diff options
| author | Christian Breunig <christian@breunig.cc> | 2025-09-17 21:16:49 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2025-09-17 21:16:49 +0200 |
| commit | 6af9055be9870effefe802c9fd7b3a9d6aec9413 (patch) | |
| tree | db3e7a702ed133edf19f7e60e5cfa0c2d956245a /src | |
| parent | 4669748ca1b39dc0cb54496d5ce695d05c8431f7 (diff) | |
| download | vyos-1x-6af9055be9870effefe802c9fd7b3a9d6aec9413.tar.gz vyos-1x-6af9055be9870effefe802c9fd7b3a9d6aec9413.zip | |
login: T7839: add deprecation warning for DSS public-key usage
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.
Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.
DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
be removed in VyOS 1.6. Please update affected keys to a supported
algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
failures after the upgrade. The following users are using SSH-DSS keys
for authentication.
User "vyos" with deprecated public-key named: foo
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/system_login.py | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index c2562be7b..0b271a8cf 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -18,6 +18,7 @@ import re import os import json +from copy import deepcopy from passlib.hosts import linux_context from psutil import users from pwd import getpwall @@ -27,6 +28,7 @@ from sys import exit from time import sleep from vyos.base import Warning +from vyos.base import DeprecationWarning from vyos.config import Config from vyos.configdep import set_dependents from vyos.configdep import call_dependents @@ -54,12 +56,13 @@ radius_config_file = "/etc/pam_radius_auth.conf" tacacs_pam_config_file = "/etc/tacplus_servers" tacacs_nss_config_file = "/etc/tacplus_nss.conf" nss_config_file = "/etc/nsswitch.conf" +login_motd_dsa_warning = r'/run/motd.d/90-vyos-user-dsa-deprecation-warning' # Minimum UID used when adding system users MIN_USER_UID: int = 1000 # Maximim UID used when adding system users MAX_USER_UID: int = 59999 -# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec +# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec0 MAX_RADIUS_TIMEOUT: int = 50 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) MAX_RADIUS_COUNT: int = 8 @@ -73,6 +76,13 @@ SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'ta 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] +# As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported +SSH_DSA_DEPRECATION_WARNING: str = \ +'The following users are using SSH-DSS keys for authentication. Support for ' \ +'SSH-DSS keys is deprecated and will be removed in VyOS 1.6. Please update ' \ +'affected user keys to a supported algorithm (e.g., RSA, ECDSA, or ED25519) ' \ +'to avoid authentication failures after the upgrade.' + def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] @@ -182,6 +192,17 @@ def verify(login): else: raise ConfigError(f'User {user} is configured as an operator but is not assigned to any operator groups') + # Deprecation Warning for SSH DSS keys. + gen_header = True + if 'user' in login: + for user, user_config in login['user'].items(): + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): + if 'type' in pubkey_options and pubkey_options['type'] == 'ssh-dss': + if gen_header: + gen_header = False + DeprecationWarning(SSH_DSA_DEPRECATION_WARNING) + print(f'User "{user}" with deprecated public-key named: {pubkey}') + if {'radius', 'tacacs'} <= set(login): raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!') @@ -336,6 +357,12 @@ def generate(login): policy = list(map(lambda s: re.split(r'\s+', s), policy)) operator_config['groups'][g]['command_policy']['allow'] = policy + # Generate MOTD informing the user(s) for possible deprecated SSH keys + tmp = deepcopy(login) + tmp['ssh_dsa_deprecation_warning'] = f'DEPRECATION WARNING: {SSH_DSA_DEPRECATION_WARNING}' + render(login_motd_dsa_warning, 'login/motd_user_dsa_warning.j2', tmp, + permission=0o644, user='root', group='root') + with open('/etc/vyos/operators.json', 'w') as of: json.dump(operator_config, of) |
