Slackware 15.0: consider libssh2 upgrade so RSA keys remain usable
by jwoithe from LinuxQuestions.org on (#6QNS1)
As is well known, the RSA sha1 key algorithms are no longer supported by OpenSSH due to security issues. If RSA keys are to be used, the sha2 exchange algorithms (rsa-sha2-512 and rsa-sha2-256) should be used instead.
The version of libssh2 currently in Slackware 15.0 is 1.10.0. Support for the RSA sha2 algorithms was introduced in version 1.11.0. This means that any client of libssh2 on Slackware 15.0 (such as curl for example) cannot connect to servers which run recent versions of OpenSSH or are manually configured to reject the old sha1 algorithm. This affects an increasing number of servers on the internet, including significant sites such as github. When running software such as curl, users of Slackware 15.0 are forced to either use an insecure algorithm (if the server allows it) or shift to a different key type (which may not be practically possible).
A reasonably complete discussion of this issue can be found in libssh2's issue 536.
As far as I can tell, the libssh2 ABI has not changed with version 1.11.0 so clients will not need a rebuild. I have successfully tested the compilation of libssh2 with the Slackware 15.0 libssh2.SlackBuild script. With the resulting library in place, curl continues to work correctly without a rebuild and is able to connect to an up-to-date Slackware box with an RSA key. Using the Slackware 15.0 libssh2 1.10.0, the same RSA key is rejected by the server due to the use of the sha1 algorithm.
In light of the increasing inability to use libssh2 clients to connect using RSA keys with the insecure sha1 exchange algorithm, could an upgrade to libssh2 1.11.0 be considered for Slackware 15.0 so the RSA keys can still be utilised where needed?
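As an added example (not part of jwoithe's post), a small POSIX shell script that tells the sha1-deprecation failure described above apart from other public-key problems. It assumes the OpenSSH client's `ssh -vv` output carries a `server-sig-algs=<...>` debug line (the RFC 8308 extension listing the signature algorithms the server accepts for public-key authentication); the sample line below is constructed, and the 1.11.0 threshold is the one given in the post.

```shell
#!/bin/sh
# Added example, not from the LinuxQuestions post. Classifies the server's advertised
# signature algorithms and compares the local libssh2 version against 1.11.0.

# Constructed sample of an OpenSSH "ssh -vv" debug line; not a real capture.
SAMPLE_EXT_INFO='debug1: kex_ext_info_check_ver: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256>'

# rsa_sig_support DEBUG_OUTPUT
# Prints which RSA signature flavours the server advertises:
#   sha2-only | sha1-only | both | none | unknown (no server-sig-algs line found)
rsa_sig_support() {
    algs=$(printf '%s\n' "$1" | sed -n 's/.*server-sig-algs=<\([^>]*\)>.*/\1/p' | head -n 1)
    if [ -z "$algs" ]; then echo unknown; return 0; fi
    has_sha2=0; has_sha1=0
    for a in $(printf '%s' "$algs" | tr ',' ' '); do
        case "$a" in
            rsa-sha2-256|rsa-sha2-512) has_sha2=1 ;;   # RSA key, SHA-2 signature: still accepted
            ssh-rsa) has_sha1=1 ;;                     # RSA key, SHA-1 signature: the deprecated one
        esac
    done
    if [ "$has_sha2" = 1 ] && [ "$has_sha1" = 1 ]; then echo both
    elif [ "$has_sha2" = 1 ]; then echo sha2-only
    elif [ "$has_sha1" = 1 ]; then echo sha1-only
    else echo none; fi
}

# libssh2_has_rsa_sha2 VERSION
# Succeeds when VERSION is 1.11.0 or later, the first libssh2 release that signs with rsa-sha2-*.
libssh2_has_rsa_sha2() {
    printf '%s\n' "$1" | awk -F. '{ exit !(($1+0) > 1 || (($1+0) == 1 && ($2+0) >= 11)) }'
}

# diagnose LIBSSH2_VERSION DEBUG_OUTPUT
# Combines the two checks into one verdict a user can act on.
diagnose() {
    support=$(rsa_sig_support "$2")
    if libssh2_has_rsa_sha2 "$1"; then
        echo "libssh2 $1 can sign with rsa-sha2-*; server offers: $support"
    elif [ "$support" = sha2-only ]; then
        echo "libssh2 $1 signs only with ssh-rsa (sha1); server accepts only sha2: RSA key unusable"
    else
        echo "libssh2 $1 signs only with ssh-rsa (sha1); server offers: $support"
    fi
}

# Stand-alone run with the constructed sample and the two versions named in the post.
diagnose 1.10.0 "$SAMPLE_EXT_INFO"
diagnose 1.11.0 "$SAMPLE_EXT_INFO"
```

On a real system, feed it `pkg-config --modversion libssh2` and the captured `ssh -vv` output instead of the constants.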