Allow SHA1 deprecation for rsa-sha

Nuno Gonçalves nunojpg at gmail.com
Wed Apr 5 00:18:30 AEST 2017


Hi,

Following the fix [1] being released on 7.5, now SHA2 RSA signature
methods work properly.

On the other hand it is still not possible to disable SHA1 RSA alone
(as an example, as SHA2-256 or SHA2-512 could also potentially be not
desirable), where it is considered insecure or undesirable.

I am proposing to add a mechanism, and happy to submit a patch, to
enable selection of the Hashes allowed for RSA. If all or any of SHA1,
SHA2-256, and SHA2-512.

The straightforward solution would be just to adapt all options that
currently accept "ssh-rsa" to mean that they accept
(SHA1,SHA2-256,SHA2-512), and to use rsa-sha2-256 and rsa-sha2-512 to
mean just the specific hash formats.

So ssh-rsa would mean the same as now, and in the future deprecation
for sha1 could be enforced by replacing the config with
"rsa-sha2-256,rsa-sha2-512".

Unfortunately this doesn't cover the possibility the user wants to
disable instead sha2 and only allow sha1.

For that case I propose to extend keytypes at sshkey.c, with an
additional "rsa-sha1" algorithm.

This means that ssh-rsa would be the "legacy" configuration, with the
same meaning as "rsa-sha1, rsa-sha2-256, rsa-sha2-512".

I would appreciate comments if this is seen fit.

Also, since I am lacking in understanding of the ssh protocol, I question
whether these sha2 extensions also apply to "ssh-rsa-cert-v01@openssh.com".

Thanks,
Nuno

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2680
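The algorithm-list semantics proposed above, modelled as an added example (not OpenSSH code and not part of the original post): "ssh-rsa" in a config value keeps its legacy meaning and expands to all three hashes, "rsa-sha2-256" and "rsa-sha2-512" select one hash each, and the hypothetical "rsa-sha1" name the post proposes selects SHA1 alone. The function names, the mapping table and the sample config values are assumptions for illustration. One detail the model has to get right is that a signature using SHA1 is named "ssh-rsa" on the wire, so the wire name is mapped to the proposed config name before checking it against the expanded list.

```python
"""Model of the proposed per-hash RSA signature selection for an
OpenSSH-style algorithm list. Hypothetical example; not OpenSSH code."""

# Concrete RSA signature algorithms and the hash each one uses.
# "rsa-sha1" is the config name proposed in the post (assumption);
# on the wire a SHA1 RSA signature is still called "ssh-rsa".
RSA_SIG_ALGS = {
    "rsa-sha1": "SHA1",
    "rsa-sha2-256": "SHA2-256",
    "rsa-sha2-512": "SHA2-512",
}

# Legacy meaning of "ssh-rsa" in a config list: every RSA hash.
LEGACY_ALIAS = {"ssh-rsa": tuple(RSA_SIG_ALGS)}


def expand_algs(config_value):
    """Expand a comma-separated algorithm list into the concrete
    algorithms it permits, in order, without duplicates.
    Names that are not RSA aliases (e.g. ssh-ed25519) pass through."""
    allowed = []
    for name in (n.strip() for n in config_value.split(",")):
        if not name:
            continue
        for expanded in LEGACY_ALIAS.get(name, (name,)):
            if expanded not in allowed:
                allowed.append(expanded)
    return allowed


def wire_to_config_name(wire_sig_alg):
    """Map the signature-algorithm name carried in the protocol to the
    config name used above. 'ssh-rsa' on the wire means RSA with SHA1."""
    return "rsa-sha1" if wire_sig_alg == "ssh-rsa" else wire_sig_alg


def signature_allowed(config_value, wire_sig_alg):
    """True if a signature made with wire_sig_alg passes the config list."""
    return wire_to_config_name(wire_sig_alg) in expand_algs(config_value)


def hashes_allowed(config_value):
    """Sorted list of RSA hashes the config list permits."""
    return sorted(RSA_SIG_ALGS[a] for a in expand_algs(config_value)
                  if a in RSA_SIG_ALGS)


if __name__ == "__main__":
    # Constructed sample config values covering the cases in the post.
    for cfg in ("ssh-rsa",                      # legacy: all hashes
                "rsa-sha2-256,rsa-sha2-512",    # SHA1 deprecated
                "rsa-sha1",                     # SHA2 disabled, SHA1 only
                "ssh-ed25519,rsa-sha2-512"):    # non-RSA name passes through
        print(f"{cfg!r}: expands to {expand_algs(cfg)}, "
              f"RSA hashes {hashes_allowed(cfg)}, "
              f"wire 'ssh-rsa' allowed: {signature_allowed(cfg, 'ssh-rsa')}")
```

With this model, replacing "ssh-rsa" in a config value by "rsa-sha2-256,rsa-sha2-512" rejects SHA1 signatures (wire name "ssh-rsa") while still accepting both SHA2 variants, which is the deprecation path the post describes; the reverse, "rsa-sha1", accepts only SHA1.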


More information about the openssh-unix-dev mailing list