Latest version of openssh (9.9p2) disabled support for dsa at compile time causing ssh-keygen to fail #426

@jeff350

🗣️ Foreword

Thank you for taking the time to fill this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.

👻 Brief Description

The latest version of openssh, 9.9p2, released 2025-02-18, disabled support for DSA keys at compile time, and some distros have started backporting changes to disable rsa keys. This was previously communicated by the openssh team in other release notes.

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

Currently DSA is disabled at compile time. The final step of
removing DSA support entirely is planned for the first OpenSSH
release of 2025.

DSA support may be re-enabled on OpenBSD by setting "DSAKEY=yes"
in Makefile.inc. To enable DSA support in portable OpenSSH, pass
the "--enable-dsa-keys" option to configure.

With dsa disabled at compile time the command to generate the ssh dsa key fails.

RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

Version

Master

Environment

Any operating system that has openssh 9.9p2 or newer, or backports changes to disable dsa, such as Fedora 41

Scenario

Run kitchen-docker on newer operating systems like fedora 41 or rawhide

Steps to Reproduce

any user of kitchen-docker on an OS with openssh 9.9p2 or newer such as Fedora 41

An example of this can be seen in this CI job https://gitlab.com/saltstack-formulas/template-formula/-/jobs/9251719358

Expected Result

not error out trying to create a dsa key with unknown key type dsa

Actual Result

errors out on docker file command to create DSA key causing the tests to fail

------
 > [ 3/16] RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '':
0.180 + '[' -f /etc/ssh/ssh_host_dsa_key ']'
0.180 + ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
0.184 unknown key type dsa
------
Dockerfile:5
--------------------
   3 |                 ENV container docker
   4 |                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
   5 | >>>             RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
   6 |     
   7 |                 RUN if ! getent passwd kitchen; then                   useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen;                 fi
--------------------
ERROR: failed to solve: process "/bin/bash -x -o pipefail -c [ -f \"/etc/ssh/ssh_host_dsa_key\" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''" did not complete successfully: exit code: 255

➕ Additional context

This should be a simple change by deleting all lines referencing dsa in these two files.

https://github.com/test-kitchen/kitchen-docker/blob/057465d0559ee74f34139e3799fd9734602ac1d6/test/Dockerfile

https://github.com/test-kitchen/kitchen-docker/blob/057465d0559ee74f34139e3799fd9734602ac1d6/lib/kitchen/docker/helpers/dockerfile_helper.rb
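
One way an image build can tolerate an ssh-keygen compiled without DSA, as an added example that is not kitchen-docker's own code: required key types must succeed, while legacy types are skipped instead of failing the build. The function names, the `KEYGEN` variable and the choice of ed25519 as a second required type are assumptions.

```shell
#!/bin/sh
# Added example, not kitchen-docker code. KEYGEN and both function names are
# assumptions of this sketch; point KEYGEN at another binary to test it.
KEYGEN="${KEYGEN:-ssh-keygen}"

# ensure_host_key TYPE DIR
# Creates DIR/ssh_host_TYPE_key unless it already exists.
# Returns 0 if the key is present afterwards, 1 if generation failed
# (for example "unknown key type dsa" on a build without DSA).
ensure_host_key() {
    ehk_key="$2/ssh_host_${1}_key"
    if [ -f "$ehk_key" ]; then
        return 0
    fi
    if "$KEYGEN" -q -t "$1" -f "$ehk_key" -N '' 2>/dev/null; then
        return 0
    fi
    rm -f "$ehk_key" "$ehk_key.pub"   # remove any partial output
    return 1
}

# generate_host_keys DIR "REQUIRED TYPES" "LEGACY TYPES"
# A required type that fails aborts with status 1; a legacy type that fails
# is skipped with a warning. Prints the types now present, space separated.
generate_host_keys() {
    ghk_made=""
    for ghk_t in $2; do
        if ! ensure_host_key "$ghk_t" "$1"; then
            echo "required host key type '$ghk_t' could not be generated" >&2
            return 1
        fi
        ghk_made="$ghk_made $ghk_t"
    done
    for ghk_t in $3; do
        if ensure_host_key "$ghk_t" "$1"; then
            ghk_made="$ghk_made $ghk_t"
        else
            echo "skipping legacy host key type '$ghk_t'" >&2
        fi
    done
    echo "${ghk_made# }"
}

# Example call for an image build (assumed types):
#   generate_host_keys /etc/ssh "rsa ed25519" "dsa"
```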
