public inbox for development@lists.ipfire.org
From: Adolf Belka <ahb.ipfire@gmail.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openssh: Update to 8.4p1
Date: Tue, 29 Sep 2020 15:45:08 +0200
Message-ID: <36c39f24-d742-237b-57cd-682c05e6bd43@gmail.com>
In-Reply-To: <677D18A3-D750-4801-93CA-BE4E8D3E3D79@ipfire.org>


Hi Michael,

I don't believe it will be a problem, from what I have read up on this topic.

The move to disabling the ssh-rsa signature by default is still for a future (undefined) release.

When it happens, this will not change the rsa key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for rsa keys: ssh-rsa, which is SHA1-based, and rsa-sha2-256 and rsa-sha2-512, which are both SHA2-based.

Since openssh-7.2 the sha2 signatures have been available, and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first, then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms.

If HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options.

The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure.

Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct.

Regards,

Adolf.
On 29/09/2020 10:29, Michael Tremer wrote:
> Good morning Adolf,
>
> Thank you for working on this.
>
> Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way?
>
> Best,
> -Michael
>
>> On 29 Sep 2020, at 08:21, Adolf Belka <ahb.ipfire@gmail.com> wrote:
>>
>> - Update openssh from version 8.3p1 to 8.4p1
>> 	See https://www.openssh.com/releasenotes.html
>> 	See https://www.openssh.com/portable.html#http for mirrors for source file
>> - No change to rootfiles
>> - Installed on virtual ipfire testbed and ssh connection successfully operated
>> Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
>> ---
>> lfs/openssh | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 75210060e..5143f4154 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER        = 8.3p1
>> +VER        = 8.4p1
>>
>> THISAPP    = openssh-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
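
Review bot: the VER bump in this hunk is consistent with the diffstat (one file, two lines) and with the commit message's statement that the rootfiles are unchanged, but the commit message only points at the release notes without recording what was concluded about them. Since the retiring of ssh-rsa (RSA with SHA-1) signatures is the change Michael asked about, consider adding one line to the commit message stating the outcome of this thread: with HostKeyAlgorithms left at its default, rsa-sha2-512 and rsa-sha2-256 are negotiated and existing RSA host keys keep working, so only clients that pin ssh-rsa alone in ssh_config are affected.
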
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af
>> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b
>>
>> install : $(TARGET)
>>
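
Review bot: the only integrity check touched in this hunk is `$(DL_FILE)_MD5`, and neither the hunk nor the commit message says how 8f897870404c088e4aa7d1c1c58b526b was obtained. MD5 is not collision-resistant, so this value guards against a corrupted download but not against a tarball substituted on one of the mirrors the commit message refers to; please state in the commit message that the checksum was computed from a tarball whose upstream signature was verified, and, if the lfs format allows it, consider carrying a SHA-256 value alongside the MD5 line.
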
>> -- 
>> 2.28.0
>>
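
A defender's check for the client-side failure mode described in the reply above (an ssh_config HostKeyAlgorithms line pinned to ssh-rsa alone), as an added example that is not part of this thread or of the IPFire build system. It parses the HostKeyAlgorithms setting, applies the SSH negotiation rule (first entry in the client's list that the server also offers) and reports what happens once the server stops offering ssh-rsa; the default algorithm list is an assumed, abbreviated one containing only the RSA entries, and the sample configs are constructed.

```python
import re

SHA2_RSA = {"rsa-sha2-512", "rsa-sha2-256"}
# Assumed, abbreviated client default in descending preference (the real OpenSSH
# default also lists ed25519/ecdsa entries; only the RSA ones matter here).
DEFAULT_HOSTKEY_ALGS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

def parse_hostkey_algorithms(config_text):
    """Return the HostKeyAlgorithms list from ssh_config text, or None if unset.
    Supports the '+' (append to default) and '-' (remove from default) prefixes."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)HostKeyAlgorithms\s*=?\s*(\S+)", line)
        if not m:
            continue
        value = m.group(1)
        if value.startswith("+"):
            extra = [a for a in value[1:].split(",") if a not in DEFAULT_HOSTKEY_ALGS]
            return DEFAULT_HOSTKEY_ALGS + extra
        if value.startswith("-"):
            removed = set(value[1:].split(","))
            return [a for a in DEFAULT_HOSTKEY_ALGS if a not in removed]
        return value.split(",")
    return None

def negotiate(client_algs, server_algs):
    """RFC 4253 rule: first entry in the client's list that the server also offers."""
    server = set(server_algs)
    return next((a for a in client_algs if a in server), None)

def rsa_sha1_only(algs):
    """True when RSA is only usable with the SHA-1 ssh-rsa signature, no rsa-sha2-*."""
    return "ssh-rsa" in algs and not (SHA2_RSA & set(algs))

def audit_client_config(config_text, server_algs=DEFAULT_HOSTKEY_ALGS):
    """What the client negotiates now, and after the server stops offering ssh-rsa."""
    algs = parse_hostkey_algorithms(config_text) or DEFAULT_HOSTKEY_ALGS
    future_server = [a for a in server_algs if a != "ssh-rsa"]
    return {"now": negotiate(algs, server_algs),
            "after_ssh_rsa_removed": negotiate(algs, future_server),
            "sha1_only": rsa_sha1_only(algs)}

# Constructed sample client configs (not taken from the thread).
SAMPLES = {"pinned_ssh_rsa": "Host ipfire\n  HostKeyAlgorithms ssh-rsa\n",
           "default": "Host ipfire\n  User root\n"}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_client_config(text))
```

The pinned sample negotiates ssh-rsa today and nothing at all once the server drops it, while the default sample keeps negotiating rsa-sha2-512 before and after.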

Thread overview: 5+ messages
2020-09-29  7:21 Adolf Belka
2020-09-29  8:29 ` Michael Tremer
2020-09-29 13:45   ` Adolf Belka [this message]
     [not found] <90A5E269-F041-435D-83F8-23AB30B841A4@ipfire.org>
2020-10-01 12:17 ` Adolf Belka
2020-10-02 10:15   ` Michael Tremer