[openssh-commits] [openssh] 02/02: upstream: After years of forewarning, disable the RSA/SHA-1

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2344750250247111a6c3c6a4fe84ed583a61cc11
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Aug 29 23:53:10 2021 +0000

    upstream: After years of forewarning, disable the RSA/SHA-1
    
    signature algorithm by default. It is feasible to create colliding SHA1
    hashes, so we need to deprecate its use.
    
    RSA/SHA-256/512 remains available and will be transparently selected
    instead of RSA/SHA1 for most SSH servers released in the last five+
    years. There is no need to regenerate RSA keys.
    
    The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
    PubkeyAcceptedAlgorithms directives on the client and server.
    
    ok dtucker deraadt
    
    OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
---
 myproposal.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/myproposal.h b/myproposal.h
index f03b7dfd..6d79937b 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -46,7 +46,6 @@
 	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
 	"rsa-sha2-512-cert-v01 at openssh.com," \
 	"rsa-sha2-256-cert-v01 at openssh.com," \
-	"ssh-rsa-cert-v01 at openssh.com," \
 	"ssh-ed25519," \
 	"ecdsa-sha2-nistp256," \
 	"ecdsa-sha2-nistp384," \
@@ -54,8 +53,7 @@
 	"sk-ssh-ed25519 at openssh.com," \
 	"sk-ecdsa-sha2-nistp256 at openssh.com," \
 	"rsa-sha2-512," \
-	"rsa-sha2-256," \
-	"ssh-rsa"
+	"rsa-sha2-256"
 
 #define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305 at openssh.com," \

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.