Article 5NYCC RSA/SHA1 signature type disabled by default in OpenSSH

RSA/SHA1 signature type disabled by default in OpenSSH

by
from OpenBSD Journal on (#5NYCC)

In amessage to tech@Damien Miller (djm@)explained the consequences of his recentcommit:

[...]RSA/SHA1, a.k.a the "ssh-rsa" signature type is now disabled by defaultin OpenSSH.While The SSH protocol confusingly uses overlapping names for key andsignature algorithms, this does not stop the use of RSA keys and thereis no need to regenerate "ssh-rsa" keys - most servers released in thelast five years will automatically negotiate the use of RSA/SHA-256/512signatures.This has been coming for a long time, but I do expect it will bedistruptive for some people as there are likely to be some devicesout there that cannot be upgraded to support the safer algorithms.In these cases, it is possible to selectively re-enable RSA/SHA1support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in thessh_config(5) or sshd_config(5) for the endpoint.Please report any problems here, to bugs@ or to openssh@[...]

TL;DR:

  • The "ssh-rsa" signature type is now disabled by default.
  • "ssh-rsa" signatures can be selectively re-enabled if necessary.
  • RSA ("ssh-rsa")keys are not affected by this change and remain valid.
External Content
Source RSS or Atom Feed
Feed Location http://undeadly.org/cgi?action=rss
Feed Title OpenBSD Journal
Feed Link http://undeadly.org/
Reply 0 comments