FS#45515 - [openssh] make /etc/ssh/moduli a backup file

Attached to Project: Arch Linux
Opened by Christian Hesse (eworm) - Wednesday, 01 July 2015, 08:24 GMT
Last edited by Gaetan Bisson (vesath) - Tuesday, 24 November 2015, 00:39 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
Openssh updated the /etc/ssh/moduli file and removed small primes (with size 1023/1024), which breaks old software for me. In general that is ok; I re-added some weak primes to make it work again. However, this will be overwritten by the next openssh package, as /etc/ssh/moduli is not a backup file. Please make it a backup file.

Additional info:
openssh 6.9p1-1

Closed by Gaetan Bisson (vesath)
Tuesday, 24 November 2015, 00:39 GMT
Reason for closing: Won't implement
Comment by Gaetan Bisson (vesath) - Wednesday, 01 July 2015, 09:43 GMT
It does not strike me as such a good idea. The moduli file contains critical public constant parameters that ensure openssh can interact with other SSH implementations. From that perspective, it should really not be "customized". And when upstream believes a certain set of parameters are compromised, they should really be removed from that file.

Now I can certainly understand that you wish to keep compatibility with legacy implementations at the cost of security. That is your right. However that is definitely not a use-case I (and certainly upstream) wish to encourage. Some would say you could just as well use telnet to communicate with such legacy software...

At any rate, if you are serious about enabling insecure moduli in openssh, I do not think it would be too much to ask that you either:
- willingly overwrite the moduli file after each Arch upgrade;
- fork and maintain your own openssh package.

Would any of the above be an acceptable solution for you?
Comment by Christian Hesse (eworm) - Wednesday, 01 July 2015, 10:29 GMT
pacman would update the file as long as it is not altered. And even if it is, you get a file moduli.pacnew to handle the update.

But I can understand that you do not want to risk any security issues. So yes, I can handle that myself. ;)
Comment by Gaetan Bisson (vesath) - Wednesday, 01 July 2015, 17:02 GMT
Right but I really think this ought not to be user-configurable. You know what you are doing, and of course you can easily bypass the static /etc/moduli our package provides. But in my opinion it should not be made any easier. Thanks!
Comment by Yardena Cohen (yardenac) - Monday, 23 November 2015, 22:04 GMT
Some people want to replace the moduli with a MORE secure version. There are good reasons to do this. #47152 requested this, and was marked as a duplicate. Can we talk about it from that angle? Thanks.
Comment by John (graysky) - Monday, 23 November 2015, 22:32 GMT
Please see https://bugs.archlinux.org/task/47152 for some rationale behind this request to augment what the original reporter entered.

Users could fork and maintain our own openssh package as Gaetan points out, but that seems a higher energy solution than simply adding it to the backup array in the official package. This proposed modification would both 1) safeguard an overwrite only on systems where the file was purposefully modified and 2) have no effect for those who have not modified the file.
Comment by Gaetan Bisson (vesath) - Tuesday, 24 November 2015, 00:39 GMT
Sorry but I have a hard time believing any of you guys knows what moduli settings are safe better than upstream. If you really want to change upstream's defaults, take full responsibility for this and build your own package. Tampering with the moduli file is not recommended security practice and should thus not be encouraged by our official package. I know this is not "convenient" for you but it is safer for the distro as a whole. Thanks for your understanding.
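
An audit of a moduli(5) file, useful after an openssh upgrade or before merging a moduli.pacnew, added here as an example that is not part of the original thread or of the openssh package: it counts entries per size and flags small groups such as the 1023-bit entries discussed above. The 2047 threshold, the function names and the sample entries are assumptions constructed for illustration; the mismatch check assumes the size column is one less than the modulus bit length, as in files produced by ssh-keygen.

```python
from collections import Counter

MIN_SIZE = 2047  # assumed policy threshold for this example, not an upstream value


def parse_moduli(text):
    """Yield (lineno, declared_size, modulus_bits) for each moduli(5) entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        # Field order: time type tests tries size generator modulus
        yield lineno, int(fields[4]), int(fields[6], 16).bit_length()


def audit(text, min_size=MIN_SIZE):
    """Count entries per size; list lines that are too small or mislabelled."""
    counts, weak, mismatched = Counter(), [], []
    for lineno, size, bits in parse_moduli(text):
        counts[size] += 1
        if size < min_size:
            weak.append(lineno)
        if bits != size + 1:  # declared size does not match the modulus
            mismatched.append(lineno)
    return {"counts": dict(counts), "weak": weak, "mismatched": mismatched}


def _entry(size, bits):
    # Constructed sample entry: the modulus has the given bit length
    # but is NOT a real prime.
    return f"20150101000000 2 6 100 {size} 2 {(1 << (bits - 1)) | 1:X}"


SAMPLE = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    _entry(1023, 1024),  # small group of the kind removed in 6.9p1
    _entry(2047, 2048),
    _entry(4095, 2048),  # size column overstates the real modulus
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(audit(text))
```

Pass the path of a moduli file (for example the live file or a .pacnew) as the first argument to audit it instead of the constructed sample.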
