Error message about DSA key on RHEL 7 #158

Closed
artem-sidorenko opened this Issue Jan 5, 2017 · 5 comments

@artem-sidorenko
Member

artem-sidorenko commented Jan 5, 2017

I see the following messages in the logs of RHEL 7 systems with ssh-hardening applied:

Jan  4 09:00:07 node sshd[25777]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

@atomic111 @chris-rock can we completely drop the support of DSA host key? (to remove the dsa key option from the host_key_files array)

@artem-sidorenko
Member

artem-sidorenko commented Jan 12, 2017

@atomic111 ping


Member

atomic111 commented Jan 12, 2017

@artem-sidorenko from the security point of view DSA is secure and more complex to crack than RSA. So I would still keep this. The problem is that the DSA host key is not created. Maybe we add a function to create the host keys.

@artem-sidorenko
Member

artem-sidorenko commented Jan 12, 2017

@atomic111 what do you think about this analysis and these explanations?


Member

artem-sidorenko commented Jan 12, 2017

And here is another piece: https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

Bettercrypto also does not have DSA keys (see here, page 23).

And here is the important reference to the openssh upstream on this topic.

As I understand, one of the key points is the DSA key length of 1024, and this is still the case, from the man page of ssh-keygen on ubuntu-16.04:

DSA keys must be exactly 1024 bits as specified by FIPS 186-2.

@atomic111 maybe we should consider the removal of DSA from defaults here?
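As an added example (not code from this issue or from the ssh-hardening project), a small audit that applies the two points raised above: it parses the HostKey directives out of an sshd_config, flags DSA entries (ssh-keygen caps DSA at 1024 bits), and flags entries whose key file is absent, which is the condition behind the "Could not load host key" error. The sample config, the set of present files and the function names are constructed for the demo.

```python
"""Audit HostKey directives in an sshd_config fragment."""
import os
import re
from typing import Callable, List, Tuple

# Host key types a hardening baseline should not list. DSA is capped at
# 1024 bits by ssh-keygen (FIPS 186-2), so it is flagged as weak.
WEAK_HOSTKEY_TYPES = {"dsa"}

_HOSTKEY_RE = re.compile(r"^\s*HostKey\s+(\S+)", re.IGNORECASE)
_TYPE_RE = re.compile(r"ssh_host_([a-z0-9]+)_key$")


def hostkey_paths(config_text: str) -> List[str]:
    """Return the paths of all HostKey directives, ignoring comments."""
    paths = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _HOSTKEY_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def key_type_from_path(path: str) -> str:
    """Derive the key type from the conventional ssh_host_<type>_key name."""
    m = _TYPE_RE.search(os.path.basename(path))
    return m.group(1) if m else "unknown"


def audit_hostkeys(config_text: str,
                   exists: Callable[[str], bool] = os.path.exists
                   ) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for weak types and missing key files."""
    findings = []
    for path in hostkey_paths(config_text):
        ktype = key_type_from_path(path)
        if ktype in WEAK_HOSTKEY_TYPES:
            findings.append((path, f"weak host key type {ktype}: drop this HostKey line"))
        if not exists(path):
            findings.append((path, "file missing: sshd logs 'Could not load host key'"))
    return findings


# Constructed sshd_config fragment: the DSA key is listed but never generated.
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key   # not created on this RHEL 7 host
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""
# Constructed stand-in for the filesystem, so the demo runs offline.
PRESENT_FILES = {"/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key",
                 "/etc/ssh/ssh_host_ed25519_key"}

if __name__ == "__main__":
    for path, msg in audit_hostkeys(SAMPLE_CONFIG, exists=PRESENT_FILES.__contains__):
        print(f"{path}: {msg}")
```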


Member

atomic111 commented Jan 13, 2017

@artem-sidorenko OK, the problem is not the algorithm, it is the key length, because it is more complex to solve the discrete log problem than factoring. http://digitalassets.lib.berkeley.edu/techreports/ucb/text/CSD-84-186.pdf

OK, we have no possibility to increase the key size, then we have to remove it. I agree.

artem-sidorenko added a commit to artem-forks/chef-ssh-hardening that referenced this issue Jan 14, 2017

@artem-sidorenko artem-sidorenko self-assigned this Jan 14, 2017

artem-sidorenko added a commit to artem-forks/ssh-baseline that referenced this issue Jan 14, 2017

@artem-sidorenko artem-sidorenko added this to the v2.0.0 milestone Jan 14, 2017

@atomic111 atomic111 closed this in #161 Jan 18, 2017
