summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2025-09-17 21:49:34 +0200
committerChristian Breunig <christian@breunig.cc>2025-09-17 21:49:34 +0200
commit6deda171e8b5f5a65101436399bdbb308179e076 (patch)
tree69237bfd0c9b340615c7dd1ed494b7b9a6c88d2e /src
parenta5b55e588acff8c07a96c02b523160be725f00ee (diff)
downloadvyos-1x-6deda171e8b5f5a65101436399bdbb308179e076.tar.gz
vyos-1x-6deda171e8b5f5a65101436399bdbb308179e076.zip
ssh: T7839: add deprecation warning for DSA hostkey-algorithm usage
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will prevent users with such keys from logging in after upgrade. To avoid lockouts, add a loud deprecation warning when users log in using a DSA key. This warning advises affected users to replace their keys with a supported algorithm (e.g., ed25519 or RSA) before the upgrade. Deprecation warning will be displayed during "commit" but also as MOTD to inform on this issue during every login. DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following hostkey-algorithms are in use: ssh-dss, ssh-dss-cert-v01@openssh.com
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/service_ssh.py23
-rwxr-xr-xsrc/conf_mode/system_login.py10
2 files changed, 27 insertions, 6 deletions
diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py
index bf8afe8b7..ca0e66207 100755
--- a/src/conf_mode/service_ssh.py
+++ b/src/conf_mode/service_ssh.py
@@ -16,15 +16,18 @@
import os
+from copy import deepcopy
from sys import exit
from syslog import syslog
from syslog import LOG_INFO
+from vyos.base import DeprecationWarning
from vyos.config import Config
from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
from vyos.configverify import verify_pki_openssh_key
from vyos.defaults import config_files
+from vyos.defaults import SSH_DSA_DEPRECATION_WARNING
from vyos.utils.process import call
from vyos.template import render
from vyos import ConfigError
@@ -47,6 +50,13 @@ key_ed25519 = '/etc/ssh/ssh_host_ed25519_key'
trusted_user_ca = config_files['sshd_user_ca']
+login_motd_dsa_warning = r'/run/motd.d/91-vyos-ssh-dsa-deprecation-warning'
+
+# As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported
+deprecated_algos = ['ssh-dss', 'ssh-dss-cert-v01@openssh.com']
+SSH_DSA_DEPRECATION_WARNING: str = f'{SSH_DSA_DEPRECATION_WARNING} '\
+'The following hostkey-algorithms are in use:'
+
def get_config(config=None):
if config:
conf = config
@@ -100,6 +110,12 @@ def verify(ssh):
if 'trusted_user_ca' in ssh:
verify_pki_openssh_key(ssh, ssh['trusted_user_ca'])
+ if 'hostkey_algorithm' in ssh:
+ tmp = any(item in deprecated_algos for item in ssh['hostkey_algorithm'])
+ if deprecated_algos:
+ tmp = ', '.join(deprecated_algos)
+ DeprecationWarning(f'{SSH_DSA_DEPRECATION_WARNING} {tmp}')
+
verify_vrf(ssh)
return None
@@ -137,6 +153,13 @@ def generate(ssh):
render(config_file, 'ssh/sshd_config.j2', ssh)
+ # Generate MOTD informing the user(s) for possible deprecated SSH hostkey-algorithm
+ tmp = deepcopy(ssh)
+ tmp['ssh_dsa_deprecation_warning'] = f'DEPRECATION WARNING: {SSH_DSA_DEPRECATION_WARNING}'
+ tmp['deprecated_algos'] = deprecated_algos
+ render(login_motd_dsa_warning, 'ssh/motd_ssh_dsa_warning.j2', tmp,
+ permission=0o644, user='root', group='root')
+
if 'dynamic_protection' in ssh:
render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh)
render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh)
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 0b271a8cf..7ddcbff4a 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -33,6 +33,7 @@ from vyos.config import Config
from vyos.configdep import set_dependents
from vyos.configdep import call_dependents
from vyos.configverify import verify_vrf
+from vyos.defaults import SSH_DSA_DEPRECATION_WARNING
from vyos.template import render
from vyos.template import is_ipv4
from vyos.utils.auth import EPasswdStrength
@@ -56,7 +57,7 @@ radius_config_file = "/etc/pam_radius_auth.conf"
tacacs_pam_config_file = "/etc/tacplus_servers"
tacacs_nss_config_file = "/etc/tacplus_nss.conf"
nss_config_file = "/etc/nsswitch.conf"
-login_motd_dsa_warning = r'/run/motd.d/90-vyos-user-dsa-deprecation-warning'
+login_motd_dsa_warning = r'/run/motd.d/92-vyos-user-dsa-deprecation-warning'
# Minimum UID used when adding system users
MIN_USER_UID: int = 1000
@@ -77,11 +78,8 @@ SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'ta
'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15']
# As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported
-SSH_DSA_DEPRECATION_WARNING: str = \
-'The following users are using SSH-DSS keys for authentication. Support for ' \
-'SSH-DSS keys is deprecated and will be removed in VyOS 1.6. Please update ' \
-'affected user keys to a supported algorithm (e.g., RSA, ECDSA, or ED25519) ' \
-'to avoid authentication failures after the upgrade.'
+SSH_DSA_DEPRECATION_WARNING: str = f'{SSH_DSA_DEPRECATION_WARNING} '\
+'The following users are using SSH-DSS keys for authentication.'
def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID):
"""Return list of dynamically allocated users (see Debian Policy Manual)"""