On 02/23/2020 01:06 AM, Bob Proulx wrote: [...] > Clear enough. "ssh-rsa" is being deprecated. If we see "ssh-rsa" > in our authorized_keys file we should migrate away from it. Gotcha. [...] > Hmm... "ssh-rsa" is okay if we are using other than SHA-1 signature > hashes. Hmm... But, but, but... "ssh-rsa" is being deprecated! As > stated just in the previous paragraph! Cognitive Dissonance! > > Could these statements be clarified for the poor feeble minded folks [...] I was confused in pretty much the same way - until I shoved a suitably old RSA keypair onto a freshly installed machine and did an "ssh -vvv -i $THE_OLD_PRIVKEY localhost": [...] > debug2: we sent a publickey packet, wait for reply [...] > debug3: sign_and_send_pubkey: signing using rsa-sha2-256 > debug3: send packet: type 50 > debug3: receive packet: type 52 > debug1: Authentication succeeded (publickey). [...] Then I ran "ssh-keygen -t rsa-sha2-256 ...", and lo: > $ sed -e 's/ .* / ... /' .ssh/id_rsa.pub > ssh-rsa ... Jochen.Bern@xxxxxxxxx My conclusion (pending smiting by the actual experts on this list ;-) : An RSA *keypair* is *just* RSA until the moment it gets used, while a *certificate* is *signed in its creation*, which pinpoints a hash function *therein* once and for all; note how the up-to-date ssh-keygen manpage gives a list of keywords for the "-t" option that includes only "rsa", and then continues to mention "rsa-sha2-256" and "rsa-sha2-512" *for certificate creation*. (I'm nonetheless urging the local users to create new *RSA and ed25519* keypairs on this occasion, the latter as a failsafe if some then "olden-style RSA" should one day go the way of sudden blacklisting, and a new RSA keypair per my how-to so that they'll have one with *all three* boosts to security (-b ... -a ... -m RFC4716).) Kind regards, -- Jochen Bern Systemingenieur Binect GmbH Robert-Koch-Straße 9 64331 Weiterstadt
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
