| 1 |
--- |
| 2 |
.../2015-08-13-openssh-weak-keys.en.txt | 26 ++++++++++++++++++++++ |
| 3 |
1 file changed, 26 insertions(+) |
| 4 |
create mode 100644 2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt |
| 5 |
|
| 6 |
diff --git a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt |
| 7 |
new file mode 100644 |
| 8 |
index 0000000..8dece5e |
| 9 |
--- /dev/null |
| 10 |
+++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt |
| 11 |
@@ -0,0 +1,26 @@ |
| 12 |
+Title: OpenSSH 7.0 disables ssh-dss keys by default |
| 13 |
+Author: Mike Frysinger <vapier@g.o> |
| 14 |
+Content-Type: text/plain |
| 15 |
+Posted: 2015-08-13 |
| 16 |
+Revision: 1 |
| 17 |
+News-Item-Format: 1.0 |
| 18 |
+Display-If-Installed: net-misc/openssh |
| 19 |
+ |
| 20 |
+Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has |
| 21 |
+been disabled by default at runtime. If you rely on these key types, |
| 22 |
+you will have to take corrective action or risk being locked out. |
| 23 |
+ |
| 24 |
+Your best option is to generate new keys using newer types such as rsa |
| 25 |
+or ecdsa or ed25519. RSA keys will give you the greatest portability |
| 26 |
+with other clients/servers while ed25519 will get you the best security |
| 27 |
+with OpenSSH (but requires recent versions of client & server). |
| 28 |
+ |
| 29 |
+If you are stuck with DSA keys, you can re-enable support locally by |
| 30 |
+updating your sshd_config file with a line like so: |
| 31 |
+ PubkeyAcceptedKeyTypes=+ssh-dss |
| 32 |
+ |
| 33 |
+Be aware though that eventually OpenSSH will drop support for DSA keys |
| 34 |
+entirely, so this is only a stop gap solution. |
| 35 |
+ |
| 36 |
+More details can be found on OpenSSH's website: |
| 37 |
+ http://www.openssh.com/legacy.html |
| 38 |
-- |
| 39 |
2.4.4 |
Archives