Disabling authentication via DSA keys in OpenSSH?
I will first dispute your reasons for deactivating DSA and ECDSA:
- There is no known weakness in either which makes them "more vulnerable" than plain RSA.
- There has been badly made implementations of DSA or ECDSA; however, there has also been badly made implementations of RSA, and in some case it resulted in RSA key leakage (e.g. Bleichenbacher's attack).
- While (EC)DSA requires a fresh source of good randomness, (EC)DSA key generation is vastly easier to perform than RSA key generation. Badly generated RSA keys appear to happen a lot in practice. This article includes an interesting quote about Arjen Lenstra (whom I would personally trust much more on security matters than almost everybody else):
He said that other formulas such as Diffie-Hellman and DSA aren't as vulnerable because the duplication of a factor makes a key holder vulnerable only to the person who holds the corresponding certificate. "If you have a collision, you only affect one other person. You can hurt them and they can hurt you, but you haven't made it public to everybody and their mother."
If you do not have quality randomness on your server you are doomed anyway.
As for performance, DSA signature verification is no more expensive than the Diffie-Hellman key exchange which takes place anyway at the beginning of each connection. We are talking about one millisecond or so here on a basic PC; I suggest making actual measures before declaring some cryptographic algorithms guilty of slowness. And ECDSA will be typically ten times faster than DSA.
That being said, if you are really intent on deactivating (EC)DSA support on your SSH server, I suggest recompiling OpenSSH (starting with the source for the version packaged in your specific OS) after deactivating DSA and ECDSA in it (look for the key.c
, function key_verify()
: it suffices to modify it so that (EC)DSA verification always fails, and you will never accept any (EC)DSA-based authentication).
(There does not appear to be an option to selectively deactivate support for asymmetric algorithms. Your server will be deemed to implicitly allow DSA if it has a DSA key, which somehow makes sense. As for client authentication, in the SSH model, this is a decision which is up to each user, who decides to include or not include his RSA/DSA/ECDSA public key in his .ssh/authorized_keys
. This might be a case for user education, after all.)
EDIT: As indicated in dave_thompson_085's comment, this solution requires OpenSSH release 7.0 or newer, and will not work for OpenSSH 5.9 as requested by the original poster. Left as a reference for users of OpenSSH 7.0 and newer with the same goals.
As per the current OpenBSD sshd_config(5) man page, it is possible to restrict the use of DSA/ECDSA by excluding it from the HostKeyAlgorithms
http://man.openbsd.org/OpenBSD-6.1/sshd_config.5
In the HostKey section:
Note that sshd(8) will refuse to use a file if it is group/world-accessible and that the HostKeyAlgorithms option restricts which of the keys are actually used by sshd(8).
So by specifying other algorithms (you can get a list using “ssh -Q key”) you can eliminate it's use. Eg.
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa
I should note that the above quotation is not in all older versions of the man page, so this may not work on your version.