From patchwork Mon Dec 9 11:37:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8312 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y6KbT1G8fz3wfS for ; Mon, 9 Dec 2024 11:37:25 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6KbQ5X8HzrX; Mon, 9 Dec 2024 11:37:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y6KbQ3Mpmz3498; Mon, 9 Dec 2024 11:37:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y6KbM6Z3Fz30B8 for ; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6KbM318nzJD; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4Y6KbM1t07zTgnX; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/2] OpenSSH: No longer try to load the RSA key Date: Mon, 9 Dec 2024 11:37:10 +0000 Message-Id: <20241209113711.2684032-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 Message-ID-Hash: SKJO2N5NMJ7TN7EUX6PVEY2EQMCCBWL2 X-Message-ID-Hash: SKJO2N5NMJ7TN7EUX6PVEY2EQMCCBWL2 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This key has been removed on new installations. Signed-off-by: Michael Tremer --- config/ssh/sshd_config | 1 - 1 file changed, 1 deletion(-) diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index e338f8cef..09d771b9a 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -27,7 +27,6 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op # Only allow cryptographically safe SSH host keys (adjust paths if needed) HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_rsa_key # Only allow login via public key by default PubkeyAuthentication yes From patchwork Mon Dec 9 11:37:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8313 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y6KbV6Fldz3wfS for ; Mon, 9 Dec 2024 11:37:26 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6KbR0h1Gz3gL; Mon, 9 Dec 2024 11:37:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y6KbQ5Wjnz30B8; Mon, 9 Dec 2024 11:37:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y6KbM702Fz30B8 for ; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6KbM4TGhzrX; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4Y6KbM1zrkzTgPp; Mon, 9 Dec 2024 11:37:19 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/2] core190: Load SSH RSA key on legacy systems Date: Mon, 9 Dec 2024 11:37:11 +0000 Message-Id: <20241209113711.2684032-2-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241209113711.2684032-1-michael.tremer@ipfire.org> References: <20241209113711.2684032-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: ACGUB5Z7S3TB3M4IWSUEOM6DHZBOMQMB X-Message-ID-Hash: ACGUB5Z7S3TB3M4IWSUEOM6DHZBOMQMB X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- config/rootfiles/core/190/update.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/rootfiles/core/190/update.sh b/config/rootfiles/core/190/update.sh index 16ef608e2..3950ba903 100644 --- a/config/rootfiles/core/190/update.sh +++ b/config/rootfiles/core/190/update.sh @@ -104,6 +104,14 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup +# Load the RSA key on systems that still have one +if [ -e "/etc/ssh/ssh_host_rsa_key" ]; then + ( + echo "# Load the legacy RSA key - Deprecated in Core Update 190" + echo "HostKey /etc/ssh/ssh_host_rsa_key" + ) > /etc/ssh/sshd_config.d/rsa.conf +fi + # Apply local configuration to sshd_config /usr/local/bin/sshctrl