On Wed, Aug 12, 2015 at 11:17 PM, Mike Frysinger <vapier@g.o> wrote:
> ---
> .../2015-08-13-openssh-weak-keys.en.txt | 26 ++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644 2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
>
> diff --git a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
> new file mode 100644
> index 0000000..8dece5e
> --- /dev/null
> +++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
> @@ -0,0 +1,26 @@
> +Title: OpenSSH 7.0 disables ssh-dss keys by default
> +Author: Mike Frysinger <vapier@g.o>
> +Content-Type: text/plain
> +Posted: 2015-08-13
> +Revision: 1
> +News-Item-Format: 1.0
> +Display-If-Installed: net-misc/openssh
> +
> +Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
> +been disabled by default at runtime. If you rely on these key types,
> +you will have to take corrective action or risk being locked out.
> +
> +Your best option is to generate new keys using newer types such as rsa
> +or ecdsa or ed25519. RSA keys will give you the greatest portability
> +with other clients/servers while ed25519 will get you the best security
> +with OpenSSH (but requires recent versions of client & server).
> +
> +If you are stuck with DSA keys, you can re-enable support locally by
> +updating your sshd_config file with a line like so:
> + PubkeyAcceptedKeyTypes=+ssh-dss
> +
> +Be aware though that eventually OpenSSH will drop support for DSA keys
> +entirely, so this is only a stop gap solution.
> +
> +More details can be found on OpenSSH's website:
> + http://www.openssh.com/legacy.html
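Review bot: the remediation step at `+updating your sshd_config file with a line like so:` / `+ PubkeyAcceptedKeyTypes=+ssh-dss` only covers the server, while the opening paragraph warns everyone who relies on ssh-dss keys about being locked out; the same keyword also controls which key types the ssh client will offer, so the item should say where the line goes for each side (sshd_config for the server, ssh_config or ~/.ssh/config for the client) and note that the leading `+` appends ssh-dss to the default list rather than replacing it. Since the text calls this a stop gap, it should also say to remove the line again once the keys have been regenerated as the earlier paragraph recommends.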

I think this should also mention that PubkeyAcceptedKeyTypes applies
to the ssh client, and can be added to ~/.ssh/config.