Bug 1687511

Summary: ssh-keygen -t dsa key failing in rhel8
Product: Red Hat Enterprise Linux 8
Reporter: Barry Marson <bmarson>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 8.0
CC: tmraz
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Last Closed: 2019-03-11 20:33:08 UTC
Type: Bug

Description Barry Marson 2019-03-11 16:10:21 UTC
Description of problem:

I have attempted on multiple boxes to create a DSA key to provide simple trusted ssh access between my cluster nodes.  It is being rejected.  Is it deprecated?  RSA works fine.

Version-Release number of selected component (if applicable):
RHEL-8.0-20181120.0

How reproducible:
every time

Steps to Reproduce:
[root@pats .ssh]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:3+8jYRu0fBnACuo+DDuiCZ+Lh8idaB3OcNdpKSh5OdM root.lab.eng.bos.redhat.com
The key's randomart image is:
+---[DSA 1024]----+
|           .     |
|        .   o    |
|       . . . .   |
|      .   . . .  |
|  . +.. S  o . o |
| + O.E.= . .* o  |
|+.@ *=o   ...=   |
|+BoBo +     o..  |
|=o+o . .     oo. |
+----[SHA256]-----+

[root@pats .ssh]# ls -l
total 12
-rw-------. 1 root root 1413 Mar 11 11:53 id_dsa
-rw-r--r--. 1 root root  627 Mar 11 11:53 id_dsa.pub
-rw-r--r--. 1 root root  179 Mar 11 11:51 known_hosts

[root@pats .ssh]# ssh `hostname`
The authenticity of host 'pats.perf.lab.eng.bos.redhat.com (10.16.28.106)' can't be established.
ECDSA key fingerprint is SHA256:uFLtiB/zfGAB8xrDII3fi9QfZjN80NvoOOK6OpYmt4M.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pats.perf.lab.eng.bos.redhat.com,10.16.28.106' (ECDSA) to the list of known hosts.
root.lab.eng.bos.redhat.com's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Mar  5 13:36:16 2019 from 10.18.81.20
[root@pats ~]# logout

[root@pats .ssh]# cat id_dsa.pub > authorized_keys
[root@pats .ssh]# ssh `hostname`
root.lab.eng.bos.redhat.com's password: 


Actual results:
asks for password

Expected results:
should just log in.

Additional info:

Comment 1 Barry Marson 2019-03-11 20:33:08 UTC
Was just advised this was deprecated.  Closing... sorry

Comment 2 Jakub Jelen 2019-03-12 10:00:52 UTC
Yes. Do not use DSA if you like security.

https://bugzilla.redhat.com/show_bug.cgi?id=1646541
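
Added example, not part of the bug report: the session above shows ssh-keygen creating a DSA key without complaint while the login still falls back to a password prompt, so a quick audit of authorized_keys files for ssh-dss entries finds keys that will not be accepted. The function name find_dsa_keys and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# List ssh-dss (DSA) public keys in authorized_keys-style files.
# Prints "file:line: ..." per DSA key; returns 1 if any were found, else 0.
# find_dsa_keys is a hypothetical helper name, not an OpenSSH tool.
find_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            # The key type may be preceded by options (from="...",
            # command="..."), so search for the type token followed by its
            # base64 blob. Every ssh-dss blob starts with the encoded
            # string "ssh-dss", which is the base64 prefix AAAAB3NzaC1kc3M.
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    printf "%s:%d: ssh-dss key, comment: %s\n", FILENAME, FNR, comment
                    found = 1
                    next
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample (key blobs truncated on purpose; these are not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# cluster access keys
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@node1
ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed root@node2
from="10.0.0.0/8",command="/usr/bin/true -x" ssh-dss AAAAB3NzaC1kc3MAAACBconstructed backup@node3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed admin@node4
EOF

find_dsa_keys "$sample" ||
    echo "DSA keys found; regenerate with a supported type (e.g. ssh-keygen -t rsa)"
```

Run it against real files as `find_dsa_keys /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys`; the non-zero exit status makes it usable as a check in provisioning scripts.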