[Bug 3253] ssh-keygen man page still lists deprecated key types for -t

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jan 19 10:16:54 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3253

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Markus Kuhn from comment #0)
> The man page ssh-keygen.1 still lists for option "-t" only the
> possible values
> 
>   dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
> 
> However, the first of these ("dsa" generating an "ssh-dss" key) is
> already disabled,

It's not disabled in ssh-keygen:

$ ssh-keygen -t dsa -f key -N ''
Generating public/private dsa key pair.
Your identification has been saved in key
Your public key has been saved in key.pub

> the last of these (rsa) seems scheduled to be
> disabled,

RSA keys are not scheduled to be deprecated.  One authentication
algorithm that uses RSA keys with a weak hash (i.e. ssh-rsa, which uses
sha1) is.  Existing and new RSA keys can still be used with the
stronger sha2 variants as long as both client and server support them.

> and many newer key types are missing.
> 
> In comparison, the default list of acceptable keytypes for publickey
> authentication is given in sshd_config.5 under option
> PubkeyAcceptedKeyTypes as

Unfortunately that keyword is pretty misleading.  It specifies
*algorithms*, not *key types*.  (In its defense, the lists were
equivalent when the keyword was added; they diverged later.)  We should
consider changing its name.

> Please update the list of available values after -t in ssh-keygen.1.

I think the list in ssh-keygen is accurate as it stands now.
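As an added example (not code from the bug report or from OpenSSH) of the distinction drawn above: the names under PubkeyAcceptedKeyTypes are signature algorithms, and several of them map onto one ssh-keygen -t key type, so an RSA key stays usable as long as rsa-sha2-256 or rsa-sha2-512 is accepted even after the SHA-1 ssh-rsa algorithm is removed. The sshd -T dump below is constructed, and SIG_ALG_TO_KEY, key_type_for_alg and audit_pubkey_algs are this example's own names.

```python
import re

# Signature algorithm -> (ssh-keygen -t key type, hash it signs with).
# Certificate variants ("-cert-v01@openssh.com") are stripped before lookup.
SIG_ALG_TO_KEY = {
    "ssh-rsa": ("rsa", "sha1"),
    "rsa-sha2-256": ("rsa", "sha256"),
    "rsa-sha2-512": ("rsa", "sha512"),
    "ssh-dss": ("dsa", "sha1"),
    "ecdsa-sha2-nistp256": ("ecdsa", "sha256"),
    "ecdsa-sha2-nistp384": ("ecdsa", "sha384"),
    "ecdsa-sha2-nistp521": ("ecdsa", "sha512"),
    "sk-ecdsa-sha2-nistp256@openssh.com": ("ecdsa-sk", "sha256"),
    "ssh-ed25519": ("ed25519", "sha512"),
    "sk-ssh-ed25519@openssh.com": ("ed25519-sk", "sha512"),
}

CERT_SUFFIX = "-cert-v01@openssh.com"


def key_type_for_alg(alg):
    """Map a signature algorithm name to its key type and hash, or None if unknown."""
    if alg.endswith(CERT_SUFFIX):
        alg = alg[: -len(CERT_SUFFIX)]
    return SIG_ALG_TO_KEY.get(alg)


def audit_pubkey_algs(sshd_t_output):
    """Read the pubkeyacceptedkeytypes (or pubkeyacceptedalgorithms) line of an
    `sshd -T` dump and report which key types remain usable and with what hashes,
    plus whether the SHA-1 ssh-rsa algorithm is still accepted."""
    m = re.search(r"^pubkeyaccepted(?:keytypes|algorithms)\s+(\S+)$",
                  sshd_t_output, re.M)
    if not m:
        raise ValueError("no PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms line")
    algs = m.group(1).split(",")
    usable = {}
    for alg in algs:
        info = key_type_for_alg(alg)
        if info is not None:
            usable.setdefault(info[0], set()).add(info[1])
    return {
        "algorithms": algs,
        "sha1_rsa_enabled": "ssh-rsa" in algs,
        "rsa_keys_usable": bool(usable.get("rsa")),
        "key_types": {k: sorted(v) for k, v in sorted(usable.items())},
    }


# Constructed sample resembling an `sshd -T` dump; not output from any real host.
SAMPLE_SSHD_T = """\
port 22
pubkeyacceptedkeytypes ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""

if __name__ == "__main__":
    print(audit_pubkey_algs(SAMPLE_SSHD_T))
```

On a live host, feed it the output of `sshd -T` instead of the sample; an empty `rsa` entry together with `sha1_rsa_enabled` false means RSA keys would stop working, which is a different condition from ssh-rsa alone being disabled.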
