Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)

Colin Watson cjwatson at debian.org
Sun Feb 23 22:28:08 AEDT 2020


On Sat, Feb 22, 2020 at 05:06:29PM -0700, Bob Proulx wrote:
> Damien Miller wrote:
> > Future deprecation notice
> > =========================
> > 
> > It is now possible[1] to perform chosen-prefix attacks against the
> > SHA-1 algorithm for less than USD$50K. For this reason, we will be
> > disabling the "ssh-rsa" public key signature algorithm by default in a
> > near-future release.
> 
> Clear enough.  "ssh-rsa" is being deprecated.  If we see "ssh-rsa"
> in our authorized_keys file we should migrate away from it.  Gotcha.
> I assume this is for both user keys and for host keys so the same
> would apply to the known_hosts file too.
> 
>   grep ssh-rsa ~/.ssh/authorized_keys && echo Deprecation Warning: Time to upgrade!

No, the deprecation notice is talking about the key signature algorithm,
not the key type.  SSH clients and servers agree a key signature
algorithm as part of their protocol negotiation.  For RSA keys, all of
"ssh-rsa", "rsa-sha2-256", and "rsa-sha2-512" exist, using SHA-1,
SHA-256, and SHA-512 respectively as their hash algorithms.

Unfortunately, the string "ssh-rsa" is used as both a key type name in
authorized_keys and as a key signature algorithm name, which has caused
a good deal of confusion with this deprecation notice, but the two
aren't actually the same thing.

My understanding is (and more knowledgeable people should correct me if
I'm wrong) that this deprecation notice affects the following people:

 * Users of OpenSSH certificates (see the CERTIFICATES section in
   ssh-keygen(1)); these may need to arrange for certificates to be
   re-signed using a stronger signature algorithm.

 * Users who have explicitly specified "ssh-rsa" in
   CASignatureAlgorithms, HostbasedKeyTypes, HostbasedAcceptedKeyTypes,
   HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in their client
   configuration files (~/.ssh/config or ssh_config); these need to
   ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512" is
   listed there as well.

 * Users connecting to old or poorly-configured servers that offer RSA
   host keys; in a future OpenSSH release, these may find that they need
   to configure "HostKeyAlgorithms +ssh-rsa" for those hosts in order to
   connect.

 * Users of straightforward RSA public keys authenticating to old or
   poorly-configured servers; in a future OpenSSH release, these may
   find that they need to configure "PubkeyAcceptedKeyTypes +ssh-rsa"
   for those hosts in order to authenticate.

 * Operators of older server software; these may need to upgrade to
   support the "rsa-sha2-256" or "rsa-sha2-512" signature algorithms.

 * Operators of OpenSSH servers who have explicitly specified "ssh-rsa"
   in CASignatureAlgorithms, HostbasedAcceptedKeyTypes,
   HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in sshd_config; these
   need to ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512"
   is listed there as well.

 * Developers of other SSH implementations; these may need to add
   support for the "rsa-sha2-256" and "rsa-sha2-512" signature
   algorithms.

Users of straightforward RSA public keys authenticating to reasonably
modern and well-configured servers are not affected, and do not need to
generate new keys, change their configuration, or migrate to different
key types.

HTH,

-- 
Colin Watson                                       [cjwatson at debian.org]
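
A check for the two configuration cases in the list above (a directive that explicitly names "ssh-rsa" without "rsa-sha2-256" or "rsa-sha2-512"), as an added example that is not part of the original message or of OpenSSH. The names audit_ssh_rsa and demo_config and the sample configuration are constructed for illustration; the script assumes that a list starting with "+", "-" or "^" modifies the default set rather than replacing it (as ssh_config(5) describes) and does not expand wildcard patterns.

```shell
#!/bin/sh
# Added example: report explicit algorithm lists that name the SHA-1
# signature algorithm "ssh-rsa" but neither SHA-2 RSA algorithm.
# It inspects configuration directives, not key types in authorized_keys.
audit_ssh_rsa() {
    awk '
    BEGIN {
        # Directives named in the message (client and server side).
        list = "casignaturealgorithms hostbasedkeytypes"
        list = list " hostbasedacceptedkeytypes hostkeyalgorithms"
        list = list " pubkeyacceptedkeytypes"
        n = split(list, k, " ")
        for (i = 1; i <= n; i++) watched[k[i]] = 1
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keyword and value are separated by whitespace or a single "=".
        if (!match(line, /[ \t=]/)) next
        name = substr(line, 1, RSTART - 1)
        val = substr(line, RSTART)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        gsub(/"/, "", val)
        sub(/[ \t]+$/, "", val)
        if (!(tolower(name) in watched)) next
        # Assumption: +, - and ^ prefixes adjust the defaults, so the
        # SHA-2 algorithms in the default set are still offered.
        if (val ~ /^[-+^]/) next
        sha1 = 0; sha2 = 0
        m = split(val, alg, ",")
        for (i = 1; i <= m; i++) {
            if (alg[i] == "ssh-rsa") sha1 = 1
            if (alg[i] == "rsa-sha2-256" || alg[i] == "rsa-sha2-512") sha2 = 1
        }
        if (sha1 && !sha2)
            printf "%s:%d: %s lists ssh-rsa without rsa-sha2-256 or rsa-sha2-512\n", FILENAME, FNR, name
    }' "$@"
}

# Constructed sample configuration (not from the original message).
demo_config() {
cat <<'EOF'
Host legacy
    HostKeyAlgorithms +ssh-rsa
Host pinned
    PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519
Host ok
    hostkeyalgorithms=rsa-sha2-512,ssh-rsa
EOF
}

# Audit any files given on the command line, e.g. ~/.ssh/config.
[ "$#" -eq 0 ] || audit_ssh_rsa "$@"
```

On the sample, only the "pinned" entry is reported: the "+ssh-rsa" line adds to the defaults, and the last line already lists a SHA-2 algorithm.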


More information about the openssh-unix-dev mailing list