Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi Aristid,

> Just how weak are they, and why?

1024 bit DSA keys are considered "weak" in the sense that someone might be able to crack those if he or she is super motivated to do so and has a couple of million dollars to spend. In other words, if you intend to blow the whistle on some secret NSA spy program any time soon, then you probably shouldn't use those keys to protect your communication.

1024 bit DSA is perfectly secure, however, to protect against attackers other than crazy billionaires, organized crime, and government agencies. Mounting a meaningful attack against a 1024 bit DSA key is just too expensive to be feasible on a large scale.

Nonetheless, there is no reason to stick to 1024 bit DSA keys -- more secure public key encryption schemes are readily available -- and if you have the chance to upgrade your installation, then it's probably a good idea to do it.

Take care,
Peter

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Looks good. Thanks!

>>> The ssh client prefers ECDSA host keys over DSA keys so I don't think this
>>> is a big deal. But we could have an option to enable/disable generation of
>>> DSA keys.
>>
>> I'd keep the path to the host keys configurable, maybe bump key sizes a
>> little.
>
> Okay, I've now pushed a commit that does this
> (9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA,
> but you can turn off the DSA key by saying:
>
> services.openssh.hostKeys =
>   [ { path = "/etc/ssh/ssh_host_ecdsa_key";
>       type = "ecdsa";
>       bits = 521;
>     }
>   ];
>
> If desired, we could also enable an RSA key by default.
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:43, phree...@yandex.ru wrote:
>> On 23/08/13 20:25, Mathijs Kwik wrote:
>>> I currently only have an ecdsa host key and would like to keep it that
>>> way.
>>> This patch would give me a dsa key too which I don't want.
>>
>> The ssh client prefers ECDSA host keys over DSA keys so I don't think this
>> is a big deal. But we could have an option to enable/disable generation of
>> DSA keys.
>
> I'd keep the path to the host keys configurable, maybe bump key sizes a
> little.

Okay, I've now pushed a commit that does this
(9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA,
but you can turn off the DSA key by saying:

services.openssh.hostKeys =
  [ { path = "/etc/ssh/ssh_host_ecdsa_key";
      type = "ecdsa";
      bits = 521;
    }
  ];

If desired, we could also enable an RSA key by default.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
>>>> It has been brought to our attention that the host keys created by the
>>>> default SSH daemon configuration are too weak.
>>>
>>> Citation needed please. According to whom are DSA keys bad? OpenSSH's own
>>> "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).
>>
>> Section 2.1: 1024bit keys should be phased out by 2010
>> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
>>
>> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
>> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
>
> That they deprecate generation of new 1024-bit DSA keys doesn't seem enough
> reason for us to print dire security warnings on the console. That's really
> something you should discuss with upstream. They're the crypto experts.

But upstream has been generating and prioritizing keys other than 1024bit DSA for some time already, and it is the NixOS implementation that forces DSA-only mode.
Re: [Nix-dev] SECURITY: default SSH host keys are weak
In the message of Friday, 23 August 2013, 20:36:26, Eelco Dolstra wrote:
> Hi,
>
> On 23/08/13 20:25, Mathijs Kwik wrote:
>> I currently only have an ecdsa host key and would like to keep it that
>> way.
>> This patch would give me a dsa key too which I don't want.
>
> The ssh client prefers ECDSA host keys over DSA keys so I don't think this
> is a big deal. But we could have an option to enable/disable generation of
> DSA keys.

I'd keep the path to the host keys configurable, maybe bump key sizes a little. Otherwise, it should be fine.

Unfortunately, the known hosts files can't be fixed and weaker keys will be used until users take action :(
Re: [Nix-dev] SECURITY: default SSH host keys are weak
There probably is some MITM trick to force DSA. That will then indeed lead to a "host changed" warning in case the client has never used the dsa key before, so it probably won't hurt indeed.

But an option to disable it would be better. Kind of like the hostKeyType we have now :)

On Fri, Aug 23, 2013 at 8:36 PM, Eelco Dolstra wrote:
> Hi,
>
> On 23/08/13 20:25, Mathijs Kwik wrote:
>
>> I currently only have an ecdsa host key and would like to keep it that way.
>> This patch would give me a dsa key too which I don't want.
>
> The ssh client prefers ECDSA host keys over DSA keys so I don't think this is
> a big deal. But we could have an option to enable/disable generation of DSA
> keys.
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:29, phree...@yandex.ru wrote:
>>> It has been brought to our attention that the host keys created by the
>>> default SSH daemon configuration are too weak.
>>
>> Citation needed please. According to whom are DSA keys bad? OpenSSH's own
>> "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).
>
> Section 2.1: 1024bit keys should be phased out by 2010
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
>
> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

That they deprecate generation of new 1024-bit DSA keys doesn't seem enough reason for us to print dire security warnings on the console. That's really something you should discuss with upstream. They're the crypto experts.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 20:25, Mathijs Kwik wrote:
> I currently only have an ecdsa host key and would like to keep it that way.
> This patch would give me a dsa key too which I don't want.

The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
>> It has been brought to our attention that the host keys created by the
>> default SSH daemon configuration are too weak.
>
> Citation needed please. According to whom are DSA keys bad? OpenSSH's own
> "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).

Section 2.1: 1024bit keys should be phased out by 2010
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf

More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
Re: [Nix-dev] SECURITY: default SSH host keys are weak
I currently only have an ecdsa host key and would like to keep it that way.
This patch would give me a dsa key too which I don't want.

On Fri, Aug 23, 2013 at 7:28 PM, Eelco Dolstra wrote:
> Hi,
>
> On 23/08/13 18:05, Peter Simons wrote:
>
>> I am in favor of changing the default key type to something stronger
>> than 1024 bit DSA for newly generated keys.
>>
>> I do not want any of my existing keys re-generated or replaced, though.
>>
>> Can the change in NixOS be made in such a way that accomplishes this?
>
> We can just generate an ECDSA key in addition to the DSA key, which is in fact
> what upstream's "make host-key" does. I suggest we apply the attached patch
> that does that. It's completely backwards compatible in that it will generate
> an ECDSA host key on systems that don't have one, while clients that have the
> DSA key in their known_hosts will continue to use that. (It also drops the
> configurability of the host key type since that doesn't support having
> multiple host keys.)
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 18:05, Peter Simons wrote:
> I am in favor of changing the default key type to something stronger
> than 1024 bit DSA for newly generated keys.
>
> I do not want any of my existing keys re-generated or replaced, though.
>
> Can the change in NixOS be made in such a way that accomplishes this?

We can just generate an ECDSA key in addition to the DSA key, which is in fact what upstream's "make host-key" does. I suggest we apply the attached patch that does that. It's completely backwards compatible in that it will generate an ECDSA host key on systems that don't have one, while clients that have the DSA key in their known_hosts will continue to use that. (It also drops the configurability of the host key type since that doesn't support having multiple host keys.)

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 0c70ebd..7fd6bab 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -15,29 +15,6 @@ let v == "forced-commands-only" || v == "no"; - hostKeyTypeNames = { -dsa1024 = "dsa"; # DSA has a key size limitation due to standards -rsa3072 = "rsa"; -ecdsa521 = "ecdsa"; - }; - - hostKeyTypeBits = { -dsa1024 = 1024; # =80 bits of security -rsa3072 = 3072; # =128 bits of security -ecdsa521 = 521; # =256 bits of security - }; - - # equivalent to 112 bit of security strength. Anything below this is very unsafe. - hostKeyTypeSafeBits = { -dsa1024 = 2048; -rsa3072 = 2048; -ecdsa521 = 255; - }; - - hktn = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeNames; - hktb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeBits; - hktsb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeSafeBits; - knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); knownHostsFile = pkgs.writeText "ssh_known_hosts" ( @@ -176,25 +153,6 @@ in ''; }; - hostKeyType = mkOption { -default = "dsa1024"; -description = '' - Type of host key to generate (dsa1024/rsa3072/ecdsa521), if - the file specified by hostKeyPath does not - exist when the service starts. -''; - }; - - hostKeyPath = mkOption { -default = "/etc/ssh/ssh_host_${hktn}_key"; -description = '' - Path to the server's private key. If there is no key file - on this path, it will be generated when the service is - started for the first time. Otherwise, the ssh daemon will - use the specified key directly in-place. -''; - }; - authorizedKeysFiles = mkOption { default = []; description = "Files from with authorized keys are read."; 
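Review bot: deleting `hostKeyTypeSafeBits` in the first hunk (`@@ -15,29 +15,6 @@`) removes the size floor that the startup script's weak-key warning compared against, and nothing later in the patch replaces it, so a machine that already has a 1024-bit DSA key (the case this thread is about) gets no notice at all after this change. The table being removed was also internally inconsistent: `dsa1024 = 2048` meant the default key type could never pass its own check, and `ecdsa521 = 255` let a 256-bit ECDSA key pass. If the warning is being dropped deliberately, say so in the commit message; otherwise keep a per-type floor and re-check existing keys at start-up.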
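Review bot: removing the `hostKeyType` and `hostKeyPath` options in the second hunk (`@@ -176,25 +153,6 @@`) leaves users who already set them (including the `hostKeyType = "ecdsa521"` / `"rsa3072"` workaround posted at the start of this thread) with a bare evaluation error and no hint of what replaced the options, and anyone who pointed `hostKeyPath` at a non-default location will get fresh keys generated under /etc/ssh instead of the ones they meant to use. Keep the path configurable (a list of key paths would cover the multiple-key case this patch introduces) or at least document the removal and the new behaviour in the module's option descriptions.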
@@ -286,21 +244,18 @@ in '' mkdir -m 0755 -p /etc/ssh -if ! test -f ${cfg.hostKeyPath}; then -ssh-keygen -t ${hktn} -b ${toString hktb} -f ${cfg.hostKeyPath} -N "" +if ! [ -f /etc/ssh/ssh_host_dsa_key ]; then +ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" fi -result=$(ssh-keygen -lf ${cfg.hostKeyPath}|awk '{ print ($1>=${toString hktsb}?1:0)}') -if [ "$result" -ne "1" ]; then - ERROR="SECURITY ALERT: SSH Host Key is too weak. Generate a strong key NOW." - echo "$ERROR" - echo "$ERROR" > /dev/console +if ! [ -f /etc/ssh/ssh_host_ecdsa_key ]; then +ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N "" fi ''; serviceConfig = { ExecStart = - "${pkgs.openssh}/sbin/sshd -h ${cfg.hostKeyPath} " + + "${pkgs.openssh}/sbin/sshd " + "-f ${pkgs.writeText "sshd_config" cfg.extraConfig}"; Restart = "always"; Type = "forking"; ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
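Review bot: `ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""` is run without `-b`, so it produces a 256-bit ECDSA key rather than the 521-bit size the removed `hostKeyTypeBits` table specified; add `-b 521` if that size is intended. `ssh-keygen -t dsa` without `-b` yields a 1024-bit key (ssh-keygen fixes DSA keys at 1024 bits), so a fresh install still gets exactly the key this thread calls weak, now merely alongside an ECDSA one. Dropping `-h ${cfg.hostKeyPath}` from `ExecStart` relies on sshd's built-in default HostKey paths matching the two files generated here; if a user's `extraConfig` sets `HostKey`, those defaults are replaced and the generated files are ignored, which deserves a comment in the module.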
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Hi,

On 23/08/13 14:02, phree...@yandex.ru wrote:
> It has been brought to our attention that the host keys created by the default
> SSH daemon configuration are too weak.

Citation needed please. According to whom are DSA keys bad? OpenSSH's own "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] SECURITY: default SSH host keys are weak
I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys.

I do not want any of my existing keys re-generated or replaced, though.

Can the change in NixOS be made in such a way that accomplishes this?

Peter
Re: [Nix-dev] SECURITY: default SSH host keys are weak
>> Thus, I'm giving a short notice to people who don't want surprises and
>> then the default change will trigger generation of a new key.
>
> Is it possible to make ssh use/store a key in a /key-type/* location?
> Then you could switch forward/backward easily.

That's more or less what happens except that it is ssh/key-type-*
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Excerpts from phreedom's message of Fri Aug 23 14:38:55 +0200 2013:
> Thus, I'm giving a short notice to people who don't want surprises and then
> the default change will trigger generation of a new key.

Is it possible to make ssh use/store a key in a /key-type/* location? Then you could switch forward/backward easily.

Marc Weber
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Just how weak are they, and why?

On 23.08.2013 14:02 wrote:
> It has been brought to our attention that the host keys created by the
> default SSH daemon configuration are too weak.
>
> Fix:
>
> If you don't care about compatibility with old and broken software:
> services.openssh.hostKeyType = "ecdsa521";
>
> Otherwise:
> services.openssh.hostKeyType = "rsa3072";
>
> Attempts to log into the host will cause SSH to complain about the key
> change. If you had anything that relies on passwordless logins, it will
> break.
>
> I have added a check for weak keys to sshd startup script:
> f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2
>
> I'll wait a couple of days and then change the hostKeyType default. Or maybe
> it should be done sooner?
Re: [Nix-dev] SECURITY: default SSH host keys are weak
In the message of Friday, 23 August 2013, 14:19:49, Marc Weber wrote:
> Or raise an exception unless a new option such as
> allowWeakKeyTypes is set to true.

Can't be done because keys aren't generated during the build time and could have been inherited from another system in fact.

> There is a way to write assertions, grep for assertion in nixos.
>
> I'd like to see such issues treated seriously and force the right
> thing unless the admin really opts out.

Thus, I'm giving a short notice to people who don't want surprises and then the default change will trigger generation of a new key.
Re: [Nix-dev] SECURITY: default SSH host keys are weak
Or raise an exception unless a new option such as allowWeakKeyTypes is set to true.

There is a way to write assertions, grep for assertion in nixos.

I'd like to see such issues treated seriously and force the right thing unless the admin really opts out.

Marc Weber
[Nix-dev] SECURITY: default SSH host keys are weak
It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.

Fix:

If you don't care about compatibility with old and broken software:
services.openssh.hostKeyType = "ecdsa521";

Otherwise:
services.openssh.hostKeyType = "rsa3072";

Attempts to log into the host will cause SSH to complain about the key change. If you had anything that relies on passwordless logins, it will break.

I have added a check for weak keys to sshd startup script:
f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2

I'll wait a couple of days and then change the hostKeyType default. Or maybe it should be done sooner?
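As an added example, not code from the NixOS sshd module or from anyone in this thread, here is a POSIX shell audit in the spirit of the weak-key check the announcement above mentions. It classifies host keys from the output of `ssh-keygen -lf <keyfile>`, which prints the key length first and the key type last in parentheses, so the check needs no access to the private key material. The 112-bit floor, the RSA/DSA size-to-strength mapping, and the handling of ECDSA and Ed25519 (the latter postdates this thread, so the example goes beyond it) are my assumptions; the sample lines are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the NixOS sshd module. Classifies SSH host
# keys by security strength, parsing lines in the format printed by
# `ssh-keygen -lf <keyfile>`:  "<bits> <fingerprint> <comment> (<TYPE>)".
# Assumptions: the floor is 112 bits of security; RSA/DSA modulus sizes
# map to strength per the usual NIST SP 800-57 table (1024 -> 80,
# 2048 -> 112, 3072 -> 128, ...); ECDSA/Ed25519 strength is half the
# reported key size.

# Approximate symmetric-equivalent security strength for a key type/size.
key_strength() {
  ktype=$1
  bits=$2
  case "$ktype" in
    DSA|RSA)
      if   [ "$bits" -ge 15360 ]; then echo 256
      elif [ "$bits" -ge 7680 ];  then echo 192
      elif [ "$bits" -ge 3072 ];  then echo 128
      elif [ "$bits" -ge 2048 ];  then echo 112
      elif [ "$bits" -ge 1024 ];  then echo 80
      else echo 0
      fi ;;
    ECDSA|ED25519)
      echo $((bits / 2)) ;;
    *)
      echo 0 ;;
  esac
}

# Classify one `ssh-keygen -l` output line: prints "weak", "ok" or
# "unknown" (unparseable line or a key type this script does not rate).
classify_key_line() {
  line=$1
  bits=${line%% *}                 # first field: key size in bits
  ktype=$(printf '%s\n' "$line" | sed -n 's/.*(\([A-Z0-9]*\))[[:space:]]*$/\1/p')
  case "$bits" in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac
  case "$ktype" in
    DSA|RSA|ECDSA|ED25519) ;;
    *) echo unknown; return 0 ;;
  esac
  strength=$(key_strength "$ktype" "$bits")
  if [ "$strength" -ge 112 ]; then echo ok; else echo weak; fi
}

# Audit the key files sshd would load. Prints one line per key and
# returns 1 if any key is weak or unreadable. Needs ssh-keygen on PATH.
audit_host_keys() {
  rc=0
  for f in "$@"; do
    if ! out=$(ssh-keygen -lf "$f" 2>/dev/null); then
      echo "$f: unreadable"; rc=1; continue
    fi
    verdict=$(classify_key_line "$out")
    echo "$f: $verdict ($out)"
    [ "$verdict" = ok ] || rc=1
  done
  return $rc
}

# Constructed sample lines (not from a real host) covering the key types
# discussed in the thread; the fingerprints are placeholders.
SAMPLE_DSA1024='1024 SHA256:AAAA root@example (DSA)'
SAMPLE_RSA3072='3072 SHA256:BBBB root@example (RSA)'
SAMPLE_ECDSA256='256 SHA256:CCCC root@example (ECDSA)'
SAMPLE_ECDSA521='521 SHA256:DDDD root@example (ECDSA)'

# Usage: sh audit-hostkeys.sh /etc/ssh/ssh_host_*_key
# With no arguments, classify the constructed samples instead.
if [ "$#" -gt 0 ]; then
  audit_host_keys "$@"
else
  for l in "$SAMPLE_DSA1024" "$SAMPLE_RSA3072" "$SAMPLE_ECDSA256" "$SAMPLE_ECDSA521"; do
    echo "$(classify_key_line "$l"): $l"
  done
fi
```

Run it against /etc/ssh/ssh_host_*_key on a host; a non-zero exit marks a machine still serving a 1024-bit DSA key. As noted earlier in the thread, clients that already pinned that key in known_hosts keep using it, so the audit only tells you which hosts need a new key published; it does not fix the client side.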