From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id C59381FF15C
	for <inbox@lore.proxmox.com>; Fri, 27 Jun 2025 07:04:56 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id B684FC9A7;
	Fri, 27 Jun 2025 07:05:30 +0200 (CEST)
Date: Fri, 27 Jun 2025 07:04:56 +0200 (CEST)
From: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: Wolfgang Bumiller <w.bumiller@proxmox.com>,
 Daniel Kral <d.kral@proxmox.com>
Message-ID: <2091234171.9248.1751000696115@192.168.2.153>
In-Reply-To: <36vrlauguwm7hnyjc3gybfea4tuqiymodmfkycmhydyo3bfweq@wsuqmlnmuhjc>
References: <20250625095631.85466-1-d.kral@proxmox.com>
 <36vrlauguwm7hnyjc3gybfea4tuqiymodmfkycmhydyo3bfweq@wsuqmlnmuhjc>
MIME-Version: 1.0
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.6-Rev78
X-Originating-Client: open-xchange-appsuite
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.044 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [RFC container] setup: remove deprecated dsa from
 ssh host key generation
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: pve-devel@lists.proxmox.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>


> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
> 
>  
> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> > OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> > is the base version that will be shipped for Debian 13 trixie [1]. Since
> > it has been marked deprecated for some time and generating DSA
> > signatures with OpenSSH 10.0 will fail, remove it.
> 
> We should probably actively remove existing dsa host keys in case a
> container template ships them, just to make sure older distro containers
> won't end up all sharing the same DSA key when created on a trixie
> pve...
> 
> In fact, maybe we should remove all files matching
> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> missed?

that sounds like a good idea, but should probably be visibly logged.

for legacy distros (which are not the best fit for containers anyway)
it's always possible to generate keys if needed inside the container
afterwards..
 
> > [0] https://www.openssh.com/txt/release-10.0
> > [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
> > 
> > Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> > ---
> > Sending it as a RFC as I'm unsure if there's any other repercussions
> > removing it here. AFAICS it seems this is the only site where we
> > generate DSA signatures.
> > 
> >  src/PVE/LXC/Setup/Base.pm | 1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> > index 6bdfb8d..dbfc775 100644
> > --- a/src/PVE/LXC/Setup/Base.pm
> > +++ b/src/PVE/LXC/Setup/Base.pm
> > @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
> >  
> >      return {
> >          rsa => 'ssh_host_rsa_key',
> > -        dsa => 'ssh_host_dsa_key',
> >          ecdsa => 'ssh_host_ecdsa_key',
> >          ed25519 => 'ssh_host_ed25519_key',
> >      };
> > -- 
> > 2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel