commit:     866783aa60341e4a45a9cda16ed4d90f0770f3ef
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 13 03:16:44 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Aug 14 00:34:18 2015 +0000
URL:        https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=866783aa

document openssh-7.0 dsa key change #557388

 .../2015-08-13-openssh-weak-keys.en.txt            | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
new file mode 100644
index 0000000..1c4f296
--- /dev/null
+++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt
@@ -0,0 +1,27 @@
+Title: OpenSSH 7.0 disables ssh-dss keys by default
+Author: Mike Frysinger <[email protected]>
+Content-Type: text/plain
+Posted: 2015-08-13
+Revision: 1
+News-Item-Format: 1.0
+Display-If-Installed: net-misc/openssh
+
+Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
+been disabled by default at runtime due to their inherit weakness.  If
+you rely on these key types, you will have to take corrective action or
+risk being locked out.
+
+Your best option is to generate new keys using strong algos such as rsa
+or ecdsa or ed25519.  RSA keys will give you the greatest portability
+with other clients/servers while ed25519 will get you the best security
+with OpenSSH (but requires recent versions of client & server).
+
+If you are stuck with DSA keys, you can re-enable support locally by
+updating your sshd_config and ~/.ssh/config files with lines like so:
+       PubkeyAcceptedKeyTypes=+ssh-dss
+
+Be aware though that eventually OpenSSH will drop support for DSA keys
+entirely, so this is only a stop gap solution.
+
+More details can be found on OpenSSH's website:
+       http://www.openssh.com/legacy.html
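Review bot: The re-enable instructions cover only one of the two cases the item announces: "support for ssh-dss keys has been disabled" applies to DSA host keys as well as DSA user keys, but `PubkeyAcceptedKeyTypes=+ssh-dss` only restores user-key authentication; a client connecting to a server that still presents a DSA host key also needs `HostKeyAlgorithms=+ssh-dss` in ~/.ssh/config (the linked legacy page describes both). Either add that line or state explicitly that the snippet is for user keys only, so readers do not re-enable one and still find themselves locked out by the other. Two smaller points: "inherit weakness" should read "inherent weakness", and `Display-If-Installed: net-misc/openssh` will show the item to users of every OpenSSH version, whereas a version-bounded atom such as `>=net-misc/openssh-7.0` would limit it to installations where the default actually changed.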
