* [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation @ 2025-06-25 9:56 Daniel Kral 2025-06-26 11:36 ` Wolfgang Bumiller 0 siblings, 1 reply; 9+ messages in thread From: Daniel Kral @ 2025-06-25 9:56 UTC (permalink / raw) To: pve-devel OpenSSH 10.0 removes support for the DSA signature algorithm [0], which is the base version that will be shipped for Debian 13 trixie [1]. Since it has been marked deprecated for some time and generating DSA signatures with OpenSSH 10.0 will fail, remove it. [0] https://www.openssh.com/txt/release-10.0 [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html Signed-off-by: Daniel Kral <d.kral@proxmox.com> --- Sending it as a RFC as I'm unsure if there's any other repercussions removing it here. AFAICS it seems this is the only site where we generate DSA signatures. src/PVE/LXC/Setup/Base.pm | 1 - 1 file changed, 1 deletion(-) diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm index 6bdfb8d..dbfc775 100644 --- a/src/PVE/LXC/Setup/Base.pm +++ b/src/PVE/LXC/Setup/Base.pm @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate { return { rsa => 'ssh_host_rsa_key', - dsa => 'ssh_host_dsa_key', ecdsa => 'ssh_host_ecdsa_key', ed25519 => 'ssh_host_ed25519_key', }; -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 9+ messages in thread
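Review bot: the hunk only stops generating a DSA key; it does nothing about an ssh_host_dsa_key / ssh_host_dsa_key.pub pair that a container template already ships, and since this hash is what decides which host key files get replaced, such a pair would now survive setup and be identical in every container created from that template. Consider unlinking /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub in the same change (with a visible log line), or removing every /etc/ssh/ssh_host_* file before regeneration, so that dropping the type does not quietly turn into a shared-host-key problem for templates built with an older OpenSSH.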
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-25  9:56 [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation Daniel Kral
@ 2025-06-26 11:36 ` Wolfgang Bumiller
  2025-06-27  5:04   ` Fabian Grünbichler
  0 siblings, 1 reply; 9+ messages in thread
From: Wolfgang Bumiller @ 2025-06-26 11:36 UTC (permalink / raw)
  To: Daniel Kral; +Cc: pve-devel

On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> is the base version that will be shipped for Debian 13 trixie [1]. Since
> it has been marked deprecated for some time and generating DSA
> signatures with OpenSSH 10.0 will fail, remove it.

We should probably actively remove existing dsa host keys in case a
container template ships them, just to make sure older distro containers
won't end up all sharing the same DSA key when created on a trixie
pve...

In fact, maybe we should remove all files matching
`/etc/ssh/ssh_host_*` in the setup code, in case there are types we
missed?

>
> [0] https://www.openssh.com/txt/release-10.0
> [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
>
> Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> ---
> Sending it as a RFC as I'm unsure if there's any other repercussions
> removing it here. AFAICS it seems this is the only site where we
> generate DSA signatures.
>
> src/PVE/LXC/Setup/Base.pm | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index 6bdfb8d..dbfc775 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate { > > return { > rsa => 'ssh_host_rsa_key', > - dsa => 'ssh_host_dsa_key', > ecdsa => 'ssh_host_ecdsa_key', > ed25519 => 'ssh_host_ed25519_key', > }; > -- > 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 9+ messages in thread
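The shared-key situation described in the message above (several containers created from one template, all carrying the template's host key) is easy to check for from the host. The following is an added example, not Proxmox code: it fingerprints every `ssh_host_*_key.pub` under a set of container root filesystems the way `ssh-keygen -lf` does (SHA-256 over the wire-format blob, base64 without padding), reports fingerprints seen under more than one rootfs, and flags DSA (`ssh-dss`) keys, which OpenSSH 10.0 no longer supports. It assumes the usual `<rootfs>/etc/ssh/ssh_host_<type>_key.pub` layout and the `<type> <base64 blob> [comment]` line format; the sample keys it builds are constructed from arbitrary bytes and are not real key material.

```python
"""Added example (not Proxmox code): find SSH host keys that more than one
container root filesystem carries, and flag DSA (ssh-dss) host keys.
Assumed layout: <rootfs>/etc/ssh/ssh_host_<type>_key.pub, one
'<type> <base64 blob> [comment]' line per file.  Sample keys below are
constructed from arbitrary bytes, not real key material."""

import base64
import hashlib
import os
import struct
import tempfile


def fingerprint(blob: bytes) -> str:
    # Same value ssh-keygen -lf prints: SHA-256 over the wire-format blob,
    # base64 without '=' padding.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str):
    """Return (key type, fingerprint) for one public key line, checking that
    the type string inside the blob matches the textual prefix."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != keytype.encode():
        raise ValueError(f"blob type does not match {keytype!r}")
    return keytype, fingerprint(blob)


def scan_rootfs(rootdirs):
    """Return (shared, dsa): fingerprints seen under more than one rootdir,
    each mapped to its (rootdir, file) locations, plus every DSA key."""
    by_fp, dsa = {}, []
    for root in rootdirs:
        ssh_dir = os.path.join(root, "etc", "ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in sorted(os.listdir(ssh_dir)):
            if not (name.startswith("ssh_host_") and name.endswith("_key.pub")):
                continue
            with open(os.path.join(ssh_dir, name), encoding="ascii") as fh:
                keytype, fp = parse_pubkey_line(fh.readline())
            by_fp.setdefault(fp, []).append((root, name))
            if keytype == "ssh-dss":
                dsa.append((root, name))
    shared = {fp: locs for fp, locs in by_fp.items()
              if len({r for r, _ in locs}) > 1}
    return shared, dsa


# Constructed sample data: wire-format blobs built from arbitrary bytes.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(keytype: str, *fields: bytes) -> str:
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{keytype} {base64.b64encode(blob).decode()} root@template\n"


def build_demo_rootfs(base: str):
    """ct100 and ct101 still carry the template's ed25519 key, ct101 also
    ships a DSA key, ct102 has a key of its own."""
    template_ed = make_pubkey_line("ssh-ed25519", hashlib.sha256(b"template").digest())
    own_ed = make_pubkey_line("ssh-ed25519", hashlib.sha256(b"ct102").digest())
    template_dsa = make_pubkey_line("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04")
    layout = {
        "ct100": {"ssh_host_ed25519_key.pub": template_ed},
        "ct101": {"ssh_host_ed25519_key.pub": template_ed,
                  "ssh_host_dsa_key.pub": template_dsa},
        "ct102": {"ssh_host_ed25519_key.pub": own_ed},
    }
    roots = []
    for ct, files in layout.items():
        ssh_dir = os.path.join(base, ct, "etc", "ssh")
        os.makedirs(ssh_dir)
        for name, content in files.items():
            with open(os.path.join(ssh_dir, name), "w", encoding="ascii") as fh:
                fh.write(content)
        roots.append(os.path.join(base, ct))
    return roots


def demo():
    """Scan the constructed rootfs set; paths come back relative to the
    temporary base so the result is stable."""
    with tempfile.TemporaryDirectory() as base:
        shared, dsa = scan_rootfs(build_demo_rootfs(base))
        return ({fp: [(os.path.relpath(r, base), n) for r, n in locs]
                 for fp, locs in shared.items()},
                [(os.path.relpath(r, base), n) for r, n in dsa])


if __name__ == "__main__":
    shared, dsa = demo()
    for fp, locs in shared.items():
        print(f"{fp} is shared by {locs}")
    for root, name in dsa:
        print(f"DSA host key, unusable with OpenSSH 10.0: {root}/etc/ssh/{name}")
```

On a real host the argument to `scan_rootfs` would be the mounted root directories of the containers (or extracted templates) to compare; any fingerprint that comes back in `shared` is a host key that should be regenerated in all but one of those containers.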
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-26 11:36 ` Wolfgang Bumiller
@ 2025-06-27  5:04 ` Fabian Grünbichler
  2025-06-27  8:20   ` Daniel Kral
  0 siblings, 1 reply; 9+ messages in thread
From: Fabian Grünbichler @ 2025-06-27  5:04 UTC (permalink / raw)
  To: Wolfgang Bumiller, Daniel Kral; +Cc: pve-devel

> Wolfgang Bumiller <w.bumiller@proxmox.com> wrote on 26.06.2025 13:36 CEST:
>
>
> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> > OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> > is the base version that will be shipped for Debian 13 trixie [1]. Since
> > it has been marked deprecated for some time and generating DSA
> > signatures with OpenSSH 10.0 will fail, remove it.
>
> We should probably actively remove existing dsa host keys in case a
> container template ships them, just to make sure older distro containers
> won't end up all sharing the same DSA key when created on a trixie
> pve...
>
> In fact, maybe we should remove all files matching
> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> missed?

that sounds like a good idea, but should probably be visibly logged.

for legacy distros (which are not the best fit for containers anyway)
it's always possible to generate keys if needed inside the container
afterwards..

> > [0] https://www.openssh.com/txt/release-10.0
> > [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
> >
> > Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> > ---
> > Sending it as a RFC as I'm unsure if there's any other repercussions
> > removing it here. AFAICS it seems this is the only site where we
> > generate DSA signatures.
> >
> > src/PVE/LXC/Setup/Base.pm | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> > index 6bdfb8d..dbfc775 100644
> > --- a/src/PVE/LXC/Setup/Base.pm
> > +++ b/src/PVE/LXC/Setup/Base.pm
> > @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate { > > > > return { > > rsa => 'ssh_host_rsa_key', > > - dsa => 'ssh_host_dsa_key', > > ecdsa => 'ssh_host_ecdsa_key', > > ed25519 => 'ssh_host_ed25519_key', > > }; > > -- > > 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  5:04 ` Fabian Grünbichler
@ 2025-06-27  8:20 ` Daniel Kral
  2025-06-27  8:46   ` Fabian Grünbichler
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Kral @ 2025-06-27  8:20 UTC (permalink / raw)
  To: Fabian Grünbichler, Wolfgang Bumiller; +Cc: pve-devel

On 6/27/25 07:04, Fabian Grünbichler wrote:
>
>> Wolfgang Bumiller <w.bumiller@proxmox.com> wrote on 26.06.2025 13:36 CEST:
>>
>>
>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
>>> it has been marked deprecated for some time and generating DSA
>>> signatures with OpenSSH 10.0 will fail, remove it.
>>
>> We should probably actively remove existing dsa host keys in case a
>> container template ships them, just to make sure older distro containers
>> won't end up all sharing the same DSA key when created on a trixie
>> pve...
>>
>> In fact, maybe we should remove all files matching
>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
>> missed?
>
> that sounds like a good idea, but should probably be visibly logged.
>
> for legacy distros (which are not the best fit for containers anyway)
> it's always possible to generate keys if needed inside the container
> afterwards..

So something like

    sub remove_existing_ssh_host_keys {
        my ($self, $conf) = @_;

        my $ssh_dir = "$self->{rootdir}/etc/ssh";

        return if !-d $ssh_dir;

        # collect container-absolute paths: dir_glob_foreach yields bare
        # file names, while the ct_* helpers below run chrooted into the
        # container root via protected_call
        my $keyfiles = [];
        PVE::Tools::dir_glob_foreach(
            $ssh_dir,
            qr/ssh_host_.*/,
            sub {
                my ($key_filename) = @_;
                push $keyfiles->@*, "/etc/ssh/$key_filename";
            }
        );

        $self->protected_call(sub {
            for my $key_path ($keyfiles->@*) {
                # honour a .pve-ignore marker next to the file (checked
                # inside the chroot, so it is the container's marker); a
                # loop control like 'next' is only valid here, not inside
                # the glob callback above
                next if $self->ct_is_file_ignored($key_path);

                print "Removing pre-existing ssh host key '$key_path' ...\n";
                $self->ct_unlink($key_path);
            }
        });
    }

and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
unmanaged containers are not affected by this?
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  8:20 ` Daniel Kral
@ 2025-06-27  8:46 ` Fabian Grünbichler
  2025-06-27  8:59   ` Daniel Kral
  2025-06-27  9:44   ` Daniel Kral
  0 siblings, 2 replies; 9+ messages in thread
From: Fabian Grünbichler @ 2025-06-27  8:46 UTC (permalink / raw)
  To: Daniel Kral, Wolfgang Bumiller; +Cc: pve-devel

> Daniel Kral <d.kral@proxmox.com> wrote on 27.06.2025 10:20 CEST:
>
>
> On 6/27/25 07:04, Fabian Grünbichler wrote:
> >
> >> Wolfgang Bumiller <w.bumiller@proxmox.com> wrote on 26.06.2025 13:36 CEST:
> >>
> >>
> >> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> >>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> >>> is the base version that will be shipped for Debian 13 trixie [1]. Since
> >>> it has been marked deprecated for some time and generating DSA
> >>> signatures with OpenSSH 10.0 will fail, remove it.
> >>
> >> We should probably actively remove existing dsa host keys in case a
> >> container template ships them, just to make sure older distro containers
> >> won't end up all sharing the same DSA key when created on a trixie
> >> pve...
> >>
> >> In fact, maybe we should remove all files matching
> >> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> >> missed?
> >
> > that sounds like a good idea, but should probably be visibly logged.
> >
> > for legacy distros (which are not the best fit for containers anyway)
> > it's always possible to generate keys if needed inside the container
> > afterwards..
>
> So something like
>
> sub remove_existing_ssh_host_keys {
>     my ($self, $conf) = @_;
>
>     my $ssh_dir = "$self->{rootdir}/etc/ssh";
>
>     return if !-d $ssh_dir;
>
>     my $keyfiles = [];
>     PVE::Tools::dir_glob_foreach(
>         $ssh_dir,
>         qr/ssh_host_.*/,
>         sub {
>             my ($key_filename) = @_;
>
>             next if $self->ct_is_file_ignored($key_filename);
>
>             print "Removing pre-existing ssh host key
> '$key_filename' ...\n";
>
>             push $keyfiles->@*, $key_filename;
>         }
>     );
>
>     $self->protected_call(sub {
>         for my $key_filename ($keyfiles->@*) {
>             $self->ct_unlink($key_filename);
>         }
>     });
> }
>
> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
> unmanaged containers are not affected by this?

we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
called unconditionally in Setup::post_create_hook even for unmanaged
containers, given that precedent I think we can just extend that..

while we are at it we could add .ignore support if we really want to
have an option of skipping deletion and regeneration..
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  8:46 ` Fabian Grünbichler
@ 2025-06-27  8:59 ` Daniel Kral
  2025-06-27  9:06   ` Fabian Grünbichler
  2025-06-27  9:44 ` Daniel Kral
  1 sibling, 1 reply; 9+ messages in thread
From: Daniel Kral @ 2025-06-27  8:59 UTC (permalink / raw)
  To: Fabian Grünbichler, Wolfgang Bumiller; +Cc: pve-devel

On 6/27/25 10:46, Fabian Grünbichler wrote:
>
>> Daniel Kral <d.kral@proxmox.com> wrote on 27.06.2025 10:20 CEST:
>>
>>
>> On 6/27/25 07:04, Fabian Grünbichler wrote:
>>>
>>>> Wolfgang Bumiller <w.bumiller@proxmox.com> wrote on 26.06.2025 13:36 CEST:
>>>>
>>>>
>>>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
>>>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>>>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
>>>>> it has been marked deprecated for some time and generating DSA
>>>>> signatures with OpenSSH 10.0 will fail, remove it.
>>>>
>>>> We should probably actively remove existing dsa host keys in case a
>>>> container template ships them, just to make sure older distro containers
>>>> won't end up all sharing the same DSA key when created on a trixie
>>>> pve...
>>>>
>>>> In fact, maybe we should remove all files matching
>>>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
>>>> missed?
>>>
>>> that sounds like a good idea, but should probably be visibly logged.
>>>
>>> for legacy distros (which are not the best fit for containers anyway)
>>> it's always possible to generate keys if needed inside the container
>>> afterwards..
>>
>> So something like
>>
>> sub remove_existing_ssh_host_keys {
>>     my ($self, $conf) = @_;
>>
>>     my $ssh_dir = "$self->{rootdir}/etc/ssh";
>>
>>     return if !-d $ssh_dir;
>>
>>     my $keyfiles = [];
>>     PVE::Tools::dir_glob_foreach(
>>         $ssh_dir,
>>         qr/ssh_host_.*/,
>>         sub {
>>             my ($key_filename) = @_;
>>
>>             next if $self->ct_is_file_ignored($key_filename);
>>
>>             print "Removing pre-existing ssh host key
>> '$key_filename' ...\n";
>>
>>             push $keyfiles->@*, $key_filename;
>>         }
>>     );
>>
>>     $self->protected_call(sub {
>>         for my $key_filename ($keyfiles->@*) {
>>             $self->ct_unlink($key_filename);
>>         }
>>     });
>> }
>>
>> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
>> unmanaged containers are not affected by this?
>
> we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> called unconditionally in Setup::post_create_hook even for unmanaged
> containers, given that precedent I think we can just extend that..

Right, then I'll extend that one instead.

>
> while we are at it we could add .ignore support if we really want to
> have an option of skipping deletion and regeneration..

I added the check ct_is_file_ignored($key_filename) because
ct_unlink($key_filename) later checks against that and then the log
message would be wrong, right? Or should the later rewrite_ssh_host_keys
part also acknowledge ct_is_file_ignored(...)?
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  8:59 ` Daniel Kral
@ 2025-06-27  9:06 ` Fabian Grünbichler
  0 siblings, 0 replies; 9+ messages in thread
From: Fabian Grünbichler @ 2025-06-27  9:06 UTC (permalink / raw)
  To: Daniel Kral, Wolfgang Bumiller; +Cc: pve-devel

> Daniel Kral <d.kral@proxmox.com> wrote on 27.06.2025 10:59 CEST:
>
>
> On 6/27/25 10:46, Fabian Grünbichler wrote:
> >
> >> Daniel Kral <d.kral@proxmox.com> wrote on 27.06.2025 10:20 CEST:
> >>
> >>
> >> On 6/27/25 07:04, Fabian Grünbichler wrote:
> >>>
> >>>> Wolfgang Bumiller <w.bumiller@proxmox.com> wrote on 26.06.2025 13:36 CEST:
> >>>>
> >>>>
> >>>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> >>>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> >>>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
> >>>>> it has been marked deprecated for some time and generating DSA
> >>>>> signatures with OpenSSH 10.0 will fail, remove it.
> >>>>
> >>>> We should probably actively remove existing dsa host keys in case a
> >>>> container template ships them, just to make sure older distro containers
> >>>> won't end up all sharing the same DSA key when created on a trixie
> >>>> pve...
> >>>>
> >>>> In fact, maybe we should remove all files matching
> >>>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
> >>>> missed?
> >>>
> >>> that sounds like a good idea, but should probably be visibly logged.
> >>>
> >>> for legacy distros (which are not the best fit for containers anyway)
> >>> it's always possible to generate keys if needed inside the container
> >>> afterwards..
> >>
> >> So something like
> >>
> >> sub remove_existing_ssh_host_keys {
> >>     my ($self, $conf) = @_;
> >>
> >>     my $ssh_dir = "$self->{rootdir}/etc/ssh";
> >>
> >>     return if !-d $ssh_dir;
> >>
> >>     my $keyfiles = [];
> >>     PVE::Tools::dir_glob_foreach(
> >>         $ssh_dir,
> >>         qr/ssh_host_.*/,
> >>         sub {
> >>             my ($key_filename) = @_;
> >>
> >>             next if $self->ct_is_file_ignored($key_filename);
> >>
> >>             print "Removing pre-existing ssh host key
> >> '$key_filename' ...\n";
> >>
> >>             push $keyfiles->@*, $key_filename;
> >>         }
> >>     );
> >>
> >>     $self->protected_call(sub {
> >>         for my $key_filename ($keyfiles->@*) {
> >>             $self->ct_unlink($key_filename);
> >>         }
> >>     });
> >> }
> >>
> >> and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
> >> unmanaged containers are not affected by this?
> >
> > we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> > called unconditionally in Setup::post_create_hook even for unmanaged
> > containers, given that precedent I think we can just extend that..
>
> Right, then I'll extend that one instead.
>
> >
> > while we are at it we could add .ignore support if we really want to
> > have an option of skipping deletion and regeneration..
>
> I added the check ct_is_file_ignored($key_filename) because
> ct_unlink($key_filename) later checks against that and then the log
> message would be wrong, right? Or should the later rewrite_ssh_host_keys
> part also acknowledge ct_is_file_ignored(...)?

yes, if we ignore something then the file should be neither deleted nor
rewritten, IMHO. it should probably be logged that it is left untouched
though ;)
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  8:46 ` Fabian Grünbichler
  2025-06-27  8:59 ` Daniel Kral
@ 2025-06-27  9:44 ` Daniel Kral
  2025-06-27 10:11   ` Fabian Grünbichler
  1 sibling, 1 reply; 9+ messages in thread
From: Daniel Kral @ 2025-06-27  9:44 UTC (permalink / raw)
  To: Fabian Grünbichler, Wolfgang Bumiller; +Cc: pve-devel

On 6/27/25 10:46, Fabian Grünbichler wrote:
> we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> called unconditionally in Setup::post_create_hook even for unmanaged
> containers, given that precedent I think we can just extend that..

Oh wait, I was just reminded that rewrite_ssh_host_keys is unconditionally
called in Setup::post_create_hook, but ssh_host_key_types_to_generate is
overwritten in Setup::Unmanaged to return empty, i.e. do not rewrite any
ssh host keys.

Should we still extend it here or keep it in
Setup::Base::post_create_hook(...)? Otherwise I'll send a tested patch with
those changes afterwards :)
* Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
  2025-06-27  9:44 ` Daniel Kral
@ 2025-06-27 10:11 ` Fabian Grünbichler
  0 siblings, 0 replies; 9+ messages in thread
From: Fabian Grünbichler @ 2025-06-27 10:11 UTC (permalink / raw)
  To: Daniel Kral, Wolfgang Bumiller; +Cc: pve-devel

> Daniel Kral <d.kral@proxmox.com> wrote on 27.06.2025 11:44 CEST:
>
>
> On 6/27/25 10:46, Fabian Grünbichler wrote:
> > we already have PVE::LXC::Setup::rewrite_ssh_host_keys which AFAICT is
> > called unconditionally in Setup::post_create_hook even for unmanaged
> > containers, given that precedent I think we can just extend that..
>
> Oh wait, just was reminded that rewrite_ssh_host_keys is unconditionally
> called in Setup::post_create_hook, but ssh_host_key_types_to_generate is
> overwritten in Setup::Unmanaged to return empty, i.e. do not rewrite any
> ssh host keys.
>
> Should we still extend it here or keep it in
> Setup::Base::post_create_hook(...)? Else I send a tested patch with
> those changes afterwards :)

in that case both would be fine, and rewriting and deletion should both
be skipped for unmanaged.
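The thread above settles on three rules for host keys at container setup: every pre-existing `/etc/ssh/ssh_host_*` file is removed and logged, a file with a `.pve-ignore.<name>` marker next to it is neither removed nor regenerated but is still reported, and unmanaged containers skip both steps. The following is an added example, not Proxmox code, that renders those rules as a stand-alone check a practitioner can run on the host against an extracted template or a container root filesystem before relying on the setup code. The `.pve-ignore.` marker prefix follows the discussion above; the set of key types (the patched `ssh_host_key_types_to_generate` without `dsa`) and the `managed` flag are parameters of this example, and the sample rootfs it builds is constructed.

```python
"""Added example (not Proxmox code): host-key cleanup plan for a container
rootfs.  ssh_host_* files are scheduled for removal unless a
'.pve-ignore.<name>' marker sits beside them; marked files are neither
removed nor regenerated, only reported; unmanaged containers get an empty
plan.  Marker prefix, key types and the 'managed' flag are assumptions of
this example; the sample rootfs is constructed."""

import os
import tempfile

# Key types the patch leaves in ssh_host_key_types_to_generate (no dsa).
HOST_KEY_TYPES = {
    "rsa": "ssh_host_rsa_key",
    "ecdsa": "ssh_host_ecdsa_key",
    "ed25519": "ssh_host_ed25519_key",
}


def plan_host_key_rewrite(rootdir, keytypes=HOST_KEY_TYPES, managed=True):
    """Return (remove, regenerate, kept): host key files to unlink, key
    types to generate afterwards, and files left alone because of a
    .pve-ignore marker.  Unmanaged containers get all three empty."""
    ssh_dir = os.path.join(rootdir, "etc", "ssh")
    if not managed or not os.path.isdir(ssh_dir):
        return [], [], []
    remove, kept = [], []
    for name in sorted(os.listdir(ssh_dir)):
        if not name.startswith("ssh_host_"):
            continue
        if os.path.exists(os.path.join(ssh_dir, f".pve-ignore.{name}")):
            kept.append(name)
        else:
            remove.append(name)
    # never regenerate a type whose private or public key was kept
    regenerate = [t for t, base in keytypes.items()
                  if base not in kept and f"{base}.pub" not in kept]
    return remove, regenerate, kept


def apply_removals(rootdir, remove, log=print):
    """Unlink the planned files, logging each one visibly."""
    for name in remove:
        log(f"Removing pre-existing ssh host key '{name}' ...")
        os.unlink(os.path.join(rootdir, "etc", "ssh", name))
    # ssh-keygen for the 'regenerate' types would follow here


def demo():
    """Constructed rootfs: a template-shipped DSA pair, an RSA pair, and an
    ed25519 pair protected by .pve-ignore markers."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "etc", "ssh")
        os.makedirs(ssh_dir)
        for name in ("ssh_host_dsa_key", "ssh_host_dsa_key.pub",
                     "ssh_host_rsa_key", "ssh_host_rsa_key.pub",
                     "ssh_host_ed25519_key", "ssh_host_ed25519_key.pub",
                     ".pve-ignore.ssh_host_ed25519_key",
                     ".pve-ignore.ssh_host_ed25519_key.pub",
                     "sshd_config"):
            open(os.path.join(ssh_dir, name), "w").close()
        remove, regenerate, kept = plan_host_key_rewrite(root)
        messages = []
        apply_removals(root, remove, log=messages.append)
        remaining = sorted(n for n in os.listdir(ssh_dir) if n.startswith("ssh_host_"))
        return remove, regenerate, kept, remaining, messages


if __name__ == "__main__":
    remove, regenerate, kept, remaining, messages = demo()
    print("\n".join(messages))
    print("left untouched (.pve-ignore):", kept)
    print("would regenerate:", regenerate)
```

Separating the plan from its application is what makes the log honest: the ignore decision is taken once, before anything is printed or unlinked, so a kept file is never announced as removed. In the Perl setup code the equivalent check runs through `ct_is_file_ignored` inside `protected_call`, so that the marker is looked up in the container's own `/etc/ssh` rather than the host's.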
end of thread, other threads:[~2025-06-27 10:11 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-06-25  9:56 [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation Daniel Kral
2025-06-26 11:36 ` Wolfgang Bumiller
2025-06-27  5:04   ` Fabian Grünbichler
2025-06-27  8:20     ` Daniel Kral
2025-06-27  8:46       ` Fabian Grünbichler
2025-06-27  8:59         ` Daniel Kral
2025-06-27  9:06           ` Fabian Grünbichler
2025-06-27  9:44         ` Daniel Kral
2025-06-27 10:11           ` Fabian Grünbichler