[Bug 3253] ssh-keygen man page still lists deprecated key types for -t
bugzilla-daemon at mindrot.org
Tue Jan 19 10:16:54 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3253
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Markus Kuhn from comment #0)
> The man page ssh-keygen.1 still lists for option "-t" only the
> possible values
>
> dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
>
> However, the first of these ("dsa", generating an "ssh-dss" key) is
> already disabled,
It's not disabled in ssh-keygen:
$ ssh-keygen -t dsa -f key -N ''
Generating public/private dsa key pair.
Your identification has been saved in key
Your public key has been saved in key.pub
> the last of these (rsa) seems scheduled to be
> disabled,
RSA keys are not scheduled to be deprecated. One authentication
algorithm that uses RSA keys with a weak hash (i.e. ssh-rsa, which uses
SHA-1) is. Existing and new RSA keys can still be used with the
stronger SHA-2 variants as long as both client and server support them.
> and many newer key types are missing.
>
> In comparison, the default list of acceptable keytypes for publickey
> authentication is given in sshd_config.5 under option
> PubkeyAcceptedKeyTypes as
Unfortunately that keyword is pretty misleading. It specifies
*algorithms*, not *key types*. (In its defense, the lists were
equivalent when the keyword was added; they diverged later.) We should
consider changing its name.
> Please update the list of available values after -t in ssh-keygen.1.
I think the list in ssh-keygen is accurate as it stands now.
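The key-type versus signature-algorithm distinction drawn in the comment above, as an added Python example that is not part of the bug report or of OpenSSH: it builds a sample OpenSSH public-key line, reads the key type string that the blob itself carries, and filters the signature algorithms that key could authenticate with against an accepted-algorithms list. The SIG_ALGS_FOR_KEY_TYPE table and the sample key bytes are constructed here for illustration.

```python
import base64
import struct
from typing import List

# Signature algorithms OpenSSH can use with each public-key *type*. The key
# type is what `ssh-keygen -t` produces and what the key blob records; the
# algorithm is what PubkeyAcceptedKeyTypes actually filters. An RSA key
# therefore survives the removal of "ssh-rsa" (SHA-1) from the accepted list
# as long as one of the rsa-sha2-* algorithms remains. (Table constructed here.)
SIG_ALGS_FOR_KEY_TYPE = {
    "ssh-rsa": ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"],
    "ssh-dss": ["ssh-dss"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
    "ecdsa-sha2-nistp384": ["ecdsa-sha2-nistp384"],
    "ecdsa-sha2-nistp521": ["ecdsa-sha2-nistp521"],
    "ssh-ed25519": ["ssh-ed25519"],
}


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, fields: List[bytes], comment: str = "") -> str:
    """Build an authorized_keys-style line; `fields` are placeholder key parts,
    not real key material."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def key_type_from_line(line: str) -> str:
    """Return the key type embedded in the base64 blob (the leading label is
    only a hint; the blob is authoritative and the two must agree)."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode()
    if key_type != label:
        raise ValueError(f"label {label!r} does not match blob key type {key_type!r}")
    return key_type


def usable_algorithms(line: str, accepted: List[str]) -> List[str]:
    """Signature algorithms this key can authenticate with, given the peer's
    accepted-algorithms list. An empty result means the key is unusable."""
    kt = key_type_from_line(line)
    return [alg for alg in SIG_ALGS_FOR_KEY_TYPE.get(kt, []) if alg in accepted]
```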