Page MenuHomePhabricator
Create Task
Maniphest T253824

planned upstream deprecation of the ssh-rsa signing algorithm (RSA with SHA-1)
Open, MediumPublic
Actions

Description

Summary:

  • Before the OpenSSH release that ships the deprecation, we need to upgrade every prod host and network device to at least OpenSSH [7.2p1, 7.4p1) or to >=7.5p1, or backport a single patch to 7.4p1.
    • 7.4p1 -- the version in Stretch -- is itself buggy in a way that affects the deprecation, fixed in this patch released in 7.5p1
    • Unless that patch (or a release 7.5p1 or later) is backported to Stretch, I am pretty confident that post-deprecation clients will not be able to negotiate RSA host keys or user public keys with Stretch servers.
    • Post-deprecation clients will not be able to negotiate RSA host keys or user public keys with Jessie servers.
  • Just in case there's any confusion about the nomenclature here, we do not need to stop accepting ssh-rsa public keys; it's only the authentication algorithm being deprecated (see below).

Upstream announcement: https://www.openssh.com/txt/release-8.3

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release.

NB that this isn't a deprecation of RSA, or of ssh-rsa keypairs themselves -- only of the over-the-wire verification algorithm of "RSA coupled with SHA-1", which confusingly is also named ssh-rsa.

Helpfully, RFC8332 provides two other verification algorithms that use the exact same keys, including using identical public/private keyfiles, including ssh-rsa as a prefix of the public keys. Those algorithms are rsa-sha2-256 and rsa-sha2-512 and they are exactly what they sound like. As of OpenSSH 7.2p1, they are implemented and automatically used when available.

Somewhat confusingly, it isn't until this patch lands in 7.9p1 in which those names become meaningful for anything except the HostKeyAlgorithms, despite the fact that they should be meaningful for HostbasedKeyTypes and PubkeyAcceptedKeyTypes.

In versions from 7.2p1 until 7.9p1, they're simply an extra part of the key exchange added in a protocol extension that is transparent to older clients and servers -- but pre-7.9p1, it's not possible to write a configuration file asking to deny the older RSA-SHA1 verification, which isn't a huge deal but is worth noting.

What is a problem is that 7.4p1 (in Stretch) had a bug introduced in it where sshd does not enumerate rsa-sha2-256 or rsa-sha2-512 as possible signature algorithms in the server-sig-algs extension to key exchanges. The bug was introduced by this innocuous-looking cleanup patch. The fix landed in 7.5p1.

It's possible to demonstrate this via the following. On a Buster or other modern host, and using an RSA pubkey for yourself, disable ssh-rsa and attempt to authenticate to a Stretch host:

% ssh bast1002.wikimedia.org                             
Linux bast1002 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
^D
% ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa bast1002.wikimedia.org
Password: ^C
% ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa -vvv bast1002.wikimedia.org |& grep server-sig-alg
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
^C
% ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa -vvv localhost |& grep server-sig-alg             
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

You can also inspect the signature algorithm being selected:

% ssh -vvv bast1002.wikimedia.org |& grep sign_and_send_pubkey
debug3: sign_and_send_pubkey: RSA SHA256:I9DIoOoVwPiPODdlJiLGWQTN5+MC9oWbiYkkKQbg2q4
debug3: sign_and_send_pubkey: signing using ssh-rsa
% ssh -vvv localhost |& grep sign_and_send_pubkey
debug3: sign_and_send_pubkey: RSA SHA256:I9DIoOoVwPiPODdlJiLGWQTN5+MC9oWbiYkkKQbg2q4
debug3: sign_and_send_pubkey: signing using rsa-sha2-512

It's probably worth verifying all this with OpenSSH upstream, and then asking them to clarify their release notes, as I don't believe 7.4p1 servers will be compatible with post-deprecation clients -- but they presently state that 7.2p1 or later is all that is necessary to be compatible on either end.

I'm not sure if Debian themselves would want to patch their 1:7.4p1-10+deb9u7 of openssh-server, even though Stretch is oldstable, but it might be a good idea as well.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT253824 planned upstream deprecation of the ssh-rsa signing algorithm (RSA with SHA-1)
 ResolvedayounsiT254013 all network devices must run OpenSSH >= 7.2p1 but != 7.4p1
 OpenNoneT316539 Upgrade network devices to Junos 20+
 ResolvedayounsiT316532 Upgrade POPs asw to Junos 21
 ResolvedayounsiT323094 asw1-eqsin: VC mastership change
 ResolvedNoneT295690 Upgrade core routers to Junos 21+
 ResolvedPapaulT316529 Upgrade management routers and switches to Junos 21
 ResolvedPapaulT295691 Upgrade pfw to Junos 20+
 ResolvedPapaulT316542 Upgrade fasw to Junos 21
 OpencmooneyT316544 Upgrade cloudsw1-c8-eqiad and cloudsw1-d5-eqiad to Junos 20+
 OpendcaroT297083 [ceph] Getting rack level HA
 ResolvedRequest CmjohnsonT303058 hw troubleshooting: move cloudcephmon1003.eqiad.wmnet from rack B2 to rack C8
 Resolved CmjohnsonT304096 move cloudcephmon1002.eqiad.wmnet from rack B4 to rack D5
 Resolved nskaggsT329498 [ceph] Move cloudcephosd1001 (b7) and cloudcephosd1002 (b4) to rack e4
ResolvedBUG REPORTdcaroT329535 Cloud Ceph outage 2023-02-13
 In ProgressdcaroT329709 [cookbooks.ceph] Add a cookbook to drain a ceph osd in a safe manner
 ResolveddcaroT329711 [ceph] Add monitoring for inter-osd/mon/cloudvirt connectivity
 OpendcaroT329778 [ceph] Investigate if there's a way to degrade instead of failing when jumbo frames are being dropped in the network
 ResolvedcmooneyT329799 Add network-layer protections to avoid inadvertently lowering IRB MTU
 Resolved nskaggsT329502 [ceph] Move cloudcephosd1003 (b2) to rack e4 and cloudcephosd1004 (c8) to rack f4
Resolved nskaggsT329504 [ceph] Move cloudcephosd1005 (c8) and cloudcephosd1010 (d5) to rack f4
ResolveddcaroT329507 [ceph] Test crush tree with rack level HA on codfw
 ResolvedRequestPapaulT330754 hw troubleshooting: Link hard down (probably cable) for cloudcephosd2002-dev.codfw.wmnet
 ResolveddcaroT331141 Change crushmap in eqiad to have rack HA
 ResolveddcaroT331145 [cookbooks] adapt to having an extra level of buckets in the crushmap
 OpenNoneT330733 Move coludcephmon1001 from B7 to rack F4
 OpendcaroT331636 [cookbooks.ceph] create a script to get the list of rbd images affected by stuck/inactive PGs
 OpenNoneT336845 puppet: profile::auto_restarts::service: have a way to don't deploy the systemd timers
 ResolvedayounsiT327248 eqiad/codfw virtual-chassis upgrades
 ResolvedayounsiT327925 codfw row A switches upgrade
 Resolved MarosteguiT327997 Switchover s1 master (db2103 -> db2112)
 Resolved MarosteguiT327998 Switchover s2 master (db2104 -> db2107)
 Resolved MarosteguiT327999 Switchover s3 master (db2105 -> db2127)
 Resolved MarosteguiT328000 Switchover s7 master (db2121 -> db2118)
 Resolved MarosteguiT328001 Switchover x2 master (db2142 -> db2144)
 ResolvedayounsiT327991 codfw row B switches upgrade
 Resolved MarosteguiT328022 Switchover s4 master (db2110 -> db2140)
 Resolved MarosteguiT328023 Switchover s5 master (db2123 -> db2113)
 Resolved MarosteguiT328024 Switchover s8 master (db2161 -> db2165)
 ResolvedcmooneyT329073 eqiad row A switches upgrade
 Resolved MarosteguiT329141 Switchover m3 master db1164 -> db1159
 Resolved MarosteguiT329143 Move db1164 to m1
 Resolved MarosteguiT329259 Switchover m1 master (db1176 -> db1164)
 Resolved MarosteguiT331382 Move db1101 to m3 and make it master
 Resolved MarosteguiT331384 Switchover m3 master db1159 -> db1101
 Resolved MarosteguiT331387 Switchover m3 master db1101 -> db1159
 Resolved MarosteguiT331626 Mailman hasn't delivered emails since 2023-03-07 14 UTC (was: reviewer-bot is not working)
 ResolvedayounsiT330165 eqiad row B switches upgrade
 Invalid MarosteguiT330977 Move db1183 to m1
 Resolved MarosteguiT331510 Switchover m1 master (db1164 -> db1101)
 Resolved MarosteguiT331511 Move db1101 to m1
 Resolved MarosteguiT330847 Switchover m5 master (db1183 -> db1176)
 ResolvedayounsiT331882 eqiad row C switches upgrade
 ResolvedLadsgroupT333123 Switchover m1 master (db1101 -> db1164)
 ResolvedherronT333478 failover alert1001 to alert2001
 ResolvedherronT333837 failover alert2001 to alert1001
 DeclinedherronT333838 alerting_host: Reduced availability for job icinga-am after failover event
 OpenherronT333855 vopsbot needed manual restart after alerting hosts failover
 ResolvedcmooneyT333377 eqiad row D switches upgrade
 ResolvedayounsiT334049 codfw row C switches upgrade
 ResolvedayounsiT335042 codfw row D switches upgrade

Event Timeline

CDanis created this task.May 28 2020, 4:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 28 2020, 4:28 AM
CDanis updated the task description. (Show Details)May 28 2020, 4:35 AM
CDanis updated the task description. (Show Details)May 28 2020, 4:38 AM
Kormat subscribed.May 28 2020, 12:23 PM
MoritzMuehlenhoff added a comment.May 29 2020, 1:35 PM

Nice writeup! I'll have a more in depth look and see what I can do to potentially fix this for the OpenSSH package in next/last Stretch point release.

We already had https://packages.qa.debian.org/o/openssh/news/20190811T133249Z.html before, so this might be a realistic option.

CDanis added a comment.May 29 2020, 1:52 PM

Great, thanks!

I haven't checked how easily 183ba55 would apply against 7.4p1, but I suspect it would either apply cleanly or not be much trouble to fix.

CDanis triaged this task as Medium priority.May 29 2020, 2:05 PM
CDanis mentioned this in T254013: all network devices must run OpenSSH >= 7.2p1 but != 7.4p1.May 29 2020, 2:26 PM
MoritzMuehlenhoff added a project: User-MoritzMuehlenhoff.May 29 2020, 3:30 PM
CDanis added a comment.May 29 2020, 4:00 PM

I contacted OpenSSH upstream:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-May/038533.html

ayounsi changed the status of subtask T254013: all network devices must run OpenSSH >= 7.2p1 but != 7.4p1 from Open to Stalled.May 29 2020, 4:56 PM
CDanis mentioned this in T167966: Look into feasibility of disabling sha-1 host keys on our ssh daemons.May 29 2020, 5:34 PM
Krenair subscribed.May 29 2020, 7:30 PM
MoritzMuehlenhoff added a comment.Jun 4 2020, 3:47 PM

I've backported the patch to the version in stretch and deployed a test package on cp2009, which seems to work well. I'll do a few more tests and will file a bug for potential inclusion into the forthcoming next point release next.

With the current OpenSSH in stretch: (which presents server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>)

jmm@soju:~$ ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa -vvv cp2009.codfw.wmnet |& grep server-sig-algs
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
Password:

With the backported package: (which presents server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>)

jmm@soju:~$ ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa cp2009.codfw.wmnet
Linux cp2009 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
Debian GNU/Linux 9.12 (stretch)
cp2009 is a Unpuppetised system for testing (test)
The last Puppet run was at Thu Jun  4 14:51:23 UTC 2020 (26 minutes ago).
Last puppet commit: (b9ec8f55b8) Alexandros Kosiaris - ganeti: ganeti[12]0{09..24}.eqiad|codfw.wmnet to hieradata
Debian GNU/Linux 9 auto-installed on Tue May 7 15:16:38 UTC 2019.
Last login: Thu Jun  4 15:08:49 2020 from 2620:0:860:2:208:80:153:54
jmm@cp2009:~$
MoritzMuehlenhoff added a comment.Jun 10 2020, 2:47 PM

Reported to Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962535

jbond subscribed.Apr 5 2021, 12:56 PM
MoritzMuehlenhoff mentioned this in T311368: Deprecate use of ssh-rsa keys?.Sep 29 2022, 10:44 AM
sbassett merged a task: T311368: Deprecate use of ssh-rsa keys?.Sep 29 2022, 5:44 PM
sbassett added subscribers: Reedy, sbassett, Lucas_Werkmeister_WMDE.
ayounsi closed subtask T254013: all network devices must run OpenSSH >= 7.2p1 but != 7.4p1 as Resolved.May 16 2023, 1:28 PM
jbond added a project: Infrastructure Security.May 22 2023, 3:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL