Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] [PATCH] document openssh-7.0 dsa key change #557388
Date: Thu, 13 Aug 2015 03:17:31
Message-Id: 1439435840-23541-1-git-send-email-vapier@gentoo.org
---
 .../2015-08-13-openssh-weak-keys.en.txt            | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt

diff --git a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
new file mode 100644
index 0000000..8dece5e
--- /dev/null
+++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
@@ -0,0 +1,26 @@
+Title: OpenSSH 7.0 disables ssh-dss keys by default
+Author: Mike Frysinger <vapier@g.o>
+Content-Type: text/plain
+Posted: 2015-08-13
+Revision: 1
+News-Item-Format: 1.0
+Display-If-Installed: net-misc/openssh
+
+Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
+been disabled by default at runtime.  If you rely on these key types,
+you will have to take corrective action or risk being locked out.
+
+Your best option is to generate new keys using newer types such as rsa
+or ecdsa or ed25519.  RSA keys will give you the greatest portability
+with other clients/servers while ed25519 will get you the best security
+with OpenSSH (but requires recent versions of client & server).
+
+If you are stuck with DSA keys, you can re-enable support locally by
+updating your sshd_config file with a line like so:
+	PubkeyAcceptedKeyTypes=+ssh-dss
+
+Be aware though that eventually OpenSSH will drop support for DSA keys
+entirely, so this is only a stop gap solution.
+
+More details can be found on OpenSSH's website:
+	http://www.openssh.com/legacy.html
-- 
2.4.4

Replies