OpenSSH support for FIDO RSA keys
Stuart Henderson
stu at spacehopper.org
Mon Aug 30 21:40:06 AEST 2021
On 2021/08/30 11:43, David Newall wrote:
> On 28/8/21 2:57 am, Peter Stuge wrote:
> > Damien Miller wrote:
> > > I'm expecting a big fight when I eventually push to remove ssh-dss,
> > FWIW I think that's long overdue, and understand your worry.
>
> I, too, understand your worry, but I also understand why there will be a lot
> of pushback against removing it.
>
> A lot of equipment, perfectly good equipment, expensive equipment, but old
> equipment requires it. Most of it is behind a security appliance so there's
> no real risk is negligible if indeed it's not actually zero.
>
> Removing DSS removes management access to the equipment and the only reason
> is a pedantic complaint that DSS is trivially broken.
>
> Please don't break equipment over well-meaning pedantry.
Oh not this one again. OpenSSH already removed support for things used
by some devices. It is annoying but the world didn't end - if you need
to use some separate legacyssh binary (sometimes spelt 'p l i n k') to
connect it acts as a good reminder that you're not really using a secure
protocol for that connection.
More information about the openssh-unix-dev
mailing list