On Wed, 14 May 2008 02:24:40 +0100 Colin Watson wrote: > On Wed, May 14, 2008 at 12:10:08AM +0100, Sam Morris wrote: > > Package: openssh-server > > Version: 1:4.3p2-9 > > Severity: wishlist > > > > I'd like to be able to disable the use of DSA for both host and client > > authentication.
I agree with this wishlist bug. There should be a way to disable DSA-public-key-based authentication entirely (since DSA keys can be compromised by just being *used* on a system with a broken PRNG in SSL, as explained in the recent DSA-1571-1). > > For host keys, you can just remove that host key from sshd_config. I've just done so; I commented out the following line in /etc/ssh/sshd_config on my boxes: #HostKey /etc/ssh/ssh_host_dsa_key But, even after restarting ssh, users may still log in with their DSA keys (as long as those keys are listed in their ~/.ssh/authorized_keys, obviously). I checked this by myself. On a client box C, I have ~/.ssh/id_dsa.pub and ~/.ssh/id_dsa On a server box S, I have the above id_dsa.pub inside ~/.ssh/authorized_keys On S, /etc/ssh/sshd_config only has HostKey /etc/ssh/ssh_host_rsa_key and no reference to the DSA host key. Nonetheless, if I try to log in from C to S with my non-root user, I can successfully authenticate and enter. S uses its RSA host key, but my user on C uses my DSA key and logs in happily... > It's > true that there's (as far as I know) no way to do this for user keys yet > though. I think there should be a way to configure the OpenSSH server so that it refuses DSA-public-key-based authentication, just like there's a way to disable password-based authentication. Configuring the client is no solution, since non-root users are always allowed to override system-wide OpenSSH client configuration (and there are good reasons for allowing this) and since you cannot be sure about client box configuration whenever you do not administer it. -- http://frx.netsons.org/doc/index.html#nanodocs The nano-document series is here! ..................................................... Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
pgp6xVsjVWfKb.pgp
Description: PGP signature
