Re: Future deprecation of ssh-rsa

I've expressed several concerns with enabling UpdateHostKeys by default,
none of which were even commented on, so this topic seems to not be in
any way open for discussion, but I'll still add one more thing here.

Peter Stuge wrote:
> Subject: Re: UpdateHostkeys now enabled by default
> Date: Mon, 5 Oct 2020 11:22:29 +0000
..
> I do not disagree with progressive key management, we clearly need to
> roll keys now and then, and I'm also not against some automation, but
> I don't think that it should be fully automated.
..
> Host keys are quite stable and I think that's a good thing.


Damien Miller wrote:
> No, we haven't set a target date yet. It really depends on how well
> turning on UpdateHostKeys goes, how quickly a release with UpdateHostKeys
> ends up on common OS distributions and a couple of other things.

Beyond strongly disagreeing with clients silently accepting and persisting
unsolicited configuration changes from servers by default, I would like to
see differentiation between a couple of different UpdateHostKeys cases:

* from ssh-rsa to rsa-sha2-* without the host key changing
* from ssh-rsa to either ssh-rsa or rsa-sha2-* with a *new host key*, and
* from ssh-rsa to say ssh-ed25519 with a *new public host key algorithm*

I don't think that these three cases can reasonably be considered
to ever have the same, or even comparable, security properties. Do you?


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
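As an added example that is not part of this mail or of OpenSSH's own code: a small Python classifier that sorts a proposed host key update into the three cases listed above by comparing the stored key blob and key type with the offered one, so that a client-side policy can treat them differently. The key material is constructed placeholder data, and the policy function `needs_explicit_verification` is a hypothetical illustration of the mail's argument, not OpenSSH behaviour.

```python
import base64
import struct
from enum import Enum

class UpdateCase(Enum):
    UNCHANGED = "same key, same signature algorithm"
    SAME_KEY_NEW_SIGALG = "ssh-rsa -> rsa-sha2-*, host key unchanged"
    NEW_KEY_SAME_TYPE = "new host key of the same type"
    NEW_KEY_NEW_TYPE = "new host key with a new public key algorithm"

# Signature algorithms that all verify with an "ssh-rsa" public key.
RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 length prefix, RFC 4251)."""
    return struct.pack(">I", len(b)) + b

def make_pubkey_line(key_type: str, *fields: bytes) -> str:
    """Build a known_hosts style '<type> <base64 blob>' entry from constructed fields."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()}"

def parse_pubkey(line: str):
    """Return (key type, blob); the type inside the blob must match the prefix."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type prefix does not match blob")
    return key_type, blob

def classify_update(known: str, known_sigalg: str, offered: str, offered_sigalg: str) -> UpdateCase:
    """Place a proposed host key update into one of the cases the mail distinguishes."""
    ktype, kblob = parse_pubkey(known)
    otype, oblob = parse_pubkey(offered)
    if kblob == oblob:  # identical public key: at most the signature algorithm changed
        if known_sigalg == offered_sigalg:
            return UpdateCase.UNCHANGED
        if ktype == "ssh-rsa" and {known_sigalg, offered_sigalg} <= RSA_SIG_ALGS:
            return UpdateCase.SAME_KEY_NEW_SIGALG
        raise ValueError(f"{offered_sigalg} is not a signature algorithm for {ktype}")
    return UpdateCase.NEW_KEY_SAME_TYPE if ktype == otype else UpdateCase.NEW_KEY_NEW_TYPE

def needs_explicit_verification(case: UpdateCase) -> bool:
    """Hypothetical policy: only a change of the key itself introduces new trust;
    a signature algorithm upgrade over the already-trusted key does not."""
    return case in (UpdateCase.NEW_KEY_SAME_TYPE, UpdateCase.NEW_KEY_NEW_TYPE)

# Constructed sample keys: the numeric fields are placeholders, not real key material.
RSA_A = make_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xaa" * 16)
RSA_B = make_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xbb" * 16)
ED_A = make_pubkey_line("ssh-ed25519", b"\xcc" * 32)
```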


