diff options
| author | Christian Breunig <christian@breunig.cc> | 2025-09-17 21:49:34 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2025-09-17 21:49:34 +0200 |
| commit | 6deda171e8b5f5a65101436399bdbb308179e076 (patch) | |
| tree | 69237bfd0c9b340615c7dd1ed494b7b9a6c88d2e /src | |
| parent | a5b55e588acff8c07a96c02b523160be725f00ee (diff) | |
| download | vyos-1x-6deda171e8b5f5a65101436399bdbb308179e076.tar.gz vyos-1x-6deda171e8b5f5a65101436399bdbb308179e076.zip | |
ssh: T7839: add deprecation warning for DSA hostkey-algorithm usage
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.
Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.
DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
be removed in VyOS 1.6. Please update affected keys to a supported
algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
failures after the upgrade. The following hostkey-algorithms are in
use: ssh-dss, ssh-dss-cert-v01@openssh.com
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/service_ssh.py | 23 | ||||
| -rwxr-xr-x | src/conf_mode/system_login.py | 10 |
2 files changed, 27 insertions, 6 deletions
diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py index bf8afe8b7..ca0e66207 100755 --- a/src/conf_mode/service_ssh.py +++ b/src/conf_mode/service_ssh.py @@ -16,15 +16,18 @@ import os +from copy import deepcopy from sys import exit from syslog import syslog from syslog import LOG_INFO +from vyos.base import DeprecationWarning from vyos.config import Config from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.configverify import verify_pki_openssh_key from vyos.defaults import config_files +from vyos.defaults import SSH_DSA_DEPRECATION_WARNING from vyos.utils.process import call from vyos.template import render from vyos import ConfigError @@ -47,6 +50,13 @@ key_ed25519 = '/etc/ssh/ssh_host_ed25519_key' trusted_user_ca = config_files['sshd_user_ca'] +login_motd_dsa_warning = r'/run/motd.d/91-vyos-ssh-dsa-deprecation-warning' + +# As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported +deprecated_algos = ['ssh-dss', 'ssh-dss-cert-v01@openssh.com'] +SSH_DSA_DEPRECATION_WARNING: str = f'{SSH_DSA_DEPRECATION_WARNING} '\ +'The following hostkey-algorithms are in use:' + def get_config(config=None): if config: conf = config @@ -100,6 +110,12 @@ def verify(ssh): if 'trusted_user_ca' in ssh: verify_pki_openssh_key(ssh, ssh['trusted_user_ca']) + if 'hostkey_algorithm' in ssh: + tmp = any(item in deprecated_algos for item in ssh['hostkey_algorithm']) + if deprecated_algos: + tmp = ', '.join(deprecated_algos) + DeprecationWarning(f'{SSH_DSA_DEPRECATION_WARNING} {tmp}') + verify_vrf(ssh) return None @@ -137,6 +153,13 @@ def generate(ssh): render(config_file, 'ssh/sshd_config.j2', ssh) + # Generate MOTD informing the user(s) for possible deprecated SSH hostkey-algorithm + tmp = deepcopy(ssh) + tmp['ssh_dsa_deprecation_warning'] = f'DEPRECATION WARNING: {SSH_DSA_DEPRECATION_WARNING}' + tmp['deprecated_algos'] = deprecated_algos + render(login_motd_dsa_warning, 'ssh/motd_ssh_dsa_warning.j2', tmp, + permission=0o644, user='root', group='root') + if 'dynamic_protection' in ssh: render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh) render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh) diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 0b271a8cf..7ddcbff4a 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -33,6 +33,7 @@ from vyos.config import Config from vyos.configdep import set_dependents from vyos.configdep import call_dependents from vyos.configverify import verify_vrf +from vyos.defaults import SSH_DSA_DEPRECATION_WARNING from vyos.template import render from vyos.template import is_ipv4 from vyos.utils.auth import EPasswdStrength @@ -56,7 +57,7 @@ radius_config_file = "/etc/pam_radius_auth.conf" tacacs_pam_config_file = "/etc/tacplus_servers" tacacs_nss_config_file = "/etc/tacplus_nss.conf" nss_config_file = "/etc/nsswitch.conf" -login_motd_dsa_warning = r'/run/motd.d/90-vyos-user-dsa-deprecation-warning' +login_motd_dsa_warning = r'/run/motd.d/92-vyos-user-dsa-deprecation-warning' # Minimum UID used when adding system users MIN_USER_UID: int = 1000 @@ -77,11 +78,8 @@ SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'ta 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] # As of OpenSSH 9.8p1 in Debian trixie, DSA keys are no longer supported -SSH_DSA_DEPRECATION_WARNING: str = \ -'The following users are using SSH-DSS keys for authentication. Support for ' \ -'SSH-DSS keys is deprecated and will be removed in VyOS 1.6. Please update ' \ -'affected user keys to a supported algorithm (e.g., RSA, ECDSA, or ED25519) ' \ -'to avoid authentication failures after the upgrade.' +SSH_DSA_DEPRECATION_WARNING: str = f'{SSH_DSA_DEPRECATION_WARNING} '\ +'The following users are using SSH-DSS keys for authentication.' def get_local_users(min_uid=MIN_USER_UID, max_uid=MAX_USER_UID): """Return list of dynamically allocated users (see Debian Policy Manual)""" |
