Allow SHA1 deprecation for rsa-sha

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

Following the fix [1] being released on 7.5, now SHA2 RSA signature
methods work properly.

On the other hand it is still not possible to disable SHA1 RSA alone
(as an example, as SHA2-256 or SHA2-512 could also potentially be not
desirable), where it is considered insecure or undesirable.

I am proposing to add a mechanism, and happy to submit a patch, to
enable selection of the Hashes allowed for RSA. If all or any of SHA1,
SHA2-256, and SHA2-512.

The straighforward solution would be just to adapt all options that
currently accept "ssh-rsa" to mean that they accept
(SHA1,SHA2-256,SHA2-512), and to use rsa-sha2-256 and rsa-sha2-512 to
mean just the specific hash formats.

So ssh-rsa would mean the same as now, and in the future deprecation
for sha1 could be enforced by replacing the config with
"rsa-sha2-256,rsa-sha2-512".

Unfortunately this doesn't cover the possibility the user wants to
disable instead sha2 and only allow sha1.

For that case I propose to extend keytypes at sshkey.c, with an
additional "rsa-sha1" algorithm.

This means that ssh-rsa would be the "legacy" configuration, with the
same meaning as "rsa-sha1, rsa-sha2-256, rsa-sha2-512".

I would appreciate comments if this is seen fit.

Also, since I am lacking on understanding the ssh protocol, I question
if this sha2 extensions also apply "ssh-rsa-cert-v01@xxxxxxxxxxx".

Thanks,
Nuno

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2680
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux