Re: [arch-dev-public] News item for openssh-7.0p1-1

2015-08-12 Thread Gaetan Bisson
[2015-08-13 12:34:07 +0900] Gaetan Bisson:
> Oh, sure. Here's a new proposal:

Better wording.


Title: openssh-7.0p1 deprecates ssh-dss keys

In light of recently discovered vulnerabilities, the new `openssh-7.0p1`
release deprecates keys of `ssh-dss` type, also known as DSA keys. See the
[upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html)
for details.

Before updating and restarting `sshd` on a remote host, make sure you do
not rely on such keys for connecting to it. To enumerate DSA keys
granting access to a given account, use:

    grep ssh-dss ~/.ssh/authorized_keys

If you have any, ensure you have alternative means of logging in, such
as key pairs of a different type, or password authentication.

Finally, host keys of `ssh-dss` type being deprecated too, you might
have to confirm a new fingerprint (for a host key of a different type)
when connecting to a freshly updated server.


-- 
Gaetan




Re: [arch-dev-public] News item for openssh-7.0p1-1

2015-08-12 Thread Gaetan Bisson
[2015-08-12 20:24:07 +0200] Jens Adam:
> Thu, 13 Aug 2015 00:03:59 +0900
> Gaetan Bisson :
> 
> > Hi,
> > 
> > I'd like to suggest the following piece of news to be posted when
> > openssh-7.0p1-1 lands in [core]:
> > 
> > 
> > The new openssh-7.0p1 release deprecates certain types of SSH keys
> > that are now considered vulnerable. For details, see the
> > [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).
> > 
> > Before updating and restarting sshd on remote hosts, if you rely on
> > SSH keys for authentication, please make sure that you have a recent
> > key pair set up, or alternative means of logging in (such as using
> > password authentication).
> 
> Perhaps you could clarify that this only affects people using ssh-dss
> keys for authentication and how to check for them, e.g. "use 'grep
> ssh-dss ~/.ssh/{known_hosts,authorized_keys*,*.pub}' to find legacy
> keys".

Oh, sure. Here's a new proposal:


The new `openssh-7.0p1` release deprecates keys of `ssh-dss` type (also
known as DSA) in light of recently discovered vulnerabilities. For
details, see the
[upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).

Before updating and restarting sshd on remote hosts, make sure you do
not rely solely on DSA keys for connecting to it. You may enumerate DSA
keys that allow connecting to a remote account with:

    grep ssh-dss ~/.ssh/authorized_keys

If you have any, ensure you have alternative means of logging in (such
as a key pair of a different type, or password authentication).

Note that host keys of `ssh-dss` type are also deprecated; if you were
relying on them to connect to a server, after updating it, you will have
to confirm the fingerprint of a key of another type to reconnect.


-- 
Gaetan




Re: [arch-dev-public] News item for openssh-7.0p1-1

2015-08-12 Thread Gaetan Bisson
[2015-08-12 23:15:34 +0200] Christian Hesse:
> Gaetan Bisson  on Thu, 2015/08/13 00:03:
> > Hi,
> > 
> > I'd like to suggest the following piece of news to be posted when
> > openssh-7.0p1-1 lands in [core]:
> > 
> > 
> > The new openssh-7.0p1 release deprecates certain types of SSH keys that
> > are now considered vulnerable. For details, see the
> > [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).
> > 
> > Before updating and restarting sshd on remote hosts, if you rely on SSH
> > keys for authentication, please make sure that you have a recent key
> > pair set up, or alternative means of logging in (such as using password
> > authentication).
> 
> This does not only apply to public key authentication but to host keys as
> well. Do we want to add a note about that?

If updating your openssh client breaks connectivity to an old SSH
server, that's fine, you can just roll back the openssh client, fix
things, and update later.

The only issue is updating servers. But host keys are not a problem
because sshdgenkeys.service generates all key types. If a user
deliberately chose to only trust a DSS key (by default, it would have
been RSA keys) then they just have to "blindly" trust a key of another
type to connect to the updated server. That does not sound like a big
issue to me.

Cheers.

-- 
Gaetan


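An added example, not part of this thread, of the Arch news item or of OpenSSH itself, that turns the `grep ssh-dss ~/.ssh/authorized_keys` check from the proposed news text and the host-key point in the reply above into a pre-upgrade audit. It covers the wider file list Jens suggested (authorized_keys, *.pub, known_hosts), matches the key-type field rather than any occurrence of the string, and for known_hosts reports which hosts are pinned only by an ssh-dss host key, i.e. the hosts where a freshly updated server will present a fingerprint of another type that you have not seen before. The function names, the demo directory layout and the placeholder key strings are constructed for this example.

```shell
#!/bin/sh
# Pre-upgrade audit for ssh-dss (DSA) material ahead of openssh-7.0p1.
# Added example: not from the Arch news item, this thread or OpenSSH itself.
# The demo files, host names and key strings below are constructed placeholders.

# Report authorized_keys / *.pub lines whose key-type field is ssh-dss.
# Matching the type field plus the DSA blob prefix "AAAAB3NzaC1kc3M" (base64
# of the length-prefixed string "ssh-dss") avoids false hits on comment lines
# or key comments that merely contain the word. Output: file:line: entry
dss_auth_entries() {
    dir=$1
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2 "$dir"/*.pub; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }
            {
                for (i = 1; i < NF; i++)
                    if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                        print f ":" NR ": " $0
                        break
                    }
            }
        ' "$f"
    done
}

# List hosts in known_hosts that are pinned ONLY by an ssh-dss host key.
# Hosts that also have an RSA/ECDSA/Ed25519 entry keep working after the
# server upgrade; DSA-only hosts will prompt for a new fingerprint.
# Hashed entries (HashKnownHosts) cannot be grouped by name from the file,
# so ssh-dss lines among them are reported as "hashed:<line number>".
dss_only_hosts() {
    kh=$1
    [ -f "$kh" ] || return 0
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            host = $1; type = $2
            if (host ~ /^@/) { host = $2; type = $3 }   # @cert-authority / @revoked
            if (substr(host, 1, 3) == "|1|") {           # hashed hostname
                if (type == "ssh-dss") print "hashed:" NR
                next
            }
            n = split(host, names, ",")                  # "host,ip" aliases
            for (i = 1; i <= n; i++) {
                seen[names[i]] = 1
                if (type == "ssh-dss") dss[names[i]] = 1
                else other[names[i]] = 1
            }
        }
        END { for (h in seen) if (dss[h] && !other[h]) print h }
    ' "$kh" | sort
}

# Build a constructed ~/.ssh layout for the demo (placeholder keys, not real
# key material). Prints the temporary root directory.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh"
    printf '%s\n' \
        '# legacy key that openssh-7.0p1 will refuse' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER legacy@laptop' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER user@laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@desktop' \
        > "$d/.ssh/authorized_keys"
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER legacy@laptop' > "$d/.ssh/id_dsa.pub"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER user@laptop' > "$d/.ssh/id_rsa.pub"
    printf '%s\n' \
        '# dsa-only.example.org is pinned only by its DSA host key' \
        'dsa-only.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' \
        '# both.example.org has DSA and RSA entries; RSA survives the upgrade' \
        'both.example.org,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' \
        'both.example.org,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER' \
        'rsa-only.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER' \
        '|1|c2FsdA==|aGFzaA== ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' \
        > "$d/.ssh/known_hosts"
    echo "$d"
}

# Stand-alone run: audit the directory given as $1, or the constructed demo.
if [ $# -ge 1 ]; then
    ssh_dir=$1
    demo_root=
else
    demo_root=$(make_demo_dir)
    ssh_dir=$demo_root/.ssh
fi
echo "== ssh-dss entries in authorized_keys and *.pub under $ssh_dir"
dss_auth_entries "$ssh_dir"
echo "== hosts in known_hosts pinned only by an ssh-dss host key (hashed: line numbers)"
dss_only_hosts "$ssh_dir/known_hosts"
[ -z "$demo_root" ] || rm -rf "$demo_root"
```

Run it with a real directory as the first argument (`sh audit.sh ~/.ssh`) to audit that instead of the demo files. For the hashed known_hosts lines it reports, `ssh-keygen -F host -f ~/.ssh/known_hosts` prints every entry stored for a given host, hashed or not, so you can see whether a non-DSA key is also pinned for it.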


Re: [arch-dev-public] News item for openssh-7.0p1-1

2015-08-12 Thread Christian Hesse
Gaetan Bisson  on Thu, 2015/08/13 00:03:
> Hi,
> 
> I'd like to suggest the following piece of news to be posted when
> openssh-7.0p1-1 lands in [core]:
> 
> 
> The new openssh-7.0p1 release deprecates certain types of SSH keys that
> are now considered vulnerable. For details, see the
> [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).
> 
> Before updating and restarting sshd on remote hosts, if you rely on SSH
> keys for authentication, please make sure that you have a recent key
> pair set up, or alternative means of logging in (such as using password
> authentication).

This does not only apply to public key authentication but to host keys as
well. Do we want to add a note about that?

Old algorithms can be used when explicitly enabling them, though... ;)

The systemd unit sshdgenkeys.service still generates a dsa host key. Do we
want to change that?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris   get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/*   gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}




[arch-dev-public] News item for openssh-7.0p1-1

2015-08-12 Thread Gaetan Bisson
Hi,

I'd like to suggest the following piece of news to be posted when
openssh-7.0p1-1 lands in [core]:


The new openssh-7.0p1 release deprecates certain types of SSH keys that
are now considered vulnerable. For details, see the
[upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).

Before updating and restarting sshd on remote hosts, if you rely on SSH
keys for authentication, please make sure that you have a recent key
pair set up, or alternative means of logging in (such as using password
authentication).


-- 
Gaetan


Re: [arch-dev-public] [core] build failures

2015-08-12 Thread Allan McRae
On 12/08/15 22:53, Gaetan Bisson wrote:
> [2015-08-12 20:42:21 +1000] Allan McRae:
>> Failure in package():
>>  FAIL: ldns - build failed
> 
> It works for me. Do you build from trunk?
> 

I built it from a checkout on the 8th.  I see you fixed the build since
then.  Works now.

A


Re: [arch-dev-public] [core] build failures

2015-08-12 Thread Gaetan Bisson
[2015-08-12 20:42:21 +1000] Allan McRae:
> Failure in package():
>   FAIL: ldns - build failed

It works for me. Do you build from trunk?

-- 
Gaetan


Re: [arch-dev-public] [core] build failures

2015-08-12 Thread Andrea Scarpino
On Wed, Aug 12, 2015 at 12:42 PM, Allan McRae  wrote:

> FAIL: gummiboot - build failed


IMHO this should just be dropped.

-- 
Andrea


[arch-dev-public] [core] build failures

2015-08-12 Thread Allan McRae
Hi all,

I have gone through the build failures I noticed in [core] when testing for
reproducible builds.  Most were PKGBUILDs missing the validpgpkeys array,
which I have fixed.  Here are the details for the rest:

Failure in build:
FAIL: grub - build failed
FAIL: gummiboot - build failed
FAIL: isdn4k-utils - build failed
FAIL: ncurses - build failed
FAIL: reiserfsprogs - build failed

Failure in package():
FAIL: ldns - build failed
FAIL: perl - build failed

Source unavailable:
FAIL: ipw2100-fw - build failed
FAIL: ipw2200-fw - build failed
FAIL: lvm2 - build failed
FAIL: xinetd - build failed

Checksum failure:
FAIL: nilfs-utils - build failed

PGP failure:
FAIL: findutils - build failed
(PGP key is so old that gnupg refuses to retrieve it)


It would be great if these could be addressed.

Allan


[arch-dev-public] Signoff report for [testing]

2015-08-12 Thread Arch Website Notification
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 22 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 28 fully signed off packages
* 35 packages missing signoffs
* 23 packages older than 14 days

(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)


== New packages in [testing] in last 24 hours (22 total) ==

* man-pages-4.02-1 (any)
* tzdata-2015f-1 (any)
* gnupg-2.1.7-1 (i686)
* linux-4.1.5-1 (i686)
* linux-lts-3.14.50-1 (i686)
* openssh-7.0p1-1 (i686)
* pacman-4.2.1-3 (i686)
* sqlite-3.8.11.1-2 (i686)
* gnupg-2.1.7-1 (x86_64)
* linux-4.1.5-1 (x86_64)
* linux-lts-3.14.50-1 (x86_64)
* openssh-7.0p1-1 (x86_64)
* pacman-4.2.1-3 (x86_64)
* sqlite-3.8.11.1-2 (x86_64)
* nvidia-352.30-3 (i686)
* nvidia-304xx-304.125-23 (i686)
* nvidia-340xx-340.76-14 (i686)
* polkit-0.113-2 (i686)
* nvidia-352.30-3 (x86_64)
* nvidia-304xx-304.125-23 (x86_64)
* nvidia-340xx-340.76-14 (x86_64)
* polkit-0.113-2 (x86_64)


== Incomplete signoffs for [core] (17 total) ==

* man-pages-4.02-1 (any)
0/2 signoffs
* tzdata-2015f-1 (any)
0/2 signoffs
* e2fsprogs-1.42.13-1 (i686)
0/1 signoffs
* efivar-0.21-1 (i686)
0/1 signoffs
* iproute2-4.1.1-1 (i686)
0/1 signoffs
* libidn-1.32-1 (i686)
0/1 signoffs
* libseccomp-2.2.3-1 (i686)
0/1 signoffs
* linux-4.1.5-1 (i686)
0/1 signoffs
* linux-lts-3.14.50-1 (i686)
0/1 signoffs
* pacman-4.2.1-3 (i686)
0/1 signoffs
* sqlite-3.8.11.1-2 (i686)
0/1 signoffs
* efivar-0.21-1 (x86_64)
0/2 signoffs
* ldns-1.6.17-3 (x86_64)
1/2 signoffs
* linux-4.1.5-1 (x86_64)
0/2 signoffs
* linux-lts-3.14.50-1 (x86_64)
0/2 signoffs
* pacman-4.2.1-3 (x86_64)
0/2 signoffs
* sqlite-3.8.11.1-2 (x86_64)
1/2 signoffs

== Incomplete signoffs for [extra] (18 total) ==

* exiv2-0.25-2 (i686)
0/1 signoffs
* graphite-1:1.3.0-1 (i686)
0/1 signoffs
* nvidia-352.30-3 (i686)
0/1 signoffs
* nvidia-304xx-304.125-23 (i686)
0/1 signoffs
* nvidia-340xx-340.76-14 (i686)
0/1 signoffs
* polkit-0.113-2 (i686)
0/1 signoffs
* sddm-0.11.0-2 (i686)
0/1 signoffs
* subversion-1.9.0-1 (i686)
0/1 signoffs
* twisted-15.3.0-1 (i686)
0/1 signoffs
* exiv2-0.25-2 (x86_64)
0/2 signoffs
* graphite-1:1.3.0-1 (x86_64)
0/2 signoffs
* nvidia-352.30-3 (x86_64)
0/2 signoffs
* nvidia-304xx-304.125-23 (x86_64)
0/2 signoffs
* nvidia-340xx-340.76-14 (x86_64)
0/2 signoffs
* polkit-0.113-2 (x86_64)
0/2 signoffs
* sddm-0.11.0-2 (x86_64)
0/2 signoffs
* subversion-1.9.0-1 (x86_64)
0/2 signoffs
* twisted-15.3.0-1 (x86_64)
0/2 signoffs


== Completed signoffs (28 total) ==

* wireless-regdb-2015.06.05-1 (any)
* ed-1.12-1 (i686)
* gettext-0.19.5-1 (i686)
* gnupg-2.1.7-1 (i686)
* gpgme-1.5.5-1 (i686)
* hdparm-9.48-1 (i686)
* kbd-2.0.3-1 (i686)
* ldns-1.6.17-3 (i686)
* libassuan-2.2.1-1 (i686)
* openssh-7.0p1-1 (i686)
* pam-1.2.1-1 (i686)
* pinentry-0.9.5-1 (i686)
* xfsprogs-3.2.3-1 (i686)
* e2fsprogs-1.42.13-1 (x86_64)
* ed-1.12-1 (x86_64)
* gettext-0.19.5-1 (x86_64)
* gnupg-2.1.7-1 (x86_64)
* gpgme-1.5.5-1 (x86_64)
* hdparm-9.48-1 (x86_64)
* iproute2-4.1.1-1 (x86_64)
* kbd-2.0.3-1 (x86_64)
* libassuan-2.2.1-1 (x86_64)
* libidn-1.32-1 (x86_64)
* libseccomp-2.2.3-1 (x86_64)
* openssh-7.0p1-1 (x86_64)
* pam-1.2.1-1 (x86_64)
* pinentry-0.9.5-1 (x86_64)
* xfsprogs-3.2.3-1 (x86_64)


== All packages in [testing] for more than 14 days (23 total) ==

* hdparm-9.48-1 (i686), since 2015-07-09
* hdparm-9.48-1 (x86_64), since 2015-07-09
* libassuan-2.2.1-1 (i686), since 2015-07-09
* libassuan-2.2.1-1 (x86_64), since 2015-07-09
* pinentry-0.9.5-1 (i686), since 2015-07-09
* pinentry-0.9.5-1 (x86_64), since 2015-07-09
* gpgme-1.5.5-1 (i686), since 2015-07-09
* gpgme-1.5.5-1 (x86_64), since 2015-07-09
* wireless-regdb-2015.06.05-1 (any), since 2015-07-09
* xfsprogs-3.2.3-1 (i686), since 2015-07-10
* xfsprogs-3.2.3-1 (x86_64), since 2015-07-10
* ed-1.12-1 (i686), since 2015-07-10
* ed-1.12-1 (x86_64), since 2015-07-10
* gettext-0.19.5-1 (i686), since 2015-07-11
* gettext-0.19.5-1 (x86_64), since 2015-07-11
* kbd-2.0.3-1 (i686), since 2015-07-14
* kbd-2.0.3-1 (x86_64), since 2015-07-14
* efivar-0.21-1 (i686), since 2015-07-16
* efivar-0.21-1 (x86_64), since 2015-07-16
* pam-1.2.1-1 (i686), since 2015-07-18
* pam-1.2.1-1 (x86_64), since 2015-07-18
* libseccomp-2.2.3-1 (i686), since 2015-07-20
* libseccomp-2.2.3-1 (x86_64), since 2015-07-20


== Top five in signoffs in last 24 hours ==

1. bisson - 4 signoffs
2. foutrelis - 3 signoffs
3. eworm - 2 signoffs