
Ability to configure SSH HostKeyAlgorithms
Closed, Resolved | Public | Feature request

Description

Ability to configure SSH specific HostKeyAlgorithms

[email protected]# ssh -Q HostKeyAlgorithms
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
webauthn-sk-ecdsa-sh[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[edit]
[email protected]#

Description from sshd_config(5):

HostKeyAlgorithms
        Specifies the host key signature algorithms that the server
        offers.  The default for this option is:

           [email protected],
           [email protected],
           [email protected],
           [email protected],
           [email protected],
           [email protected],
           [email protected],
           [email protected],
           [email protected],
           ssh-ed25519,
           ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
           [email protected],
           [email protected],
           rsa-sha2-512,rsa-sha2-256,ssh-rsa

https://man7.org/linux/man-pages/man5/sshd_config.5.html

Proposed CLI:

set service ssh hostkey-algorithm xxx|yyy|nnn

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

Viacheslav changed the task status from Open to In progress. Oct 17 2022, 12:24 PM

PR https://github.com/vyos/vyos-1x/pull/1601

set service ssh hostkey-algorithm '[email protected]'
set service ssh hostkey-algorithm 'ssh-rsa'
Viacheslav changed the task status from In progress to Needs testing. Oct 20 2022, 3:27 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Seems to be not fully functional

As soon as I set "set service ssh hostkey-algorithm '[email protected]'", the SSH server rejects all SSH connections.

tom$ ssh [email protected]
Connection closed by 2a01:000:0:00::000 port 22

Also the system/login config part does not seem to support the sk-ssh-ed25519 option yet.

[email protected]# set system login user vyos authentication public-keys KEY type 
Possible completions:
   ssh-dss              None
   ssh-rsa              None
   ecdsa-sha2-nistp256  None
   ecdsa-sha2-nistp384  None
   ssh-ed25519          None
   ecdsa-sha2-nistp521

Tested with the version "VyOS 1.4-rolling-202210280218"
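As an added check, not code from VyOS, OpenSSH or this thread: sshd only offers the host key algorithms for which it has a loaded HostKey, so a HostKeyAlgorithms list that names none of the key types present on the box leaves the server with nothing to offer and every connection fails at key exchange. The function below tests a proposed list against the key files in a directory; it assumes the standard OpenSSH host key file names, and the key directory is a parameter so it can run against a constructed fixture.

```shell
#!/bin/sh
# Added example, not VyOS or OpenSSH code. Verifies that a HostKeyAlgorithms
# list still contains at least one algorithm backed by a host key file sshd
# actually has, so the setting can be checked before it is committed.

# Map one host key signature algorithm to the private key file that backs it.
# Certificate variants (*-cert-v01@openssh.com) need the same key plus a
# HostCertificate; that extra requirement is not modelled here.
hostkey_file_for() {
    case "$1" in
        ssh-ed25519|ssh-ed25519-cert-v01@openssh.com)
            echo ssh_host_ed25519_key ;;
        ssh-rsa|rsa-sha2-256|rsa-sha2-512|*rsa*-cert-v01@openssh.com)
            echo ssh_host_rsa_key ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ecdsa-sha2-nistp*-cert-v01@openssh.com)
            echo ssh_host_ecdsa_key ;;
        ssh-dss|ssh-dss-cert-v01@openssh.com)
            echo ssh_host_dsa_key ;;
        # sk-* and webauthn-* are FIDO user-key types; no host key file backs them
        *) echo "" ;;
    esac
}

# check_hostkey_algorithms KEYDIR ALGO_LIST
# Prints the subset of the comma-separated ALGO_LIST that sshd could offer
# given the key files in KEYDIR (normally /etc/ssh); returns non-zero when
# that subset is empty, i.e. when the setting would break all logins.
check_hostkey_algorithms() {
    keydir=$1
    offerable=""
    for alg in $(printf '%s\n' "$2" | tr ',' ' '); do
        file=$(hostkey_file_for "$alg")
        if [ -n "$file" ] && [ -r "$keydir/$file" ]; then
            offerable="${offerable:+$offerable,}$alg"
        fi
    done
    printf '%s\n' "$offerable"
    [ -n "$offerable" ]
}
```

On a VyOS box, run `check_hostkey_algorithms /etc/ssh 'ssh-ed25519,rsa-sha2-512'` with the list you intend to configure; a non-zero exit means sshd would have no host key to offer.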

@Arc771
Could you provide an example of how to generate the required keys? We will test it.
But it should be a separate task.

This task allows support by sshd/ssh server/server_config
But key management is a different task

I reopened T4750

c-po reopened this task as Needs testing. Tue, Nov 1, 8:03 AM

First of all, sorry for my late reply. I was on vacation and stayed away from IT for a bit ;)

@Viacheslav
I'm not sure how familiar you are with these kinds of SSH keys.
You need a FIDO Key to generate/use these SSH keys. Like for example a YubiKey.

The current Linux versions all come with an OpenSSH that already supports it.
On macOS you need to update the OpenSSH version via e.g. brew, because the one that comes with macOS is a bit outdated.
No idea how it is on Windows, but as Windows itself has pretty good FIDO support, it should probably also work there.

To generate these SSH keys on Linux (in my example Debian 10) you just need to install the fido lib and you're done.

apt install libfido2-dev
ssh-keygen -t ed25519-sk -C "comment"

Assuming you have set up and connected your FIDO Key.

Some useful information is:
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f
https://forums.lawrencesystems.com/t/ssh-with-yubikey-fido-u2f-authentication/13024
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

On the server side, there's nothing special to do. As all current Linux versions support -sk keys out of the box, you just need to throw the public key into your authorized_keys file.

[email protected] AAAAGnNrLXNzaC1lZDI1N......

That's it.

@Arc771 Thanks, could you check it in the next rolling release after 20221118?