Re: Removing DSS and other unreasonable algorithms (Was: Missing signed-off for pkg chacha20 patches)

["Richard W.M. Jones" <rjones@xxxxxxxxxx>]

On Tue, Jun 19, 2018 at 03:45:26PM +0100, Richard W.M. Jones wrote:
> On Tue, Jun 19, 2018 at 04:35:49PM +0200, Jakub Jelen wrote:
> > On Thu, 2018-06-14 at 16:03 +0200, Andreas Schneider wrote:
> > > [...]
> > > 
> > > Looks like openssh removed support for ssh-dss. At least my openssh
> > > 7.7 
> > > doesn't know about it at all.
> > 
> > The OpenSSH 7.7p1 still has the support for ssh-dss keys, but they are
> > disabled by default for any use, unless you enable them using
> > PubkeyAcceptedKeyTypes and friend configuration options. The reason why
> > it is still there is probably because the DSA keys are mandatory part
> > (REQUIRED) of RFC4253 (Section 6.6).
> > 
> > > I would remove it from libssh after the release of 0.8 together with
> > > SSHv1 
> > > support.
> > > 
> > > I think we can remove it from pkd already? Comments?
> > 
> > Removing the ancient SSHv1, blowfish and other unreasonable algorithms
> > makes sense for me.
> 
> Can we keep them in some way that allows us to connect to
> RHEL 5 - era systems?
> 
> The background to this is that we currently use libssh2 (and intend to
> use libssh in the near future) to move VM workloads off old Xen
> machines, and we do all that over ssh.
> 
> I'll just boot up a RHEL 5 instance to find out what algorithms it
> offers ...

Attached is the ssh -v log from connecting to RHEL 5.11 using
recent OpenSSH client.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

OpenSSH_7.6p1, OpenSSL 1.1.0g-fips  2 Nov 2017
debug1: Reading configuration data /home/rjones/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Connecting to 192.168.0.81 [192.168.0.81] port 22.
debug1: Connection established.
debug1: identity file /home/rjones/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/rjones/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4* compat 0x00000000
debug1: Authenticating to 192.168.0.81:22 as 'rjones'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha1 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha1 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:PYACqyT43EOlJLA347l94NBWkLnlcOvzb1+HQ1HGPMU
debug1: Host '192.168.0.81' is known and matches the RSA host key.
debug1: Found key in /home/rjones/.ssh/known_hosts:184
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1000)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1000)

debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:KHzfS4DzzrkDQR2ElIkDrf/6I+5zY2h35castriMv/o /home/rjones/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: RSA SHA256:SnCnRBZmrJBCiBO2LbKH1BGPTEzG0Q1+MgR19rbEip4 /home/rjones/.ssh/id_rsa-fedora
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/rjones/.ssh/id_dsa
debug1: Trying private key: /home/rjones/.ssh/id_ecdsa
debug1: Trying private key: /home/rjones/.ssh/id_ed25519
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to 192.168.0.81 ([192.168.0.81]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8