debbugs OpenSSH SHA1 deprecation

help-debbugs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

debbugs OpenSSH SHA1 deprecation

From:	Bob Proulx
Subject:	debbugs OpenSSH SHA1 deprecation
Date:	Thu, 24 Feb 2022 11:25:05 -0700

Hello Debbugs Hackers,

Today I noticed I was affected by OpenSSH 8.8 deprecation of SHA1
using my Debian Sid Unstable client connecting to debbugs.  This has
been a slowly arriving problem.

OpenSSH 8.8 released last September 26, 2021 and this affected
Savannah users connecting to systems then.  Initially the bleeding
edge distributions were most affected.  Usually Debian Sid Unstable
would also have rolled to this version too but that did not happen
until the 16th so this is last week.  Which is likely to affect this
group moving forward.

The symptom here is this.

    $ ssh debbugs.gnu.org
    Unable to negotiate with 209.51.188.43 port 22: no matching host key type 
found. Their offer: ssh-rsa,ssh-dss

This is due to ssh-rsa using SHA1 and SHA1 having been deprected in
the OpenSSH 8.8 release.

And unfortunately before today there was no alternative ed25519 host
key configured.  Therefore no alternative.  (Or one would get the host
key change MITM warning described below.)

There are several mitigations possible.  This is documented both on
the Savannah wiki and in the upstream release notes.  Though the
release notes only cover one mitigation and in our case we have at
least three available.

    https://savannah.gnu.org/maintenance/SshAccess/

I recommend mitigation Number 2 described there.  Upgrade to an ssh
ed25519 key.  ED25519 keys were introduced in OpenSSH 6.5 and offers
better security with faster performance using a more compact key.
Using the ED25519 user key also enables using the ED25519 host key at
the same time.  Which is perfect!  That's an excellent upgrade for
both security and performance.

In order to enable using ed25519 keys today I created an ssh ed25519
host key on debbugs.  Which means that instead of the above message
you might get this following message.  *Only if coming from a new
OpenSSH 8.8 or later*.  Earlier clients will not see any changes since
they will still be using the previous ssh-rsa key.

    $ ssh root@debbugs.gnu.org
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ED25519 key sent by the remote host is
    SHA256:hUtvEybUXELq9EzbGybNOZticmt7S8CjIhTYBsRqjjk.
    Please contact your system administrator.
    Add correct host key in /home/bob/.ssh/known_hosts to get rid of this 
message.
    Offending RSA key in /home/bob/.ssh/known_hosts:21
      remove with:
      ssh-keygen -f "/home/bob/.ssh/known_hosts" -R "debbugs.gnu.org"
    Host key for debbugs.gnu.org has changed and you have requested strict 
checking.
    Host key verification failed.

Obviously the removal above with ssh-keygen -R works and cleans up the
file by removing the now obsolete SHA1 key that you can't ever use
again with the newer client.

Alternatively one might *add* the new key with the following.  And
then it will be validated using the newer key.

    echo 'debbugs.gnu.org ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGinfk86FhP+RvfjKhVPmD8AOa36wIzFiPRaKCuBKfJV' >> 
.ssh/known_hosts

If you don't want to change keys yet then the Number 1 mitigation
described in the SshAccess is also available.  This is the mitigation
described in the upstream release notes.  This provides for continued
use of ssh-rsa SHA1 for this site.  (And you might need this for other
sites too.  But upgrading to ed25519 I think is better all around.)

    Host debbugs.gnu.org
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

The third mitigation option available to us is to log into debbugs2p
*first* and then ssh from there to debbugs using the older ssh client
there that has not yet been upgraded and not yet deprecated SHA1.

    $ ssh debbugs2p.gnu.org
    rwp@debbugs2p:~$ sudo -i
    ... sudo stuff ... MOTD stuff ...
    root@debbugs2p:~# ssh debbugs
    root@debbugs:~#

Here are the upstream OpenSSH 8.8 release notes which describe the
SHA1 obsolescence.

    https://www.openssh.com/txt/release-8.8

I am hoping this helps to smooth over this transition.

Bob

P.S. I found this because I see that debbugs disk space is filling
up.  I will be looking at that problem later in the day.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

debbugs OpenSSH SHA1 deprecation, Bob Proulx <=

Prev by Date: Re: bug#47151: closed (Re: bug#47151: cp --recursive funky behaviour)
Next by Date: debbugs disk space and now NFS mount
Previous by thread: Re: bug#47151: closed (Re: bug#47151: cp --recursive funky behaviour)
Next by thread: debbugs disk space and now NFS mount
Index(es):
- Date
- Thread