Will/could there be some kind of UPDATING announcement re which files explicitly to switch out/remove/replace/checkfor etc the deprecated lines and precisely the steps to replace with new or some other suitable action? Action required for both the sshd and client? Subdirectories involved? etc... Unclear here, but I don't use SSH hardly yet... despite having bought the book.
On Mon, 8 Aug 2016 14:57:05 -0700, Devin Teske <dte...@freebsd.org> wrote: > > > On Aug 8, 2016, at 12:39 PM, Bernard Spil <bern...@bachfreund.nl> wrote: > > > > Hi Devin, > > > > This resource documents the choices pretty well I think > > https://stribika.github.io/2015/01/04/secure-secure-shell.html > > <https://stribika.github.io/2015/01/04/secure-secure-shell.html> > > Author has made some modifications up to Jan 2016 > > https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md > > > > <https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md> > > > > The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa. > > > > Even 6.5p1 shipped with 9.3 supports ed25519. > > > > Cheers, > > > > Bernard. > > > > Thanks for confirming, Bernard! > -- > Cheers, > Devin > > > > On 2016-08-08 19:56, Devin Teske wrote: > >> Which would you use? > >> ECDSA? > >> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography> > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>> > >> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover > >> operation", cryptography experts have also expressed concern over the > >> security of the NIST recommended elliptic curves,[31] > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31 > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>> > >> suggesting a return to encryption based on non-elliptic-curve groups. > >> "" > >> Or perhaps RSA? (as des@ recommends) > >> (not necessarily to Glen but anyone that wants to answer) > >> -- > >> Devin > >>> On Aug 4, 2016, at 6:59 PM, Glen Barber <g...@freebsd.org> wrote: > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA256 > >>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, > >>> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). > >>> Please see r303716 for details on the relevant commit, but upstream no > >>> longer considers them secure. Please replace DSA keys with ECDSA or RSA > >>> keys as soon as possible, otherwise there will be issues when upgrading > >>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the > >>> 11.0-RELEASE build. > >>> Glen > >>> On behalf of: re@ and secteam@ > >>> -----BEGIN PGP SIGNATURE----- > >>> Version: GnuPG v2 > >>> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb > >>> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK > >>> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl > >>> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR > >>> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u > >>> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs > >>> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c > >>> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 > >>> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r > >>> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL > >>> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx > >>> bLbbH2fh5bxDmDXDMdCF > >>> =LLtP > >>> -----END PGP SIGNATURE----- > >>> _______________________________________________ > >>> freebsd-annou...@freebsd.org mailing list > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-announce > >>> To unsubscribe, send any mail to > >>> "freebsd-announce-unsubscr...@freebsd.org" > >> _______________________________________________ > >> freebsd-sta...@freebsd.org <mailto:freebsd-sta...@freebsd.org> mailing list > >> https://lists.freebsd.org/mailman/listinfo/freebsd-stable > >> <https://lists.freebsd.org/mailman/listinfo/freebsd-stable> > >> To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org > >> <mailto:freebsd-stable-unsubscr...@freebsd.org>" > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" _______________________________________________ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
