<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/service_ssh.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-03-24T17:02:56+00:00</updated>
<entry>
<title>T8410: Fix typos and mistakes for operational and configuration commands</title>
<updated>2026-03-24T17:02:56+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-20T16:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bb2aee1e58c1cd30087b935798060e6bf3c698c8'/>
<id>urn:sha1:bb2aee1e58c1cd30087b935798060e6bf3c698c8</id>
<content type='text'>
Fix typos and mistakes in the commands and comments
No functional changes
</content>
</entry>
<entry>
<title>ssh: T8090: add support for config test mode (sshd -t)</title>
<updated>2025-12-14T17:09:40+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-12-14T17:09:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1a753ab95e68c60660d9cd5c7340b5d22a35fafa'/>
<id>urn:sha1:1a753ab95e68c60660d9cd5c7340b5d22a35fafa</id>
<content type='text'>
Add a safety-net for development to check if the rendered sshd(8) configuration
can be applied at all. If it can't be applied - throw an error.

From https://linux.die.net/man/8/sshd:
  -t    Test mode. Only check the validity of the configuration file and sanity
        of the keys. This is useful for updating sshd reliably as configuration
        options may change.

Explicitly forcing a broken config now results in:

  vyos@vyos# commit
  [ service ssh ]
  Unexpected error with SSH configuration! /run/sshd/sshd_config line 21:
  X11DisplayOffset integer value invalid.
  [[service ssh]] failed
  Commit failed
</content>
</entry>
<entry>
<title>ssh: T7839: fix warning on deprecated algorithms during commit</title>
<updated>2025-09-20T08:51:40+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-09-20T08:51:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7aa35eff59611cb90f2409831650ac39506163aa'/>
<id>urn:sha1:7aa35eff59611cb90f2409831650ac39506163aa</id>
<content type='text'>
The list calculation of in-use but deprecated SSH hostkey algorithms was wrong.
This was implemented in commit 6deda171e ("ssh: T7839: add deprecation warning
for DSA hostkey-algorithm usage"). It always returned the content of the list
of deprecated algorithms, but not the list of deprecated algorithms actually -
in use - by the configuration. This has been corrected.

Before:
  DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
  be removed in VyOS 1.6. Please update affected keys to a supported
  algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
  failures after the upgrade. The following hostkey-algorithms are in
  use: ssh-dss, ssh-dss-cert-v01@openssh.com

After:
  DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
  be removed in VyOS 1.6. Please update affected keys to a supported
  algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
  failures after the upgrade. The following hostkey-algorithms are in
  use: ssh-dss

The generation of the MOTD was not affected!
</content>
</entry>
<entry>
<title>ssh: T7839: add deprecation warning for DSA hostkey-algorithm usage</title>
<updated>2025-09-17T19:49:34+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-09-17T19:49:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6deda171e8b5f5a65101436399bdbb308179e076'/>
<id>urn:sha1:6deda171e8b5f5a65101436399bdbb308179e076</id>
<content type='text'>
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.

Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.

    DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
    be removed in VyOS 1.6. Please update affected keys to a supported
    algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
    failures after the upgrade. The following hostkey-algorithms are in
    use: ssh-dss, ssh-dss-cert-v01@openssh.com
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
<entry>
<title>ssh: T6013: rename trusted-user-ca-key -&gt; truster-user-ca</title>
<updated>2025-05-29T12:01:32+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-20T17:57:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4b4bbd73b84c2c478c7752f58e7f66ec6d90459e'/>
<id>urn:sha1:4b4bbd73b84c2c478c7752f58e7f66ec6d90459e</id>
<content type='text'>
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate &lt;foo&gt;" to define an X.509 certificate
from "set pki ca &lt;foo&gt; ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.

This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
</content>
</entry>
<entry>
<title>ssh: T6013: move principal name to "system login user &lt;name&gt; authentication"</title>
<updated>2025-05-29T11:57:48+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-20T17:49:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2'/>
<id>urn:sha1:81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2</id>
<content type='text'>
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.

set system login user &lt;name&gt; principal &lt;principal&gt;

The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
</content>
</entry>
<entry>
<title>ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-key</title>
<updated>2025-05-29T11:57:48+00:00</updated>
<author>
<name>Takeru Hayasaka</name>
<email>hayatake396@gmail.com</email>
</author>
<published>2024-12-28T19:58:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd'/>
<id>urn:sha1:6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd</id>
<content type='text'>
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.

Authored-by: Takeru Hayasaka &lt;hayatake396@gmail.com&gt;
</content>
</entry>
<entry>
<title>T6013: Remove trusted_user_ca_key when the configuration does not exist</title>
<updated>2024-12-23T09:13:14+00:00</updated>
<author>
<name>Takeru Hayasaka</name>
<email>hayatake396@gmail.com</email>
</author>
<published>2024-12-21T03:33:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8b560e7ef40b7c80c2556f111639eb4213d2c0aa'/>
<id>urn:sha1:8b560e7ef40b7c80c2556f111639eb4213d2c0aa</id>
<content type='text'>
Co-authored-by: Simon &lt;965089+sarthurdev@users.noreply.github.com&gt;
</content>
</entry>
<entry>
<title>T6013: Remove unused variables to make it lint-friendly</title>
<updated>2024-12-23T09:13:14+00:00</updated>
<author>
<name>Takeru Hayasaka</name>
<email>hayatake396@gmail.com</email>
</author>
<published>2024-12-14T21:05:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=967218a33cda789758822f9f1232dffce3ddddca'/>
<id>urn:sha1:967218a33cda789758822f9f1232dffce3ddddca</id>
<content type='text'>
</content>
</entry>
</feed>
