Alex,

Because you ask about UpdateHostKeys I think there might be a common misunderstanding behind your post. Apologies if I assumed wrongly!

RSA keys are not going away, and will continue to be supported.

'ssh-rsa' is the prefix used for the public keys as stored on disk, but that on-disk key format is not what's being deprecated. While this isn't obvious to those who aren't well-versed in SSH wire protocol internals, in the context of the deprecation, 'ssh-rsa' refers only to the ephemeral, over-the-wire signature algorithm used to validate the client's possession of the key.

As long as both the client and server support the newer signature algorithms like 'rsa-sha2-256' or 'rsa-sha2-512', your RSA keys will continue to work. (Also, the 'ssh-rsa' prefix is still used for the key, even though the signature algorithm is now named differently.)

The necessary signature algorithm support was added in OpenSSH 7.2.

I hope this helps,

--
Chris Danis (he/him)
Staff Site Reliability Engineer
Wikimedia Foundation

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
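The distinction drawn in the message above, as an added example that is not part of the original post: a small parser for SSH length-prefixed fields (RFC 4251) showing that the public key blob keeps the type name 'ssh-rsa' while the signature blob carries its own algorithm name. The key material, signature bytes and comment field are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import struct

def ssh_string(data):
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_strings(blob):
    """Split a blob into its consecutive length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields

def key_type(pubkey_line):
    """Key type of an authorized_keys-style line; the text prefix must match the blob."""
    prefix, b64 = pubkey_line.split()[:2]
    inner = read_strings(base64.b64decode(b64))[0].decode("ascii")
    if inner != prefix:
        raise ValueError("prefix does not match key blob")
    return inner

def signature_algorithm(sig_blob):
    """Algorithm name carried in a signature blob: string name, string signature."""
    return read_strings(sig_blob)[0].decode("ascii")

def uses_sha1_rsa(sig_blob):
    """True only for the SHA-1 based 'ssh-rsa' signature algorithm."""
    return signature_algorithm(sig_blob) == "ssh-rsa"

# Constructed sample data (toy values, not a usable key or real signatures).
E = b"\x01\x00\x01"
N = bytes(range(1, 33))
KEY_BLOB = ssh_string(b"ssh-rsa") + ssh_string(E) + ssh_string(N)
PUBKEY_LINE = "ssh-rsa " + base64.b64encode(KEY_BLOB).decode() + " constructed@example"
SIG_SHA2 = ssh_string(b"rsa-sha2-256") + ssh_string(b"\xaa" * 32)
SIG_SHA1 = ssh_string(b"ssh-rsa") + ssh_string(b"\xbb" * 32)

if __name__ == "__main__":
    print("key type:", key_type(PUBKEY_LINE))
    for name, sig in (("SIG_SHA2", SIG_SHA2), ("SIG_SHA1", SIG_SHA1)):
        print(name, signature_algorithm(sig), "SHA-1 RSA:", uses_sha1_rsa(sig))
```

The same RSA key blob is valid for both signature blobs; only the algorithm name in the signature differs.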