
Deprecate DSA (ssh-dss) SSH keys for Cloud VPS and Toolforge users
Closed, Resolved. Public


openssh 7.0 has dropped default support for ssh-dss (DSA) keys. Debian Stretch ships with openssh 7.4. This is seen as a security improvement upstream and by the Wikimedia operations team.

Event Timeline

Audit script basics:

import ldap
import ldap.controls

# Placeholders: supply the real server URI and the base DN of the user tree.
LDAP_URI = 'ldap://'
BASE_DN = 'ou=people,dc=example,dc=org'

ldap_conn = ldap.initialize(LDAP_URI)
# Server-side paging keeps a large directory under the server's result size limit.
lc = ldap.controls.libldap.SimplePagedResultsControl(size=10000, cookie='')
while True:
    msgid = ldap_conn.search_ext(BASE_DN, ldap.SCOPE_SUBTREE, '(sshPublicKey=*)',
                                 attrlist=['uid', 'sshPublicKey'], serverctrls=[lc])
    rtype, rdata, rmsgid, serverctrls = ldap_conn.result3(msgid)
    for userDN, userAttributes in rdata:
        badkeys = []
        for key in userAttributes.get('sshPublicKey', []):
            # python-ldap 3 returns attribute values as bytes
            if isinstance(key, bytes):
                key = key.decode('utf-8', 'replace')
            if key.startswith('ssh-dss'):
                badkeys.append(key)
        if len(badkeys) > 0:
            uid = userAttributes['uid'][0]
            print(uid.decode() if isinstance(uid, bytes) else uid, len(badkeys))
    # Carry the paging cookie forward; an empty cookie means the last page was read.
    for control in serverctrls:
        if control.controlType == ldap.controls.SimplePagedResultsControl.controlType:
            lc.cookie = control.cookie
    if not lc.cookie:
        break

Currently 178 users have these.
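A stricter classifier than the `startswith('ssh-dss')` test in the audit script above, added here as an example (not code from the task or from Wikimedia): it skips any leading authorized_keys options field, decodes the base64 blob and reads the algorithm name embedded in it, so a DSA key sitting behind options such as `no-pty,from="..."` is still found, and a line whose declared type disagrees with its blob (which sshd rejects) is not counted. The sample key lines are constructed, not real keys.

```python
import base64
import struct

def blob_key_type(blob: bytes) -> str:
    """Algorithm name embedded in an OpenSSH key blob (SSH wire format:
    a length-prefixed string such as 'ssh-dss', then key-specific fields)."""
    if len(blob) < 4:
        raise ValueError('blob too short')
    (n,) = struct.unpack('>I', blob[:4])
    if n > len(blob) - 4:
        raise ValueError('truncated algorithm field')
    return blob[4:4 + n].decode('ascii')

def parse_pubkey_line(line: str):
    """Parse an authorized_keys / sshPublicKey line into (type, blob, comment).
    A leading options field (no-pty, from="...") is skipped, and the declared
    type must match the type inside the blob, as sshd requires. None if no key."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if blob_key_type(blob) == fields[i]:
                return fields[i], blob, ' '.join(fields[i + 2:])
        except ValueError:  # not base64 or blob too short: not the key field
            continue
    return None

def is_dsa_key(line: str) -> bool:
    """True only if the line carries a well-formed DSA (ssh-dss) key."""
    parsed = parse_pubkey_line(line)
    return parsed is not None and parsed[0] == 'ssh-dss'

def count_dsa_keys(keys) -> int:
    """Number of DSA keys among one user's sshPublicKey values (str or bytes)."""
    return sum(is_dsa_key(k.decode() if isinstance(k, bytes) else k) for k in keys)

def _blob(key_type: str, payload: bytes = b'') -> str:
    # Base64 blob with the given embedded type (constructed sample data).
    raw = struct.pack('>I', len(key_type)) + key_type.encode('ascii') + payload
    return base64.b64encode(raw).decode('ascii')

# Constructed sample key lines, not real keys.
SAMPLE_KEYS = [
    'ssh-dss ' + _blob('ssh-dss') + ' alice@example',
    'no-pty,from="203.0.113.0/24" ssh-dss ' + _blob('ssh-dss') + ' bob@example',
    'ssh-ed25519 ' + _blob('ssh-ed25519', b'\x00' * 36) + ' carol@example',
    'ssh-rsa ' + _blob('ssh-dss') + ' mismatch@example',  # sshd rejects this
]
```

Running `count_dsa_keys` over a user's `sshPublicKey` values in place of the prefix test gives the same count for plain keys and additionally catches options-prefixed ones.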

bd808 renamed this task from "Deprecate DSA (ssh-dss) SSH keys for Labs users" to "Deprecate DSA (ssh-dss) SSH keys for Cloud VPS and Toolforge users". Jun 4 2018, 4:43 PM
Majavah added a subscriber: Majavah.

Boldly closing, given no currently existing VM has support for dss hosts anymore.