summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2025-09-17 21:16:49 +0200
committerChristian Breunig <christian@breunig.cc>2025-09-17 21:16:49 +0200
commit6af9055be9870effefe802c9fd7b3a9d6aec9413 (patch)
treedb3e7a702ed133edf19f7e60e5cfa0c2d956245a /src
parent4669748ca1b39dc0cb54496d5ce695d05c8431f7 (diff)
downloadvyos-1x-6af9055be9870effefe802c9fd7b3a9d6aec9413.tar.gz
vyos-1x-6af9055be9870effefe802c9fd7b3a9d6aec9413.zip
login: T7839: add deprecation warning for DSS public-key usage
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will prevent users with such keys from logging in after upgrade. To avoid lockouts, add a loud deprecation warning when users log in using a DSA key. This warning advises affected users to replace their keys with a supported algorithm (e.g., ed25519 or RSA) before the upgrade. Deprecation warning will be displayed during "commit" but also as MOTD to inform on this issue during every login. DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following users are using SSH-DSS keys for authentication. User "vyos" with deprecated public-key named: foo
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system_login.py29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index c2562be7b..0b271a8cf 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -18,6 +18,7 @@ import re
import os
import json
+from copy import deepcopy
from passlib.hosts import linux_context
from psutil import users
from pwd import getpwall
@@ -27,6 +28,7 @@ from sys import exit
from time import sleep
from vyos.base import Warning
+from vyos.base import DeprecationWarning
from vyos.config import Config
from vyos.configdep import set_dependents
from vyos.configdep import call_dependents
@@ -54,12 +56,13 @@ radius_config_file = "/etc/pam_radius_auth.conf"
tacacs_pam_config_file = "/etc/tacplus_servers"
tacacs_nss_config_file = "/etc/tacplus_nss.conf"
nss_config_file = "/etc/nsswitch.conf"
+login_motd_dsa_warning = r'/run/motd.d/90-vyos-user-dsa-deprecation-warning'
# Minimum UID used when adding system users
MIN_USER_UID: int = 1000
# Maximim UID used when adding system users
MAX_USER_UID: int = 59999
-# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
+# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec0
MAX_RADIUS_TIMEOUT: int = 50
# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
MAX_RADIUS_COUNT: int = 8
@@ -73,6 +76,13 @@ SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'ta
'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11',
'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15']
+# As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported
+SSH_DSA_DEPRECATION_WARNING: str = \
+'The following users are using SSH-DSS keys for authentication. Support for ' \
+'SSH-DSS keys is deprecated and will be removed in VyOS 1.6. Please update ' \
+'affected user keys to a supported algorithm (e.g., RSA, ECDSA, or ED25519) ' \
+'to avoid authentication failures after the upgrade.'
+
def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID):
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
@@ -182,6 +192,17 @@ def verify(login):
else:
raise ConfigError(f'User {user} is configured as an operator but is not assigned to any operator groups')
+ # Deprecation Warning for SSH DSS keys.
+ gen_header = True
+ if 'user' in login:
+ for user, user_config in login['user'].items():
+ for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
+ if 'type' in pubkey_options and pubkey_options['type'] == 'ssh-dss':
+ if gen_header:
+ gen_header = False
+ DeprecationWarning(SSH_DSA_DEPRECATION_WARNING)
+ print(f'User "{user}" with deprecated public-key named: {pubkey}')
+
if {'radius', 'tacacs'} <= set(login):
raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!')
@@ -336,6 +357,12 @@ def generate(login):
policy = list(map(lambda s: re.split(r'\s+', s), policy))
operator_config['groups'][g]['command_policy']['allow'] = policy
+ # Generate MOTD informing the user(s) for possible deprecated SSH keys
+ tmp = deepcopy(login)
+ tmp['ssh_dsa_deprecation_warning'] = f'DEPRECATION WARNING: {SSH_DSA_DEPRECATION_WARNING}'
+ render(login_motd_dsa_warning, 'login/motd_user_dsa_warning.j2', tmp,
+ permission=0o644, user='root', group='root')
+
with open('/etc/vyos/operators.json', 'w') as of:
json.dump(operator_config, of)