[Bug 3779] SHA1 deprecation
bugzilla-daemon at mindrot.org
Tue Jan 21 09:30:32 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3779
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Shaheena Kazi from comment #0)
> Created attachment 3853 [details]
> ssh_vvv
>
> Package - OPENSSH
>
> I am using Debian 10 with the openssh version as OpenSSH_8.4p1
> Debian-2~bpo10+1. I have taken the package provided by Debian.
>
> I have a question - Is SHA1 still being supported on the openssh
> connections. I have done a ssh -vv user@<IP ADDRESS> which shows
> some traces for ssh-rsa.
>
> So, I just wanted to understand if SHA1 is still being supported.
[...]
> OpenSSH_7.5p1, OpenSSL 1.0.2o 27 Mar 2018
This is neither of the versions you describe elsewhere in your text.
That version was released about 8 years ago. 8.4p1 was 4 years ago and
9.2p1 was two years ago. In each case the behaviour can be modified by
the vendor, the system-wide client and server configs and the per-user
client config so there are too many variables to figure out what's
going on here.
> if I run ssh -o HostKeyAlgorithms=+ssh-rsa <hostname>
That appends ssh-rsa to the list of algorithms, so if there are any
other acceptable algorithms on the list those will get used first. If
your intent is to check if the server accepts ssh-rsa, you need
"HostKeyAlgorithms=ssh-rsa"
There's at least 4 places that SHA1 might be used: key-exchange
algorithms, host keys, user keys and message authentication codes.
You can use the dump-config mode with an empty config to figure out
what the defaults for your binaries are, then again without the -F/-f
to view the effective settings. For ssh(1):
$ ssh -G -F /dev/null localhost | \
    grep -E 'kexalgorithms|pubkeyacceptedalgorithms|hostkeyalgorithms|macs'
and sshd(8):
$ sudo /usr/sbin/sshd -T -f /dev/null | \
    grep -E 'kexalgorithms|pubkeyacceptedalgorithms|hostkeyalgorithms|macs'
https://www.openssh.com/releasenotes.html shows the changes in the
release versions, including the status of ssh-rsa deprecation.
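One way to act on the dump-config advice in the comment above, as an added example that is not part of the bug report or of OpenSSH itself: a small POSIX shell filter that reads the output of `ssh -G` or `sshd -T` and lists, for the four settings named (key exchange, host keys, user keys, MACs), every algorithm that still depends on SHA-1. The dump-config text it runs against is constructed for the example, and the function names sha1_algos and count_sha1_algos are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): given the output of
# `ssh -G -F /dev/null <host>` or `sshd -T -f /dev/null`, list the entries
# in the four SHA-1-relevant settings that still depend on SHA-1.

# Constructed sample dump-config output, modelled on the format ssh -G prints
# (one lowercase keyword per line, comma-separated algorithm lists). The
# algorithm names are real OpenSSH names; the selection is invented for the
# example and does not describe any particular release's defaults.
SAMPLE_CONFIG='kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com,ssh-dss
macs umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# Print "keyword algorithm" for every SHA-1-dependent algorithm read on stdin.
# SHA-1 shows up three ways: an explicit "sha1" in the name (KEX and MACs),
# "ssh-rsa" (RSA signatures over SHA-1, unlike rsa-sha2-256/512), and
# "ssh-dss" (DSA, which SSH only defines with SHA-1).
sha1_algos() {
    while read -r keyword list; do
        case "$keyword" in
            kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms|macs) ;;
            *) continue ;;   # ciphers etc. never involve SHA-1
        esac
        printf '%s\n' "$list" | tr ',' '\n' | while read -r algo; do
            case "$algo" in
                *sha1*|ssh-rsa|ssh-rsa-cert-v01@openssh.com|ssh-dss|ssh-dss-cert-v01@openssh.com)
                    printf '%s %s\n' "$keyword" "$algo" ;;
            esac
        done
    done
}

# Number of SHA-1-dependent entries found; 0 means SHA-1 is off in all four
# settings for the configuration that produced the input.
count_sha1_algos() {
    sha1_algos | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample. On a real system feed the
# live dump-config instead:  ssh -G -F /dev/null host | sha1_algos
printf '%s\n' "$SAMPLE_CONFIG" | sha1_algos
```

Run it once with `-F /dev/null` (or `-f /dev/null` for sshd) to see the compiled-in defaults and once without, as the comment suggests, and diff the two listings to see which SHA-1 entries come from the binary and which from a config file.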