Gentoo Archives: gentoo-dev

From: Mike Gilbert <floppym@g.o>
To: Gentoo Dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] [PATCH] document openssh-7.0 dsa key change #557388
Date: Thu, 13 Aug 2015 21:18:32
Message-Id: CAJ0EP42kb=sE8+34jMPE5RMMkTGoLdh9+ahE6HR2U21mG_5R8w@mail.gmail.com
In Reply to: [gentoo-dev] [PATCH] document openssh-7.0 dsa key change #557388 by Mike Frysinger
On Wed, Aug 12, 2015 at 11:17 PM, Mike Frysinger <vapier@g.o> wrote:
> ---
> .../2015-08-13-openssh-weak-keys.en.txt | 26 ++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644 2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
>
> diff --git a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
> new file mode 100644
> index 0000000..8dece5e
> --- /dev/null
> +++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
> @@ -0,0 +1,26 @@
> +Title: OpenSSH 7.0 disables ssh-dss keys by default
> +Author: Mike Frysinger <vapier@g.o>
> +Content-Type: text/plain
> +Posted: 2015-08-13
> +Revision: 1
> +News-Item-Format: 1.0
> +Display-If-Installed: net-misc/openssh
> +
> +Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
> +been disabled by default at runtime. If you rely on these key types,
> +you will have to take corrective action or risk being locked out.
> +
> +Your best option is to generate new keys using newer types such as rsa
> +or ecdsa or ed25519. RSA keys will give you the greatest portability
> +with other clients/servers while ed25519 will get you the best security
> +with OpenSSH (but requires recent versions of client & server).
> +
> +If you are stuck with DSA keys, you can re-enable support locally by
> +updating your sshd_config file with a line like so:
> + PubkeyAcceptedKeyTypes=+ssh-dss
> +
> +Be aware though that eventually OpenSSH will drop support for DSA keys
> +entirely, so this is only a stop gap solution.
> +
> +More details can be found on OpenSSH's website:
> + http://www.openssh.com/legacy.html
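Review bot: the hunk only covers DSA user keys on the server side, but the 7.0 runtime change also disables ssh-dss host keys, and the "PubkeyAcceptedKeyTypes=+ssh-dss" line in sshd_config does nothing for that case: a 7.0 client will refuse a server that offers only a DSA host key unless the client side sets "HostKeyAlgorithms=+ssh-dss" (also documented at legacy.html), and the cleaner fix is to give the server an RSA, ECDSA or Ed25519 host key. The item should also say that sshd has to be reloaded or restarted after editing sshd_config, otherwise a reader who edits the file and then starts a new session may still be locked out.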

I think this should also mention that PubkeyAcceptedKeyTypes applies
to the ssh client, and can be added to ~/.ssh/config.
