Deprecate DSA/DSS support
Closed this issue · 5 comments
Is there any plan to deprecate and eventually remove insecure DSA/DSS support? OpenSSH has disabled DSA since 2015 and will eventually remove it in the next few years.
It should already be compiled out by default?
Tested on dropbear version v2022.83 on Alpine Linux 3.19 and only kex algo got rid of DSS. Host key algo still contains ssh-dss if the host key file /etc/dropbear/dropbear_dss_host_key exists (which Alpine init.d script conveniently generates if missing).
Should it be removed more thoroughly?
Results running nmap --script ssh2-enum-algos -sV -p 22 [target host]
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2022.83 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       ssh-ed25519
|       ecdsa-sha2-nistp256
|       rsa-sha2-256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Sorry my bad, didn't notice that. OTOH are we expecting a release anytime soon? Latest release is more than a year old.
Yeah, just have a few PRs that I want to get merged first.
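The check reported in this thread can be scripted for auditing your own hosts. The following is an added example, not part of the thread or of Dropbear or Alpine: it parses `ssh2-enum-algos` output for `ssh-dss` under `server_host_key_algorithms` and checks for the DSS host key file named above. The function names are hypothetical and the sample scan is constructed, abridged from the output posted above.

```sh
#!/bin/sh
# Added example. Usage: nmap --script ssh2-enum-algos -p 22 HOST | audit

# Print the algorithms listed under section $1 of ssh2-enum-algos output (stdin).
algos_in_section() {
    awk -v want="$1" '
        /^\|[_ ]/ {
            line = $0
            sub(/^\|[_ ]*/, "", line)        # strip the "|" / "|_" tree prefix
            sub(/[ \t\r]+$/, "", line)       # strip trailing whitespace
            if (line ~ /: \([0-9]+\)$/) {    # section header: "name: (N)"
                sub(/: \([0-9]+\)$/, "", line)
                in_section = (line == want)
                next
            }
            if (in_section && line != "") print line
        }'
}

# Exit 0 if the scan on stdin advertises a DSA host key algorithm.
offers_dss() { algos_in_section server_host_key_algorithms | grep -qx 'ssh-dss'; }

# stdin = scan output, $1 = host key path (defaults to the path from the thread).
audit() {
    key="${1:-/etc/dropbear/dropbear_dss_host_key}"
    status=0
    if offers_dss; then
        echo "FAIL: ssh-dss advertised in server_host_key_algorithms"; status=1
    fi
    if [ -e "$key" ]; then
        echo "FAIL: DSS host key present at $key"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: no DSA host key offered or on disk"; fi
    return "$status"
}

# Constructed sample, abridged from the scan in the thread.
sample_scan() {
    cat <<'EOF'
22/tcp open  ssh     Dropbear sshd 2022.83 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (5)
|       ssh-ed25519
|       ecdsa-sha2-nistp256
|       rsa-sha2-256
|       ssh-rsa
|       ssh-dss
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
EOF
}
```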