Allow SHA1 deprecation for rsa-sha

Jakub Jelen jjelen at
Wed Apr 5 18:21:10 AEST 2017

On 04/04/2017 04:18 PM, Nuno Gonçalves wrote:
> Hi,
> Following the fix [1] being released on 7.5, now SHA2 RSA signature
> methods work properly.
> On the other hand it is still not possible to disable SHA1 RSA alone
> (as an example, as SHA2-256 or SHA2-512 could also potentially be not
> desirable), where it is considered insecure or undesirable.
> I am proposing to add a mechanism, and happy to submit a patch, to
> enable selection of the Hashes allowed for RSA. If all or any of SHA1,
> SHA2-256, and SHA2-512.
> The straightforward solution would be just to adapt all options that
> currently accept "ssh-rsa" to mean that they accept
> (SHA1,SHA2-256,SHA2-512), and to use rsa-sha2-256 and rsa-sha2-512 to
> mean just the specific hash formats.
> So ssh-rsa would mean the same as now, and in the future deprecation
> for sha1 could be enforced by replacing the config with
> "rsa-sha2-256,rsa-sha2-512".
> Unfortunately this doesn't cover the possibility the user wants to
> disable instead sha2 and only allow sha1.
> For that case I propose to extend keytypes at sshkey.c, with an
> additional "rsa-sha1" algorithm.
> This means that ssh-rsa would be the "legacy" configuration, with the
> same meaning as "rsa-sha1, rsa-sha2-256, rsa-sha2-512".
> I would appreciate comments if this is seen fit.
> Also, since I am lacking on understanding the ssh protocol, I question
> if this sha2 extensions also apply "ssh-rsa-cert-v01 at".
> Thanks,
> Nuno
> [1]


Disabling SHA-1 for signatures sounds like a good idea these days (and 
was the main reason why the extension was created, if I read it right [1]).
This leaves me confused if the use case without SHA1 was missed from the 
draft or it was left as an implementation detail, that was not 
implemented in OpenSSH.

Your proposal sounds reasonable, though I am not sure if this should all go 
into this single configuration option, or whether we should use a different 
one talking about the hash algorithms, such as PubkeySignatureHash, since the 
existing list of algorithms (PubkeyAcceptedKeyTypes) is long enough already.

To my understanding, this update should not be needed for the 
certificates, since they are just an addition to public keys and do not 
change how the private key operations are performed (and secured).


Jakub Jelen
Software Engineer
Security Technologies
Red Hat
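The two configuration shapes discussed in this thread, as an added example that is not OpenSSH code and not part of either message: the first evaluator implements Nuno's proposal (a configured "ssh-rsa" keeps meaning all three RSA hashes, "rsa-sha2-256"/"rsa-sha2-512" select one hash each, and a hypothetical "rsa-sha1" name selects SHA-1 alone); the second implements Jakub's alternative of a separate hash option, here called PubkeySignatureHash as in his reply, whose exact syntax is an assumption. Both functions decide whether a signature algorithm seen on the wire would be accepted, so the SHA-1 deprecation case and the SHA-1-only case can be checked against a given configuration.

```python
# Added example: policy evaluators for the RSA signature-hash selection
# semantics proposed in this thread. Not OpenSSH code; names, option
# syntax and the "rsa-sha1" selector are assumptions taken from the thread.

# Proposed meaning of the RSA names in PubkeyAcceptedKeyTypes.
# "ssh-rsa" stays the legacy wildcard equivalent to all three hashes;
# "rsa-sha1" is the hypothetical new name that selects SHA-1 only.
RSA_EXPANSION = {
    "ssh-rsa": {"rsa-sha1", "rsa-sha2-256", "rsa-sha2-512"},
    "rsa-sha1": {"rsa-sha1"},
    "rsa-sha2-256": {"rsa-sha2-256"},
    "rsa-sha2-512": {"rsa-sha2-512"},
}

# Signature names a peer actually sends. On the wire, "ssh-rsa" is the
# SHA-1 signature (RFC 4253); "rsa-sha2-256"/"rsa-sha2-512" come from the
# SHA-2 extension (RFC 8332). Map them onto the internal selectors above.
WIRE_TO_SELECTOR = {
    "ssh-rsa": "rsa-sha1",
    "rsa-sha2-256": "rsa-sha2-256",
    "rsa-sha2-512": "rsa-sha2-512",
}

# Which hash each wire signature uses; used by the separate-option variant.
WIRE_TO_HASH = {
    "ssh-rsa": "sha1",
    "rsa-sha2-256": "sha2-256",
    "rsa-sha2-512": "sha2-512",
}


def _split(value):
    """Split a comma-separated option value into a list of non-empty names."""
    return [n.strip() for n in value.split(",") if n.strip()]


def expand_accepted(key_types):
    """Expand a PubkeyAcceptedKeyTypes value into the set of concrete
    selectors it allows under the proposed semantics. Non-RSA names
    (e.g. ssh-ed25519) pass through unchanged."""
    allowed = set()
    for name in _split(key_types):
        allowed |= RSA_EXPANSION.get(name, {name})
    return allowed


def permitted_single_option(key_types, wire_sig_alg):
    """Variant 1 (Nuno's proposal): everything lives in PubkeyAcceptedKeyTypes.
    Returns True if a signature made with wire_sig_alg is acceptable."""
    selector = WIRE_TO_SELECTOR.get(wire_sig_alg, wire_sig_alg)
    return selector in expand_accepted(key_types)


def permitted_separate_option(key_types, signature_hashes, wire_sig_alg):
    """Variant 2 (Jakub's alternative): PubkeyAcceptedKeyTypes keeps its
    current meaning ("ssh-rsa" = the RSA key type), and a separate,
    assumed PubkeySignatureHash option lists the hashes allowed for RSA
    signatures (e.g. "sha2-256,sha2-512"). Non-RSA algorithms are
    governed by the key-type list alone."""
    accepted_types = set(_split(key_types))
    if wire_sig_alg in WIRE_TO_HASH:
        # All RSA signature flavours share the "ssh-rsa" key type.
        if "ssh-rsa" not in accepted_types:
            return False
        return WIRE_TO_HASH[wire_sig_alg] in set(_split(signature_hashes))
    return wire_sig_alg in accepted_types


if __name__ == "__main__":
    # Constructed configurations illustrating the three cases in the thread.
    legacy = "ssh-rsa,ssh-ed25519"
    no_sha1 = "rsa-sha2-256,rsa-sha2-512,ssh-ed25519"
    sha1_only = "rsa-sha1"
    for cfg in (legacy, no_sha1, sha1_only):
        for wire in ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"):
            print(f"{cfg:40} {wire:14} -> {permitted_single_option(cfg, wire)}")
    print(permitted_separate_option("ssh-rsa", "sha2-256,sha2-512", "ssh-rsa"))
```

Under variant 1, a deployment that wants to retire SHA-1 replaces "ssh-rsa" with "rsa-sha2-256,rsa-sha2-512" in the existing option; under variant 2 the key-type list is untouched and only the hash list changes, which is the trade-off Jakub raises about keeping PubkeyAcceptedKeyTypes from growing further.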
