On Sat, Feb 22, 2020 at 05:06:29PM -0700, Bob Proulx wrote:
> Damien Miller wrote:
> > Future deprecation notice
> > =========================
> >
> > It is now possible[1] to perform chosen-prefix attacks against the
> > SHA-1 algorithm for less than USD$50K. For this reason, we will be
> > disabling the "ssh-rsa" public key signature algorithm by default in a
> > near-future release.
>
> Clear enough. "ssh-rsa" is being deprecated. If we see "ssh-rsa"
> in our authorized_keys file we should migrate away from it. Gotcha.
> I assume this is for both user keys and for host keys so the same
> would apply to the known_hosts file too.
>
>     grep ssh-rsa ~/.ssh/authorized_keys && echo Deprecation Warning: Time to upgrade!

No, the deprecation notice is talking about the key signature algorithm,
not the key type. SSH clients and servers agree a key signature algorithm
as part of their protocol negotiation. For RSA keys, all of "ssh-rsa",
"rsa-sha2-256", and "rsa-sha2-512" exist, using SHA-1, SHA-256, and
SHA-512 respectively as their hash algorithms. Unfortunately, the string
"ssh-rsa" is used as both a key type name in authorized_keys and as a key
signature algorithm name, which has caused a good deal of confusion with
this deprecation notice, but the two aren't actually the same thing.

My understanding is (and more knowledgeable people should correct me if
I'm wrong) that this deprecation notice affects the following people:

 * Users of OpenSSH certificates (see the CERTIFICATES section in
   ssh-keygen(1)); these may need to arrange for certificates to be
   re-signed using a stronger signature algorithm.

 * Users who have explicitly specified "ssh-rsa" in
   CASignatureAlgorithms, HostbasedKeyTypes, HostbasedAcceptedKeyTypes,
   HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in their client
   configuration files (~/.ssh/config or ssh_config); these need to
   ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512" is
   listed there as well.

 * Users connecting to old or poorly-configured servers that offer RSA
   host keys; in a future OpenSSH release, these may find that they need
   to configure "HostKeyAlgorithms +ssh-rsa" for those hosts in order to
   connect.

 * Users of straightforward RSA public keys authenticating to old or
   poorly-configured servers; in a future OpenSSH release, these may
   find that they need to configure "PubkeyAcceptedKeyTypes +ssh-rsa"
   for those hosts in order to authenticate.

 * Operators of older server software; these may need to upgrade to
   support the "rsa-sha2-256" or "rsa-sha2-512" signature algorithms.

 * Operators of OpenSSH servers who have explicitly specified "ssh-rsa"
   in CASignatureAlgorithms, HostbasedAcceptedKeyTypes,
   HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in sshd_config; these
   need to ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512"
   is listed there as well.

 * Developers of other SSH implementations; these may need to add
   support for the "rsa-sha2-256" and "rsa-sha2-512" signature
   algorithms.

Users of straightforward RSA public keys authenticating to reasonably
modern and well-configured servers are not affected, and do not need to
generate new keys, change their configuration, or migrate to different
key types.

HTH,

--
Colin Watson [cjwatson@xxxxxxxxxx]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
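Added example, not part of the thread above: the thing to inspect is the signature algorithm list a server advertises, not the "ssh-rsa" key-type word in authorized_keys. This POSIX shell snippet reads the server-sig-algs line that OpenSSH's "ssh -vv" prints after key exchange and reports whether RSA keys can be used with a SHA-2 signature; the debug lines embedded below are constructed samples.

```shell
#!/bin/sh
# Pull the comma-separated server-sig-algs list out of "ssh -vv" debug output
# (the line looks like: debug1: kex_input_ext_info: server-sig-algs=<a,b,c>).
server_sig_algs() {
    sed -n 's/.*server-sig-algs=<\([^>]*\)>.*/\1/p' | head -n 1
}

# Exact-name membership test on a comma-separated list, so that "ssh-rsa"
# does not accidentally match "ssh-rsa-cert-v01@openssh.com".
has_alg() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Read debug output on stdin and print one word:
#   sha2-ok   - server accepts rsa-sha2-256 and/or rsa-sha2-512 for RSA keys
#   sha1-only - server only accepts the SHA-1 based "ssh-rsa" signature
#   no-rsa    - server accepts no RSA signature algorithm at all
#   unknown   - no server-sig-algs extension seen (old server or not ext-info)
rsa_status() {
    algs=$(server_sig_algs)
    if [ -z "$algs" ]; then
        echo unknown
    elif has_alg "$algs" rsa-sha2-256 || has_alg "$algs" rsa-sha2-512; then
        echo sha2-ok
    elif has_alg "$algs" ssh-rsa; then
        echo sha1-only
    else
        echo no-rsa
    fi
}

# Constructed sample debug lines standing in for real "ssh -vv" output.
MODERN='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>'
SHA1_ONLY='debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ssh-dss>'
NO_RSA='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256>'

printf '%s\n' "$MODERN"    | rsa_status   # sha2-ok
printf '%s\n' "$SHA1_ONLY" | rsa_status   # sha1-only
printf '%s\n' "$NO_RSA"    | rsa_status   # no-rsa
printf ''                  | rsa_status   # unknown
```

Against a live host the same function is fed with `ssh -vv user@host 2>&1 | rsa_status`, since ssh writes its debug output to stderr; "sha2-ok" means plain RSA keys in authorized_keys keep working after the ssh-rsa signature algorithm is disabled.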