
Ability to configure SSH HostKeyAlgorithms
Closed, Resolved · Public · FEATURE REQUEST

Description

Ability to configure SSH-specific HostKeyAlgorithms

vyos@r14# ssh -Q HostKeyAlgorithms
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
[edit]
vyos@r14#

Description from sshd_config(5):

HostKeyAlgorithms
        Specifies the host key signature algorithms that the server
        offers.  The default for this option is:

           ssh-ed25519-cert-v01@openssh.com,
           ecdsa-sha2-nistp256-cert-v01@openssh.com,
           ecdsa-sha2-nistp384-cert-v01@openssh.com,
           ecdsa-sha2-nistp521-cert-v01@openssh.com,
           sk-ssh-ed25519-cert-v01@openssh.com,
           sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
           rsa-sha2-512-cert-v01@openssh.com,
           rsa-sha2-256-cert-v01@openssh.com,
           ssh-rsa-cert-v01@openssh.com,
           ssh-ed25519,
           ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
           sk-ssh-ed25519@openssh.com,
           sk-ecdsa-sha2-nistp256@openssh.com,
           rsa-sha2-512,rsa-sha2-256,ssh-rsa

https://man7.org/linux/man-pages/man5/sshd_config.5.html

Proposed CLI:

set service ssh hostkey-algorithm xxx|yyy|nnn
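A pre-commit sanity check for the proposed CLI, added here as an example (not vyos-1x code): it validates each value against the `ssh -Q HostKeyAlgorithms` output above and against the host key types the server has actually loaded, because sshd only offers an algorithm for which it holds a matching host key, and a list that matches none of them leaves every client with a closed connection. HOST_KEY_TYPES is a constructed sample and the function names are my own.

```python
# Sanity-check a proposed 'set service ssh hostkey-algorithm ...' value list
# before it is rendered into sshd_config.  Added example; not part of vyos-1x.

# Output of `ssh -Q HostKeyAlgorithms` as shown in the task description.
SUPPORTED = set("""
ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
""".split())

# Host key types the server has loaded (constructed sample; on a real box read
# the first field of each /etc/ssh/ssh_host_*_key.pub instead).
HOST_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def key_type_for(alg: str) -> str:
    """Map a signature algorithm name to the host key type that can produce it."""
    base = alg.split("@")[0]
    if base.endswith("-cert-v01"):
        base = base[: -len("-cert-v01")]
    # rsa-sha2-256/512 are signature flavours of an ordinary ssh-rsa key.
    return "ssh-rsa" if base.startswith("rsa-sha2-") else base


def check_hostkey_algorithms(configured, host_key_types=HOST_KEY_TYPES):
    """Return (sshd_config line, list of problems) for the CLI value list.

    The line is only safe to commit when the problem list is empty: sshd offers
    an algorithm solely when a matching host key is loaded, so a list that
    matches none of the loaded keys cannot complete key exchange with anyone.
    """
    problems = []
    for alg in configured:
        if alg not in SUPPORTED:
            problems.append(f"{alg}: not in 'ssh -Q HostKeyAlgorithms'")
        elif key_type_for(alg) not in host_key_types:
            problems.append(f"{alg}: no {key_type_for(alg)} host key loaded")
    offerable = [a for a in configured
                 if a in SUPPORTED and key_type_for(a) in host_key_types]
    if configured and not offerable:
        problems.append("no configured algorithm matches any loaded host key")
    return "HostKeyAlgorithms " + ",".join(configured), problems
```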

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav changed the task status from Open to In progress. Oct 17 2022, 12:24 PM

PR https://github.com/vyos/vyos-1x/pull/1601

set service ssh hostkey-algorithm 'sk-ssh-ed25519@openssh.com'
set service ssh hostkey-algorithm 'ssh-rsa'
Viacheslav added a subscriber: Unknown Object (User). Oct 17 2022, 1:42 PM
Viacheslav changed the task status from In progress to Needs testing. Oct 20 2022, 3:27 PM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
Unknown Object (User) added a comment. Oct 31 2022, 5:00 PM

Seems to not be fully functional.

As soon as I set "set service ssh hostkey-algorithm 'sk-ssh-ed25519@openssh.com'", the SSH server rejects all SSH connections.

tom$ ssh user@host.name
Connection closed by 2a01:000:0:00::000 port 22

Also, the system/login config part seems to not yet support the sk-ssh-ed25519 option.

user@host.name# set system login user vyos authentication public-keys KEY type 
Possible completions:
   ssh-dss              None
   ssh-rsa              None
   ecdsa-sha2-nistp256  None
   ecdsa-sha2-nistp384  None
   ssh-ed25519          None
   ecdsa-sha2-nistp521

Tested with the version "VyOS 1.4-rolling-202210280218"

@Arc771
Could you provide an example of how to generate the required keys? We will test it.
But it should be a separate task.

This task allows support by sshd / SSH server / server_config,
but key management is a different task.

I reopened T4750

c-po reopened this task as Needs testing. Nov 1 2022, 8:03 AM
Unknown Object (User) added a comment. Nov 15 2022, 2:32 PM

First of all, sorry for my late reply. I was on vacation and stayed away from IT for a bit ;)

@Viacheslav
I'm not sure how familiar you are with these kinds of SSH keys.
You need a FIDO Key to generate/use these SSH keys. Like for example a YubiKey.

The current Linux versions all come with OpenSSH that already supports it.
On MacOS you need to update the OpenSSH version via e.g. brew, because the one that comes with MacOS is a bit outdated.
No idea how it is on Windows, but as Windows itself has pretty good FIDO support, it should probably also work there.

To generate these SSH keys on Linux (in my example Debian 10) you just need to install the FIDO lib and you're done.

apt install libfido2-dev
ssh-keygen -t ed25519-sk -C "comment"

Assuming you have set up and connected your FIDO Key.

Some useful information:
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f
https://forums.lawrencesystems.com/t/ssh-with-yubikey-fido-u2f-authentication/13024
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

On the server side, there's nothing special to do. As all current Linux versions support -sk keys out of the box, you just need to throw the public key into your authorized_keys file.

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1N......

That's it.

@Arc771 Thanks. Could you check it in the next rolling release after 20221118?

Unknown Object (User) added a comment. Nov 19 2022, 11:46 AM

@Viacheslav Works!

Thanks for your great work!