From: Fabian Grünbichler
To: Wolfgang Bumiller, Daniel Kral
Cc: pve-devel@lists.proxmox.com
Date: Fri, 27 Jun 2025 07:04:56 +0200 (CEST)
Subject: Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
Message-ID: <2091234171.9248.1751000696115@192.168.2.153>
In-Reply-To: <36vrlauguwm7hnyjc3gybfea4tuqiymodmfkycmhydyo3bfweq@wsuqmlnmuhjc>
References: <20250625095631.85466-1-d.kral@proxmox.com> <36vrlauguwm7hnyjc3gybfea4tuqiymodmfkycmhydyo3bfweq@wsuqmlnmuhjc>

> Wolfgang Bumiller wrote on 26.06.2025 13:36 CEST:
>
> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> > OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> > is the base version that will be shipped for Debian 13 trixie [1]. Since
> > it has been marked deprecated for some time and generating DSA
> > signatures with OpenSSH 10.0 will fail, remove it.
>
> We should probably actively remove existing dsa host keys in case a
> container template ships them, just to make sure older distro containers
> won't end up all sharing the same DSA key when created on a trixie
> pve...
> > In fact, maybe we should remove all files matching > `/etc/ssh/ssh_host_*` in the setup code, in case there are types we > missed? that sounds like a good idea, but should probably be visibly logged. for legacy distros (which are not the best fit for containers anyway) it's always possible to generate keys if needed inside the container afterwards.. > > [0] https://www.openssh.com/txt/release-10.0 > > [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html > > > > Signed-off-by: Daniel Kral > > --- > > Sending it as a RFC as I'm unsure if there's any other repercussions > > removing it here. AFAICS it seems this is the only site where we > > generate DSA signatures. > > > > src/PVE/LXC/Setup/Base.pm | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm > > index 6bdfb8d..dbfc775 100644 > > --- a/src/PVE/LXC/Setup/Base.pm > > +++ b/src/PVE/LXC/Setup/Base.pm > > @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate { > > > > return { > > rsa => 'ssh_host_rsa_key', > > - dsa => 'ssh_host_dsa_key', > > ecdsa => 'ssh_host_ecdsa_key', > > ed25519 => 'ssh_host_ed25519_key', > > }; > > -- > > 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
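Review bot: a template-shipped `ssh_host_dsa_key` is not dealt with at the one line this hunk touches in `ssh_host_key_types_to_generate`; with `dsa` gone from the returned map, nothing visible here removes or replaces a DSA host key (or its `.pub`) that already exists in the template, so containers created from such a template could all keep the same key, as raised in the reply. Consider deleting existing `ssh_host_dsa_key` files (or everything matching `/etc/ssh/ssh_host_*`) in the setup code before the remaining types are generated, logging each removal visibly, and adding a short comment above the map saying that DSA is intentionally omitted because OpenSSH 10.0 removed support for it.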
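The cleanup discussed in the thread (remove every `/etc/ssh/ssh_host_*` file a template ships and log each removal visibly), sketched as an added example that is not pve-container code and not part of the original mail. The function names, the rootfs-path argument and the symlink refusal are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: purge SSH host keys shipped inside a container template.
# Function names and the rootfs argument are assumptions, not pve-container code.

# Remove every etc/ssh/ssh_host_* entry below ROOTFS, log each removal to
# stderr, and print the number of removed entries on stdout.
purge_template_host_keys() {
    rootfs=$1
    sshdir="$rootfs/etc/ssh"
    removed=0
    # Assumption: refuse symlinked directories so an untrusted template
    # cannot redirect the removal to a path outside the rootfs.
    if [ -L "$rootfs/etc" ] || [ -L "$sshdir" ]; then
        echo "refusing to clean $sshdir: symlink in path" >&2
        return 1
    fi
    for f in "$sshdir"/ssh_host_*; do
        # An unmatched glob stays literal; -L also catches dangling symlinks.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # Leave real directories alone; rm -f on a symlink drops only the link.
        if [ -d "$f" ] && [ ! -L "$f" ]; then continue; fi
        rm -f -- "$f"
        rel=${f#"$rootfs"}
        echo "removed template-shipped host key file: $rel" >&2
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Build a constructed sample rootfs (empty placeholder files, no real keys).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    for kt in rsa dsa; do
        : > "$d/etc/ssh/ssh_host_${kt}_key"
        : > "$d/etc/ssh/ssh_host_${kt}_key.pub"
    done
    : > "$d/etc/ssh/sshd_config"
    echo "$d"
}

# Demo run on the constructed rootfs.
demo_root=$(make_sample_rootfs)
purge_template_host_keys "$demo_root"
rm -rf "$demo_root"
```

Key generation for the supported types would run after this step, so every container starts with fresh keys regardless of what the template contained.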