[pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Daniel Kral]

OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
is the base version that will be shipped for Debian 13 trixie [1]. Since
it has been marked deprecated for some time and generating DSA
signatures with OpenSSH 10.0 will fail, remove it.

[0] https://www.openssh.com/txt/release-10.0
[1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Sending it as a RFC as I'm unsure if there's any other repercussions
removing it here. AFAICS it seems this is the only site where we
generate DSA signatures.

 src/PVE/LXC/Setup/Base.pm | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 6bdfb8d..dbfc775 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
 
     return {
         rsa => 'ssh_host_rsa_key',
-        dsa => 'ssh_host_dsa_key',
         ecdsa => 'ssh_host_ecdsa_key',
         ed25519 => 'ssh_host_ed25519_key',
     };
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Wolfgang Bumiller]

On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> is the base version that will be shipped for Debian 13 trixie [1]. Since
> it has been marked deprecated for some time and generating DSA
> signatures with OpenSSH 10.0 will fail, remove it.

We should probably actively remove existing dsa host keys in case a
container template ships them, just to make sure older distro containers
won't end up all sharing the same DSA key when created on a trixie
pve...

In fact, maybe we should remove all files matching
`/etc/ssh/ssh_host_*` in the setup code, in case there are types we
missed?

> 
> [0] https://www.openssh.com/txt/release-10.0
> [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
> 
> Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> ---
> Sending it as a RFC as I'm unsure if there's any other repercussions
> removing it here. AFAICS it seems this is the only site where we
> generate DSA signatures.
> 
>  src/PVE/LXC/Setup/Base.pm | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index 6bdfb8d..dbfc775 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
>  
>      return {
>          rsa => 'ssh_host_rsa_key',
> -        dsa => 'ssh_host_dsa_key',
>          ecdsa => 'ssh_host_ecdsa_key',
>          ed25519 => 'ssh_host_ed25519_key',
>      };
> -- 
> 2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Fabian Grünbichler]

> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
> 
>  
> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> > OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> > is the base version that will be shipped for Debian 13 trixie [1]. Since
> > it has been marked deprecated for some time and generating DSA
> > signatures with OpenSSH 10.0 will fail, remove it.
> 
> We should probably actively remove existing dsa host keys in case a
> container template ships them, just to make sure older distro containers
> won't end up all sharing the same DSA key when created on a trixie
> pve...
> 
> In fact, maybe we should remove all files matching
> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> missed?

that sounds like a good idea, but should probably be visibly logged.

for legacy distros (which are not the best fit for containers anyway)
it's always possible to generate keys if needed inside the container
afterwards..
 
> > [0] https://www.openssh.com/txt/release-10.0
> > [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
> > 
> > Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> > ---
> > Sending it as a RFC as I'm unsure if there's any other repercussions
> > removing it here. AFAICS it seems this is the only site where we
> > generate DSA signatures.
> > 
> >  src/PVE/LXC/Setup/Base.pm | 1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> > index 6bdfb8d..dbfc775 100644
> > --- a/src/PVE/LXC/Setup/Base.pm
> > +++ b/src/PVE/LXC/Setup/Base.pm
> > @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
> >  
> >      return {
> >          rsa => 'ssh_host_rsa_key',
> > -        dsa => 'ssh_host_dsa_key',
> >          ecdsa => 'ssh_host_ecdsa_key',
> >          ed25519 => 'ssh_host_ed25519_key',
> >      };
> > -- 
> > 2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Daniel Kral]

On 6/27/25 07:04, Fabian Grünbichler wrote:
> 
>> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
>>
>>   
>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
>>> it has been marked deprecated for some time and generating DSA
>>> signatures with OpenSSH 10.0 will fail, remove it.
>>
>> We should probably actively remove existing dsa host keys in case a
>> container template ships them, just to make sure older distro containers
>> won't end up all sharing the same DSA key when created on a trixie
>> pve...
>>
>> In fact, maybe we should remove all files matching
>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
>> missed?
> 
> that sounds like a good idea, but should probably be visibly logged.
> 
> for legacy distros (which are not the best fit for containers anyway)
> it's always possible to generate keys if needed inside the container
> afterwards..

So something like

     sub remove_existing_ssh_host_keys {
         my ($self, $conf) = @_;

         my $ssh_dir = "$self->{rootdir}/etc/ssh";

         return if !-d $ssh_dir;

         my $keyfiles = [];
         PVE::Tools::dir_glob_foreach(
             $ssh_dir,
             qr/ssh_host_.*/,
             sub {
                 my ($key_filename) = @_;

                 next if $self->ct_is_file_ignored($key_filename);

                 print "Removing pre-existing ssh host key 
'$key_filename' ...\n";

                 push $keyfiles->@*, $key_filename;
             }
         );

         $self->protected_call(sub {
             for my $key_filename ($keyfiles->@*) {
                 $self->ct_unlink($key_filename);
             }
         });
     }

and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that 
unmanaged containers are not affected by this?


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Fabian Grünbichler]

> Daniel Kral <d.kral@proxmox.com> hat am 27.06.2025 10:20 CEST geschrieben:
> 
>  
> On 6/27/25 07:04, Fabian Grünbichler wrote:
> > 
> >> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
> >>
> >>   
> >> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> >>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> >>> is the base version that will be shipped for Debian 13 trixie [1]. Since
> >>> it has been marked deprecated for some time and generating DSA
> >>> signatures with OpenSSH 10.0 will fail, remove it.
> >>
> >> We should probably actively remove existing dsa host keys in case a
> >> container template ships them, just to make sure older distro containers
> >> won't end up all sharing the same DSA key when created on a trixie
> >> pve...
> >>
> >> In fact, maybe we should remove all files matching
> >> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> >> missed?
> > 
> > that sounds like a good idea, but should probably be visibly logged.
> > 
> > for legacy distros (which are not the best fit for containers anyway)
> > it's always possible to generate keys if needed inside the container
> > afterwards..
> 
> So something like
> 
>      sub remove_existing_ssh_host_keys {
>          my ($self, $conf) = @_;
> 
>          my $ssh_dir = "$self->{rootdir}/etc/ssh";
> 
>          return if !-d $ssh_dir;
> 
>          my $keyfiles = [];
>          PVE::Tools::dir_glob_foreach(
>              $ssh_dir,
>              qr/ssh_host_.*/,
>              sub {
>                  my ($key_filename) = @_;
> 
>                  next if $self->ct_is_file_ignored($key_filename);
> 
>                  print "Removing pre-existing ssh host key 
> '$key_filename' ...\n";
> 
>                  push $keyfiles->@*, $key_filename;
>              }
>          );
> 
>          $self->protected_call(sub {
>              for my $key_filename ($keyfiles->@*) {
>                  $self->ct_unlink($key_filename);
>              }
>          });
>      }
> 
> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that 
> unmanaged containers are not affected by this?

we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
called unconditionally in Setup::post_create_hook even for unmanaged
containers, given that precedent I think we can just extend that..

while we are at it we could add .ignore support if we really want to
have an option of skipping deletion and regeneration..


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Daniel Kral]

On 6/27/25 10:46, Fabian Grünbichler wrote:
> 
>> Daniel Kral <d.kral@proxmox.com> hat am 27.06.2025 10:20 CEST geschrieben:
>>
>>   
>> On 6/27/25 07:04, Fabian Grünbichler wrote:
>>>
>>>> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
>>>>
>>>>    
>>>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
>>>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>>>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
>>>>> it has been marked deprecated for some time and generating DSA
>>>>> signatures with OpenSSH 10.0 will fail, remove it.
>>>>
>>>> We should probably actively remove existing dsa host keys in case a
>>>> container template ships them, just to make sure older distro containers
>>>> won't end up all sharing the same DSA key when created on a trixie
>>>> pve...
>>>>
>>>> In fact, maybe we should remove all files matching
>>>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
>>>> missed?
>>>
>>> that sounds like a good idea, but should probably be visibly logged.
>>>
>>> for legacy distros (which are not the best fit for containers anyway)
>>> it's always possible to generate keys if needed inside the container
>>> afterwards..
>>
>> So something like
>>
>>       sub remove_existing_ssh_host_keys {
>>           my ($self, $conf) = @_;
>>
>>           my $ssh_dir = "$self->{rootdir}/etc/ssh";
>>
>>           return if !-d $ssh_dir;
>>
>>           my $keyfiles = [];
>>           PVE::Tools::dir_glob_foreach(
>>               $ssh_dir,
>>               qr/ssh_host_.*/,
>>               sub {
>>                   my ($key_filename) = @_;
>>
>>                   next if $self->ct_is_file_ignored($key_filename);
>>
>>                   print "Removing pre-existing ssh host key
>> '$key_filename' ...\n";
>>
>>                   push $keyfiles->@*, $key_filename;
>>               }
>>           );
>>
>>           $self->protected_call(sub {
>>               for my $key_filename ($keyfiles->@*) {
>>                   $self->ct_unlink($key_filename);
>>               }
>>           });
>>       }
>>
>> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
>> unmanaged containers are not affected by this?
> 
> we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> called unconditionally in Setup::post_create_hook even for unmanaged
> containers, given that precedent I think we can just extend that..

Right, then I'll extend that one instead.

> 
> while we are at it we could add .ignore support if we really want to
> have an option of skipping deletion and regeneration..

I added the check ct_is_file_ignored($key_filename) because 
ct_unlink($key_filename) later checks against that and then the log 
message would be wrong, right? Or should the later rewrite_ssh_host_keys 
part also acknowledge ct_is_file_ignored(...)?


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Fabian Grünbichler]

> Daniel Kral <d.kral@proxmox.com> hat am 27.06.2025 10:59 CEST geschrieben:
> 
>  
> On 6/27/25 10:46, Fabian Grünbichler wrote:
> > 
> >> Daniel Kral <d.kral@proxmox.com> hat am 27.06.2025 10:20 CEST geschrieben:
> >>
> >>   
> >> On 6/27/25 07:04, Fabian Grünbichler wrote:
> >>>
> >>>> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
> >>>>
> >>>>    
> >>>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> >>>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> >>>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
> >>>>> it has been marked deprecated for some time and generating DSA
> >>>>> signatures with OpenSSH 10.0 will fail, remove it.
> >>>>
> >>>> We should probably actively remove existing dsa host keys in case a
> >>>> container template ships them, just to make sure older distro containers
> >>>> won't end up all sharing the same DSA key when created on a trixie
> >>>> pve...
> >>>>
> >>>> In fact, maybe we should remove all files matching
> >>>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> >>>> missed?
> >>>
> >>> that sounds like a good idea, but should probably be visibly logged.
> >>>
> >>> for legacy distros (which are not the best fit for containers anyway)
> >>> it's always possible to generate keys if needed inside the container
> >>> afterwards..
> >>
> >> So something like
> >>
> >>       sub remove_existing_ssh_host_keys {
> >>           my ($self, $conf) = @_;
> >>
> >>           my $ssh_dir = "$self->{rootdir}/etc/ssh";
> >>
> >>           return if !-d $ssh_dir;
> >>
> >>           my $keyfiles = [];
> >>           PVE::Tools::dir_glob_foreach(
> >>               $ssh_dir,
> >>               qr/ssh_host_.*/,
> >>               sub {
> >>                   my ($key_filename) = @_;
> >>
> >>                   next if $self->ct_is_file_ignored($key_filename);
> >>
> >>                   print "Removing pre-existing ssh host key
> >> '$key_filename' ...\n";
> >>
> >>                   push $keyfiles->@*, $key_filename;
> >>               }
> >>           );
> >>
> >>           $self->protected_call(sub {
> >>               for my $key_filename ($keyfiles->@*) {
> >>                   $self->ct_unlink($key_filename);
> >>               }
> >>           });
> >>       }
> >>
> >> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
> >> unmanaged containers are not affected by this?
> > 
> > we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> > called unconditionally in Setup::post_create_hook even for unmanaged
> > containers, given that precedent I think we can just extend that..
> 
> Right, then I'll extend that one instead.
> 
> > 
> > while we are at it we could add .ignore support if we really want to
> > have an option of skipping deletion and regeneration..
> 
> I added the check ct_is_file_ignored($key_filename) because 
> ct_unlink($key_filename) later checks against that and then the log 
> message would be wrong, right? Or should the later rewrite_ssh_host_keys 
> part also acknowledge ct_is_file_ignored(...)?

yes, if we ignore something then the file should be neither deleted nor
rewritten, IMHO. it should probably be logged that it is left
untouched though ;)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Daniel Kral]

On 6/27/25 10:46, Fabian Grünbichler wrote:
> we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> called unconditionally in Setup::post_create_hook even for unmanaged
> containers, given that precedent I think we can just extend that..

Oh wait, just was reminded that rewrite_ssh_host_keys is unconditionally 
called in Setup::post_create_hook, but ssh_host_key_types_to_generate is 
overwritten in Setup::Unmanaged to return empty, i.e. do not rewrite any 
ssh host keys.

Should we still extend it here or keep it in 
Setup::Base::post_create_hook(...)? Else I send a tested patch with 
those changes afterwards :)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation

[Fabian Grünbichler]

> Daniel Kral <d.kral@proxmox.com> hat am 27.06.2025 11:44 CEST geschrieben:
> 
>  
> On 6/27/25 10:46, Fabian Grünbichler wrote:
> > we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> > called unconditionally in Setup::post_create_hook even for unmanaged
> > containers, given that precedent I think we can just extend that..
> 
> Oh wait, just was reminded that rewrite_ssh_host_keys is unconditionally 
> called in Setup::post_create_hook, but ssh_host_key_types_to_generate is 
> overwritten in Setup::Unmanaged to return empty, i.e. do not rewrite any 
> ssh host keys.
> 
> Should we still extend it here or keep it in 
> Setup::Base::post_create_hook(...)? Else I send a tested patch with 
> those changes afterwards :)

in that case both would be fine, and rewriting and deletion should both
be skipped for unmanaged.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel