[pve-devel] [RFC container] setup: remove deprecated dsa from ssh host key generation
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Jun 26 13:36:32 CEST 2025
On Wed, Jun 25, 2025 at 11:56:31AM +0200, Daniel Kral wrote:
> OpenSSH 10.0 removes support for the DSA signature algorithm [0], which
> is the base version that will be shipped for Debian 13 trixie [1]. Since
> it has been marked deprecated for some time and generating DSA
> signatures with OpenSSH 10.0 will fail, remove it.
We should probably actively remove existing dsa host keys in case a
container template ships them, just to make sure older distro containers
won't end up all sharing the same DSA key when created on a trixie
pve...
In fact, maybe we should remove all files matching
`/etc/ssh/ssh_host_*` in the setup code, in case there are types we
missed?
>
> [0] https://www.openssh.com/txt/release-10.0
> [1] https://www.debian.org/releases/trixie/release-notes/whats-new.en.html
>
> Signed-off-by: Daniel Kral <d.kral at proxmox.com>
> ---
> Sending it as a RFC as I'm unsure if there's any other repercussions
> removing it here. AFAICS it seems this is the only site where we
> generate DSA signatures.
>
> src/PVE/LXC/Setup/Base.pm | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index 6bdfb8d..dbfc775 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -646,7 +646,6 @@ sub ssh_host_key_types_to_generate {
>
> return {
> rsa => 'ssh_host_rsa_key',
> - dsa => 'ssh_host_dsa_key',
> ecdsa => 'ssh_host_ecdsa_key',
> ed25519 => 'ssh_host_ed25519_key',
> };
> --
> 2.39.5
More information about the pve-devel
mailing list