From: Daniel Kral <d.kral@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Wolfgang Bumiller" <w.bumiller@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
Date: Fri, 27 Jun 2025 10:20:40 +0200 [thread overview]
Message-ID: <84d9fbef-bcb2-466b-8601-0ebb1d59b005@proxmox.com> (raw)
In-Reply-To: <2091234171.9248.1751000696115@192.168.2.153>
On 6/27/25 07:04, Fabian Grünbichler wrote:
>
>> Wolfgang Bumiller <w.bumiller@proxmox.com> hat am 26.06.2025 13:36 CEST geschrieben:
>>
>>
>> On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
>>> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
>>> is the base version that will be shipped for Debian 13 trixie [1]. Since
>>> it has been marked deprecated for some time and generating DSA
>>> signatures with OpenSSH 10.0 will fail, remove it.
>>
>> We should probably actively remove existing dsa host keys in case a
>> container template ships them, just to make sure older distro containers
>> won't end up all sharing the same DSA key when created on a trixie
>> pve...
>>
>> In fact, maybe we should remove all files matching
>> `/etc/ssh/ssh_host_*` in the setup code, in case there are types we
>> missed?
>
> that sounds like a good idea, but should probably be visibly logged.
>
> for legacy distros (which are not the best fit for containers anyway)
> it's always possible to generate keys if needed inside the container
> afterwards..
So something like
sub remove_existing_ssh_host_keys {
my ($self, $conf) = @_;
my $ssh_dir = "$self->{rootdir}/etc/ssh";
return if !-d $ssh_dir;
my $keyfiles = [];
PVE::Tools::dir_glob_foreach(
$ssh_dir,
qr/ssh_host_.*/,
sub {
my ($key_filename) = @_;
next if $self->ct_is_file_ignored($key_filename);
print "Removing pre-existing ssh host key
'$key_filename' ...\n";
push $keyfiles->@*, $key_filename;
}
);
$self->protected_call(sub {
for my $key_filename ($keyfiles->@*) {
$self->ct_unlink($key_filename);
}
});
}
and calling it in PVE::LXC::Setup::Base::post_create_hook(...), so that
unmanaged containers are not affected by this?
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-06-27 8:20 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-25 9:56 Daniel Kral
2025-06-26 11:36 ` Wolfgang Bumiller
2025-06-27 5:04 ` Fabian Grünbichler
2025-06-27 8:20 ` Daniel Kral [this message]
2025-06-27 8:46 ` Fabian Grünbichler
2025-06-27 8:59 ` Daniel Kral
2025-06-27 9:06 ` Fabian Grünbichler
2025-06-27 9:44 ` Daniel Kral
2025-06-27 10:11 ` Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=84d9fbef-bcb2-466b-8601-0ebb1d59b005@proxmox.com \
--to=d.kral@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox