Deprecate DSA/DSS support

Question

Deprecate DSA/DSS support

Closed this issue 6 months ago · 5 comments

Is there any plan to deprecate and eventually remove insecure DSA/DSS support? OpenSSH has disabled DSA since 2015 and will eventually remove it in the next few years.

Answer 1 · 2024-03-30T11:36:47.000Z

It should already be compiled out by default?

Answer 2 · 2024-03-30T16:05:01.000Z

Tested on dropbear version v2022.83 on Alpine Linux 3.19 and only kex algo got rid of DSS. Host key algo still contains ssh-dss if the host key file /etc/dropbear/dropbear_dss_host_key exists (which Alpine init.d script conveniently generates if missing).

Should it be removed more thoroughly?

Results running nmap --script ssh2-enum-algos -sV -p 22 [target host]

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2022.83 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       ssh-ed25519
|       ecdsa-sha2-nistp256
|       rsa-sha2-256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Answer 3 · 2024-03-31T02:35:49.000Z

The fix hasn't made it to a release yet.
c043efb

Answer 4 · 2024-03-31T07:11:19.000Z

Sorry my bad, didn't notice that. OTOH are we expecting a release anytime soon? Latest release is more than a year old.

Answer 5 · 2024-03-31T07:27:42.000Z

Yeah, just have a few PRs that I want to get merged first.