
Deprecate DSA (ssh-dss) SSH keys for Cloud VPS and Toolforge users
Closed, Resolved (Public)

Description

openssh 7.0 has dropped default support for ssh-dss (DSA) keys. Debian Stretch ships with openssh 7.4. This is seen as a security improvement upstream and by the Wikimedia operations team.

Event Timeline

Audit script basics:

import ldap
from ldap.controls import SimplePagedResultsControl

ldap_conn = ldap.initialize('ldap://ldap-labs.eqiad.wikimedia.org:389')
# Page through the results; the directory caps the size of a single search response.
lc = SimplePagedResultsControl(size=10000, cookie='')
while True:
    rtype, rdata, rmsgid, serverctrls = ldap_conn.result3(ldap_conn.search_ext(
        'ou=people,dc=wikimedia,dc=org',
        ldap.SCOPE_ONELEVEL,
        filterstr='(&(objectClass=ldapPublicKey)(sshPublicKey=*))',
        attrlist=['uid', 'sshPublicKey'],
        serverctrls=[lc]
    ))
    for userDN, userAttributes in rdata:
        # Attribute values are bytes under python-ldap 3 / Python 3.
        badkeys = []
        for key in userAttributes['sshPublicKey']:
            if key.startswith(b'ssh-dss'):
                badkeys.append(key)
        if len(badkeys) > 0:
            print(userAttributes['uid'][0].decode(), len(badkeys))
    # Carry the server's paging cookie into the next request; an empty cookie means the last page.
    for control in serverctrls:
        if control.controlType == SimplePagedResultsControl.controlType:
            lc.cookie = control.cookie
    if not lc.cookie:
        break

Currently there are 178 users with these keys.
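A stricter version of the key check, added here as an example and not part of the task or its audit script: it identifies the key type from the type string inside the base64 blob rather than from the start of the line, so a value with a leading options field (command="...",no-pty ssh-dss AAAA...) is still counted, and a value whose textual type disagrees with its blob is rejected. The function names (blob_type, key_type, audit), the fake_blob helper and SAMPLE_ENTRIES are constructed for the example; the entries mimic the (dn, {attr: [bytes]}) shape python-ldap 3 returns, and fake_blob builds a syntactically valid blob header without real key material.

```python
import base64
import shlex
import struct

def blob_type(field):
    # OpenSSH blob = 4-byte big-endian length + key type string + key material.
    raw = base64.b64decode(field, validate=True)  # binascii.Error is a ValueError
    n = struct.unpack('>I', raw[:4])[0] if len(raw) >= 4 else 0
    if n == 0 or n > len(raw) - 4:
        raise ValueError('not a key blob')
    return raw[4:4 + n]

def key_type(line):
    # Key type (bytes) of one sshPublicKey value: the textual type field must
    # match the type inside the blob that follows it. ValueError if none does.
    line = line.decode('utf-8', 'replace') if isinstance(line, bytes) else line
    fields = shlex.split(line)  # keeps quoted option values (command="...") whole
    for i in range(len(fields) - 1):
        try:
            if blob_type(fields[i + 1]) == fields[i].encode():
                return fields[i].encode()
        except ValueError:
            continue
    raise ValueError('no valid key in %r' % line[:40])

def fake_blob(ktype):  # constructed: real type header, zero padding, not a real key
    return base64.b64encode(struct.pack('>I', len(ktype)) + ktype + b'\0' * 16).decode()

# Constructed entries in the (dn, {attr: [bytes]}) shape python-ldap 3 returns.
SAMPLE_ENTRIES = [
    ('uid=bob,ou=people,dc=example', {'uid': [b'bob'], 'sshPublicKey': [
        ('ssh-dss %s bob@old' % fake_blob(b'ssh-dss')).encode(),
        ('ssh-rsa %s bob@new' % fake_blob(b'ssh-rsa')).encode()]}),
    ('uid=carol,ou=people,dc=example', {'uid': [b'carol'], 'sshPublicKey': [
        # options prefix: a plain startswith('ssh-dss') check would miss this one
        ('command="/bin/true",no-pty ssh-dss %s' % fake_blob(b'ssh-dss')).encode()]}),
]

def audit(entries, deprecated=(b'ssh-dss',)):
    result = {}  # uid -> number of deprecated keys, as the task's script prints
    for _dn, attrs in entries:
        bad = 0
        for value in attrs.get('sshPublicKey', []):
            try:
                bad += key_type(value) in deprecated
            except ValueError:
                pass  # unparsable value: not DSA, but worth reporting separately
        if bad:
            result[attrs['uid'][0].decode()] = bad
    return result
```

To run it against the directory, feed the rdata pages from the paged search above into audit() in place of SAMPLE_ENTRIES.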

bd808 renamed this task from "Deprecate DSA (ssh-dss) SSH keys for Labs users" to "Deprecate DSA (ssh-dss) SSH keys for Cloud VPS and Toolforge users". Jun 4 2018, 4:43 PM
taavi subscribed.

Boldly closing, given no currently existing VM has support for dss hosts anymore.