Call for testing: OpenSSH 8.2
Damien Miller
djm at mindrot.org
Thu Feb 6 16:25:50 AEDT 2020
On Wed, 5 Feb 2020, Phil Pennock wrote:
> On 2020-02-06 at 14:41 +1100, Damien Miller wrote:
> > No, sorry - the rules evaluation is enough of a mess without adding
> > more corner cases where first-match-doesn't-always-win...
>
> Fair. Thanks for the feedback. :)
>
> > I don't think that is correct. Host legacy won't have ssh-dss enabled
> > because that isn't in the default set of algs to begin with.
>
> Ugh. Okay, bad example, sorry. I should have stuck to what I'm
> actually using. For $reasons, I'm disabling all RSA by default,
> sticking to ECC for pubkey usage in SSH. I re-enable it where needed
> for some hosts. Legacy was my euphemism for "no ECC".
>
> Host legacy
> HostKeyAlgorithms +rsa-sha2-256,rsa-sha2-512
> Host *
> HostKeyAlgorithms -ssh-rsa*,ssh-dss*,rsa-sha*
>
> This will re-enable ssh-rsa for host legacy.
I'll quibble by saying ssh-rsa was never disabled for host legacy to
begin with, but yeah - the result is the same: we only support a single
+/- modification.
> FWIW, while github.com has updated to allow rsa-sha2-* algorithms,
> very public hosts which will currently cause people pain because they
> only allow ssh-rsa include:
>
> * bazaar.launchpad.net
> * bitbucket.org (also ssh-dss)
> * AWS codecommit hosts (at least, the one I touch)
That's why we're warning people now :) Hopefully these will fix their
sh^wstuff before we actually turn off ssh-rsa.
-d
More information about the openssh-unix-dev
mailing list