+ktTKBQdrpF37YcaCWB9S/YiZwR2ywgLzW8isQoU5cWB2x11ZCp2pw== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=none; spf=softfail (mail01.ipfire.org: 212.54.42.166 is neither permitted nor denied by domain of ahbipfire@gmail.com) smtp.mailfrom=ahbipfire@gmail.com Authentication-Results: mail01.ipfire.org; dkim=none; dmarc=fail reason="No valid SPF, No valid DKIM" header.from=gmail.com (policy=none); spf=softfail (mail01.ipfire.org: 212.54.42.166 is neither permitted nor denied by domain of ahbipfire@gmail.com) smtp.mailfrom=ahbipfire@gmail.com X-Rspamd-Queue-Id: 4C0rRY16QQzkX X-Spamd-Result: default: False [-0.06 / 11.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; R_MISSING_CHARSET(2.50)[]; RWL_MAILSPIKE_GOOD(0.00)[212.54.42.166:from]; ARC_SIGNED(0.00)[i=1]; BROKEN_CONTENT_TYPE(1.50)[]; R_SPF_SOFTFAIL(0.00)[~all]; RCVD_COUNT_THREE(0.00)[4]; RCPT_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:33915, ipnet:212.54.32.0/20, country:NL]; R_DKIM_NA(0.00)[]; HAS_X_AS(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[212.54.42.166:from]; TAGGED_FROM(0.00)[]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; BAYES_HAM(-3.00)[99.99%]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RECEIVED_SPAMHAUS_PBL(0.00)[24.132.103.33:received]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM(-0.97)[-0.967]; IP_REPUTATION_SPAM(0.01)[asn: 33915(0.00), country: NL(0.01), ip: 212.54.42.166(0.00)]; FREEMAIL_CC(0.00)[gmail.com]; RCVD_TLS_ALL(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none] X-Rspamd-Server: mail01.haj.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
openssh: Update to 8.4p1
|
|
Commit Message
Adolf Belka
Sept. 29, 2020, 7:21 a.m. UTC
- Update openssh from version 8.3p1 to 8.4p1
See https://www.openssh.com/releasenotes.html
See https://www.openssh.com/portable.html#http for mirrors for source file
- No change to rootfiles
- Installed on virtual ipfire testbed and ssh connection successfully operated
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
---
lfs/openssh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Good morning Adolf, Thank you for working on this. Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way? Best, -Michael > On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote: > > - Update openssh from version 8.3p1 to 8.4p1 > See https://www.openssh.com/releasenotes.html > See https://www.openssh.com/portable.html#http for mirrors for source file > - No change to rootfiles > - Installed on virtual ipfire testbed and ssh connection successfully operated > Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> > --- > lfs/openssh | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/openssh b/lfs/openssh > index 75210060e..5143f4154 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -24,7 +24,7 @@ > > include Config > > -VER = 8.3p1 > +VER = 8.4p1 > > THISAPP = openssh-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af > +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b > > install : $(TARGET) > > -- > 2.28.0 >
Hi Michael, I don't believe it will be a problem from what I have read up about on this topic. The move to disabling the ssh-rsa signature by default is still for a future (undefined) release. When it happens this will not change the rsa key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for rsa keys, ssh-rsa which is SHA1 based and rsa-sha2-256 and rsa-sha2-512 which are both SHA2 based. Since openssh-7.2 the sha2 signatures have been available and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms. If the HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options. The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure. Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct. Regards, Adolf. On 29/09/2020 10:29, Michael Tremer wrote: > Good morning Adolf, > > Thank you for working on this. > > Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way? > > Best, > -Michael > >> On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote: >> >> - Update openssh from version 8.3p1 to 8.4p1 >> See https://www.openssh.com/releasenotes.html >> See https://www.openssh.com/portable.html#http for mirrors for source file >> - No change to rootfiles >> - Installed on virtual ipfire testbed and ssh connection successfully operated >> Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> >> --- >> lfs/openssh | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/lfs/openssh b/lfs/openssh >> index 75210060e..5143f4154 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh >> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER = 8.3p1 >> +VER = 8.4p1 >> >> THISAPP = openssh-$(VER) >> DL_FILE = $(THISAPP).tar.gz >> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >> >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af >> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b >> >> install : $(TARGET) >> >> -- >> 2.28.0 >>
Hey Adolf, > On 29 Sep 2020, at 14:45, Adolf Belka <ahb.ipfire@gmail.com> wrote: > > Hi Michael, > > I don't believe it will be a problem from what I have read up about on this topic. Very good to hear. > The move to disabling the ssh-rsa signature by default is still for a future (undefined) release. I do not think that we can generally disable RSA for SSH. There are simply too many tools out there that do not support elliptic curve cryptography at all. > When it happens this will not change the rsa key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for rsa keys, ssh-rsa which is SHA1 based and rsa-sha2-256 and rsa-sha2-512 which are both SHA2 based. > > Since openssh-7.2 the sha2 signatures have been available and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms. > > If the HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options. We do not explicitly change this anywhere on IPFire. > The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure. People who have that deliberately disabled probably have other issues. I am more worries about people who run clients that don’t support the newer ones. We will see. We cannot stop progress for a couple of people who do not update their systems for forever. > Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct. I double checked. This looks very good. Thank you for looking into this at this depth. Good job! -Michael > > Regards, > > Adolf. > > > On 29/09/2020 10:29, Michael Tremer wrote: >> Good morning Adolf, >> >> Thank you for working on this. >> >> Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way? >> >> Best, >> -Michael >> >>> On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote: >>> >>> - Update openssh from version 8.3p1 to 8.4p1 >>> See https://www.openssh.com/releasenotes.html >>> See https://www.openssh.com/portable.html#http for mirrors for source file >>> - No change to rootfiles >>> - Installed on virtual ipfire testbed and ssh connection successfully operated >>> Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> >>> --- >>> lfs/openssh | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/lfs/openssh b/lfs/openssh >>> index 75210060e..5143f4154 100644 >>> --- a/lfs/openssh >>> +++ b/lfs/openssh >>> @@ -24,7 +24,7 @@ >>> >>> include Config >>> >>> -VER = 8.3p1 >>> +VER = 8.4p1 >>> >>> THISAPP = openssh-$(VER) >>> DL_FILE = $(THISAPP).tar.gz >>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af >>> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b >>> >>> install : $(TARGET) >>> >>> -- >>> 2.28.0 >>>
Hallo everyone, Just to be certain on this important topic, I did a trawl through the openssh email archive on the deprecation and found quite a bit of communication which has been able to clarify and confirm things. - The deprecation notice is related to the key signature algorithm, not the key type. - The string ssh-rsa is used as both a key type name in authorized_keys and as a key signature algorithm name. This is what has caused some confusion, the use of the same string for two very different items. - The RSA key with the string identifier ssh-rsa is not changing. So no concerns about losing RSA. Neither of the following apply to the IPFire ssh server so there is no problem for the deprecated signature algorithm for IPFire. - Openssh servers that are older than 7.4 would need to upgrade to be able to use the sha2 signature algorithms rsa-sha2-256 & rsa-sha2-512. - Openssh servers where ssh-rsa has been explicitly specified in sshd_config would need to add rsa-sha2-256 and/or rsa-sha2-512 to their list. Users of up-to-date default configured ssh clients will have no problems connecting to the IPFire ssh server and will not need to generate new keys, change their configuration or migrate to different key types. - Users with older openssh clients than 7.4 would need to upgrade to be able to use the sha2 signature algorithms rsa-sha2-256 & rsa-sha2-512. - Users that have explicitly specified ssh-rsa in their ssh_config would need to add rsa-sha2-256 and/or rsa-sha2-512 to their list. The majority of people using IPFire will not have any problems. Any that do will likely have an issue in their ssh_config files that can be easily fixed. Regards, Adolf. On 30/09/2020 15:27, Michael Tremer wrote: > Hey Adolf, > >> On 29 Sep 2020, at 14:45, Adolf Belka <ahb.ipfire@gmail.com> wrote: >> >> Hi Michael, >> >> I don't believe it will be a problem from what I have read up about on this topic. > Very good to hear. > >> The move to disabling the ssh-rsa signature by default is still for a future (undefined) release. > I do not think that we can generally disable RSA for SSH. There are simply too many tools out there that do not support elliptic curve cryptography at all. > >> When it happens this will not change the rsa key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for rsa keys, ssh-rsa which is SHA1 based and rsa-sha2-256 and rsa-sha2-512 which are both SHA2 based. >> >> Since openssh-7.2 the sha2 signatures have been available and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms. >> >> If the HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options. > We do not explicitly change this anywhere on IPFire. > >> The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure. > People who have that deliberately disabled probably have other issues. I am more worries about people who run clients that don’t support the newer ones. We will see. We cannot stop progress for a couple of people who do not update their systems for forever. > >> Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct. > I double checked. This looks very good. Thank you for looking into this at this depth. Good job! > > -Michael > >> Regards, >> >> Adolf. >> >> >> On 29/09/2020 10:29, Michael Tremer wrote: >>> Good morning Adolf, >>> >>> Thank you for working on this. >>> >>> Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way? >>> >>> Best, >>> -Michael >>> >>>> On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote: >>>> >>>> - Update openssh from version 8.3p1 to 8.4p1 >>>> See https://www.openssh.com/releasenotes.html >>>> See https://www.openssh.com/portable.html#http for mirrors for source file >>>> - No change to rootfiles >>>> - Installed on virtual ipfire testbed and ssh connection successfully operated >>>> Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> >>>> --- >>>> lfs/openssh | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/lfs/openssh b/lfs/openssh >>>> index 75210060e..5143f4154 100644 >>>> --- a/lfs/openssh >>>> +++ b/lfs/openssh >>>> @@ -24,7 +24,7 @@ >>>> >>>> include Config >>>> >>>> -VER = 8.3p1 >>>> +VER = 8.4p1 >>>> >>>> THISAPP = openssh-$(VER) >>>> DL_FILE = $(THISAPP).tar.gz >>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>> >>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>> >>>> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af >>>> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b >>>> >>>> install : $(TARGET) >>>> >>>> -- >>>> 2.28.0 >>>>
Great! Thank you for clarifying this. I will try to summarise this for the change log. -Michael > On 1 Oct 2020, at 13:17, Adolf Belka <ahb.ipfire@gmail.com> wrote: > > Hallo everyone, > > Just to be certain on this important topic, I did a trawl through the openssh email archive on the deprecation and found quite a bit of communication which has been able to clarify and confirm things. > > - The deprecation notice is related to the key signature algorithm, not the key type. > > - The string ssh-rsa is used as both a key type name in authorized_keys and as a key signature algorithm name. This is what has caused some confusion, the use of the same string for two very different items. > > - The RSA key with the string identifier ssh-rsa is not changing. So no concerns about losing RSA. > > > Neither of the following apply to the IPFire ssh server so there is no problem for the deprecated signature algorithm for IPFire. > > - Openssh servers that are older than 7.4 would need to upgrade to be able to use the sha2 signature algorithms rsa-sha2-256 & rsa-sha2-512. > > - Openssh servers where ssh-rsa has been explicitly specified in sshd_config would need to add rsa-sha2-256 and/or rsa-sha2-512 to their list. > > > Users of up-to-date default configured ssh clients will have no problems connecting to the IPFire ssh server and will not need to generate new keys, change their configuration or migrate to different key types. > > - Users with older openssh clients than 7.4 would need to upgrade to be able to use the sha2 signature algorithms rsa-sha2-256 & rsa-sha2-512. > > - Users that have explicitly specified ssh-rsa in their ssh_config would need to add rsa-sha2-256 and/or rsa-sha2-512 to their list. > > > The majority of people using IPFire will not have any problems. Any that do will likely have an issue in their ssh_config files that can be easily fixed. > > Regards, > > Adolf. > > > On 30/09/2020 15:27, Michael Tremer wrote: >> Hey Adolf, >> >>> On 29 Sep 2020, at 14:45, Adolf Belka <ahb.ipfire@gmail.com> wrote: >>> >>> Hi Michael, >>> >>> I don't believe it will be a problem from what I have read up about on this topic. >> Very good to hear. >> >>> The move to disabling the ssh-rsa signature by default is still for a future (undefined) release. >> I do not think that we can generally disable RSA for SSH. There are simply too many tools out there that do not support elliptic curve cryptography at all. >> >>> When it happens this will not change the rsa key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for rsa keys, ssh-rsa which is SHA1 based and rsa-sha2-256 and rsa-sha2-512 which are both SHA2 based. >>> >>> Since openssh-7.2 the sha2 signatures have been available and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms. >>> >>> If the HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options. >> We do not explicitly change this anywhere on IPFire. >> >>> The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure. >> People who have that deliberately disabled probably have other issues. I am more worries about people who run clients that don’t support the newer ones. We will see. We cannot stop progress for a couple of people who do not update their systems for forever. >> >>> Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct. >> I double checked. This looks very good. Thank you for looking into this at this depth. Good job! >> >> -Michael >> >>> Regards, >>> >>> Adolf. >>> >>> >>> On 29/09/2020 10:29, Michael Tremer wrote: >>>> Good morning Adolf, >>>> >>>> Thank you for working on this. >>>> >>>> Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way? >>>> >>>> Best, >>>> -Michael >>>> >>>>> On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote: >>>>> >>>>> - Update openssh from version 8.3p1 to 8.4p1 >>>>> See https://www.openssh.com/releasenotes.html >>>>> See https://www.openssh.com/portable.html#http for mirrors for source file >>>>> - No change to rootfiles >>>>> - Installed on virtual ipfire testbed and ssh connection successfully operated >>>>> Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> >>>>> --- >>>>> lfs/openssh | 4 ++-- >>>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/lfs/openssh b/lfs/openssh >>>>> index 75210060e..5143f4154 100644 >>>>> --- a/lfs/openssh >>>>> +++ b/lfs/openssh >>>>> @@ -24,7 +24,7 @@ >>>>> >>>>> include Config >>>>> >>>>> -VER = 8.3p1 >>>>> +VER = 8.4p1 >>>>> >>>>> THISAPP = openssh-$(VER) >>>>> DL_FILE = $(THISAPP).tar.gz >>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>>> >>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>> >>>>> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af >>>>> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b >>>>> >>>>> install : $(TARGET) >>>>> >>>>> -- >>>>> 2.28.0 >>>>>
diff --git a/lfs/openssh b/lfs/openssh index 75210060e..5143f4154 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 8.3p1 +VER = 8.4p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b install : $(TARGET)