From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Ed Maste
Cc: freebsd-security@freebsd.org
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
Date: Sat, 10 May 2025 19:46:18 +0000 (UTC)
Message-ID: <263908r7-69n4-48n0-22oo-pr1sn1p87779@yvfgf.mnoonqbm.arg>
References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> <1a1ceefc-ed0b-4602-b250-2a407dd7dbd1@mtasv.net>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Tue, 15 Apr 2025, Ed Maste wrote:

Hi,

just replying to the last email in the thread.

> On Thu, 10 Apr 2025 at 19:21, Dr Jim Allen wrote:
>>
>> Two things.
>>
>> a) Why remove the build config option?
>> I know the code is being removed at some point, but until it is, why not
>> leave it as an option (defaulted off)?
>
> There's no user-facing interface to run upstream's configure script as
> part of the FreeBSD build system, so enabling DSA in the FreeBSD base
> system already required having a patched tree. Committing this removal
> now has no user-facing impact, but means that we can separately decide
> what to merge to stable branches: in particular, it is possible for us
> to merge 10.0p2 to stable branches with DSA support still present.

You have to love OpenBSD folks. They don't even make it graceful:
(made a sample config after hitting it for demonstration purposes)

~/.ssh/config line 6: Bad key types '+ssh-rsa,ssh-dss'.
~/.ssh/config: terminating, 1 bad configuration options

You need to edit all your config down and remove the now invalid key
type or you cannot ssh out to anything anymore. Could have ignored
that Host entry and be done...

Ed, I think it warrants an UPDATING entry...

That also means dedicated config files for main vs. stable machines for
the grace period we have to still be able to use an older version...
or concatenate two files depending on freebsd-version -u or other
magic, as with ssh -F they only accept the last given option as well
and not multiple. *sigh*

I assume alias ssh-dss ssh -F ~/.ssh/config.dss or similar will do the
job for now.

/bz

-- 
Bjoern A. Zeeb                                                     r15:7
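Added example (shell, not from Bjoern's mail, the FreeBSD project or OpenSSH): one way to keep a single DSA-bearing source config and still ssh out from both an ssh(1) that accepts ssh-dss and one that no longer does. It decides from the key-type list that `ssh -Q key` prints, and derives a stripped copy for the DSA-less binary so the "Bad key types" hard failure shown above never triggers. The file names ~/.ssh/config.dss and ~/.ssh/config.nodss, the sample config and the two `ssh -Q key` listings are constructed for the demonstration; only the "Keyword value" config form is handled, not "Keyword=value".

```shell
#!/bin/sh
# Added example, not OpenSSH's or FreeBSD's code.  Helpers:
#   ssh_knows_dss    - from `ssh -Q key` output, does this ssh(1) still list ssh-dss?
#   strip_dss_config - rewrite ssh_config text so a DSA-less ssh(1) parses it
#   pick_config      - choose ~/.ssh/config.dss or ~/.ssh/config.nodss (assumed paths)

# $1 = output of `ssh -Q key`, one key type per line.
# Exit 0 if ssh-dss is still a known key type, 1 otherwise.
ssh_knows_dss() {
    printf '%s\n' "$1" | grep -qx 'ssh-dss'
}

# Read ssh_config text on stdin; write a copy on stdout with ssh-dss (and its
# certificate form) removed from the key-type list directives.  A directive
# whose list becomes empty is dropped entirely, since a bare "+" would itself
# be rejected.  Indentation and the +/-/^ list prefix are preserved.
strip_dss_config() {
    awk '
    {
        key = tolower($1)
        if (key != "hostkeyalgorithms" &&
            key != "pubkeyacceptedalgorithms" &&
            key != "pubkeyacceptedkeytypes") { print; next }

        match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
        list = $2; prefix = ""
        c = substr(list, 1, 1)
        if (c == "+" || c == "-" || c == "^") { prefix = c; list = substr(list, 2) }

        n = split(list, algs, ","); out = ""
        for (i = 1; i <= n; i++) {
            if (algs[i] == "ssh-dss" || algs[i] == "ssh-dss-cert-v01@openssh.com")
                continue
            out = out (out == "" ? "" : ",") algs[i]
        }
        if (out == "") next
        print indent $1 " " prefix out
    }'
}

# $1 = `ssh -Q key` output.  Print the config path to hand to ssh -F.
pick_config() {
    if ssh_knows_dss "$1"; then
        echo "$HOME/.ssh/config.dss"
    else
        echo "$HOME/.ssh/config.nodss"
    fi
}

# Constructed sample config reproducing the failing "+ssh-rsa,ssh-dss" line.
SAMPLE_CONFIG='Host legacy-router
    HostName 192.0.2.1
    HostKeyAlgorithms +ssh-rsa,ssh-dss
    PubkeyAcceptedAlgorithms +ssh-dss
Host *
    IdentitiesOnly yes
'

# Constructed `ssh -Q key` listings: a DSA-less ssh(1) and an older one.
KEYS_NEW='ssh-ed25519
ssh-rsa
ecdsa-sha2-nistp256'
KEYS_OLD='ssh-ed25519
ssh-rsa
ssh-dss'

# Stand-alone demo on the constructed data (no ssh binary needed).
printf '%s' "$SAMPLE_CONFIG" | strip_dss_config
echo "new ssh would use: $(pick_config "$KEYS_NEW")"
echo "old ssh would use: $(pick_config "$KEYS_OLD")"
```

In use, generate the stripped copy once with `strip_dss_config < ~/.ssh/config.dss > ~/.ssh/config.nodss`, then invoke `ssh -F "$(pick_config "$(ssh -Q key)")" host` from a wrapper or alias; since -F takes a single file, the selection has to happen before ssh is called rather than by passing both files.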