T2183
Change Details

Old:
Split from T2182. Some of the SSH keys defined in https://devcentral.nasqueron.org/source/operations/browse/main/pillar/core/users.sls still contain legacy RSA keys with SHA-1 signature (`ssh-rsa` type). Both Debian 13 (Trixie) and FreeBSD 14 use a recent OpenSSH version, which removed support for that algorithm. We need to detect and reach relevant users to update their keys. Deliverable: Python script to read keys and output the pair {username, legacy SSH key}
New:

**Context**

Split from T2182. Some of the SSH keys defined in [[ https://devcentral.nasqueron.org/source/operations/browse/main/pillar/core/users.sls | pillar/core/users.sls ]] still contain legacy RSA keys of the `ssh-rsa` type. OpenSSH 8.8+ disables the `ssh-rsa` signature algorithm (RSA with SHA-1) by default, as chosen-prefix collisions have been demonstrated for SHA-1. Both Debian 13 (Trixie) and FreeBSD 14 ship a recent OpenSSH version, so users whose client can only produce SHA-1 RSA signatures can't log in anymore.

Note that `ssh-rsa` in an authorized_keys entry names the key type, not the hash used at login: the same RSA key still authenticates with the `rsa-sha2-256`/`rsa-sha2-512` signature algorithms when the client supports them (OpenSSH 7.2+ does; older clients and some third-party SSH libraries do not). We cannot tell from the pillar which client a user runs, so every `ssh-rsa` key should be treated as needing review, and users asked to replace it with an `ssh-ed25519` key. RSA keys shorter than 1024 bits are refused outright by current OpenSSH (the default `RequiredRSASize`), so key size is worth reporting alongside the type. We need to detect and reach relevant users to update their keys.

**Deliverable**

* Python script in rOPS utils/ directory to read keys and output the pair {username, legacy SSH key}
* Create [[ https://devcentral.nasqueron.org/maniphest/task/edit/form/5/ | one security issue task ]] per user concerned

**References**

* Gaëtan Leurent and Thomas Peyrin. 2020. "[[ https://www.usenix.org/conference/usenixsecurity20/presentation/leurent | SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust ]]". In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), 1839-1856. USENIX Association.
* [[ https://www.openssh.org/txt/release-8.8 | OpenSSH 8.8 release notes ]]. 2021.
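The following is an added example of such a detection script; it is not the rOPS utility itself. It assumes a pillar layout of `users: <username>: ssh_keys: [<authorized_keys line>, ...]` (the real users.sls schema may differ), uses PyYAML only when given a file path, and embeds a constructed sample pillar whose keys carry synthetic moduli rather than real key material. Besides listing `ssh-rsa` keys per user, it decodes the key blob to report the RSA modulus size, and it skips leading authorized_keys options such as `from="..."` so those entries are not missed.

```python
"""Report legacy ``ssh-rsa`` public keys per user from a Salt pillar.

Added example, not the rOPS script. Assumed pillar layout (the real
users.sls schema may differ):

    users:
      <username>:
        ssh_keys:
          - "ssh-ed25519 AAAA... comment"
"""
import base64
import struct

LEGACY_TYPES = {"ssh-rsa"}   # SHA-1 signature algorithm disabled by default since OpenSSH 8.8
KNOWN_TYPES = LEGACY_TYPES | {
    "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _string(data):
    """Encode an SSH wire string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw   # leading zero keeps the value positive
    return _string(raw)


def _read_string(blob, off):
    """Decode one SSH wire string at ``off``; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_authorized_key(line):
    """Parse one authorized_keys line into (key_type, rsa_bits, comment).

    Leading options such as from="..." are skipped by scanning for the
    key-type token. rsa_bits is the modulus size for ssh-rsa, else None.
    """
    tokens = line.split()
    idx = next((i for i, tok in enumerate(tokens) if tok in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("unrecognised authorized_keys line: %r" % line[:60])
    key_type, b64 = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("blob type %r does not match %r" % (wire_type, key_type))
    bits = None
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)   # e
        modulus, _ = _read_string(blob, off)       # n
        bits = int.from_bytes(modulus, "big").bit_length()
    return key_type, bits, comment


def find_legacy_keys(pillar):
    """Return [(username, key_line, rsa_bits)] for every ssh-rsa key in the pillar."""
    found = []
    for user, data in sorted((pillar.get("users") or {}).items()):
        for line in (data or {}).get("ssh_keys") or []:
            key_type, bits, _comment = parse_authorized_key(line)
            if key_type in LEGACY_TYPES:
                found.append((user, line, bits))
    return found


def load_pillar(path):
    """Load a plain-YAML pillar (assumes PyYAML is installed and no Jinja in the file)."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# --- Constructed sample input: synthetic moduli, not real keys -----------------
def make_rsa_line(bits, comment):
    modulus = (1 << (bits - 1)) | 1   # placeholder modulus of the requested size
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def make_ed25519_line(comment):
    blob = _string(b"ssh-ed25519") + _string(b"\x01" * 32)   # dummy 32-byte point
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_PILLAR = {
    "users": {
        "alice": {"ssh_keys": [make_ed25519_line("alice@laptop")]},
        "bob": {"ssh_keys": [make_rsa_line(2048, "bob@old-laptop"),
                             make_ed25519_line("bob@new-laptop")]},
        "carol": {"ssh_keys": ['from="10.0.0.0/8" ' + make_rsa_line(1024, "carol@legacy")]},
    }
}

if __name__ == "__main__":
    import sys
    pillar = load_pillar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PILLAR
    for user, line, bits in find_legacy_keys(pillar):
        print("%s\t%d-bit ssh-rsa\t%s" % (user, bits, line))
```

Run it with the path to users.sls to get one tab-separated line per affected user and key; on the built-in sample it reports bob (2048-bit) and carol (1024-bit) and ignores alice, whose only key is Ed25519. The key-type check is done on the decoded blob rather than on the text prefix so that a mislabelled entry is flagged instead of silently accepted.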