OpenSSH support for FIDO RSA keys

Simon Josefsson simon at josefsson.org
Tue Aug 31 00:22:38 AEST 2021


Stuart Henderson <stu at spacehopper.org> writes:

> On 2021/08/30 11:43, David Newall wrote:
>> On 28/8/21 2:57 am, Peter Stuge wrote:
>> > Damien Miller wrote:
>> > > I'm expecting a big fight when I eventually push to remove ssh-dss,
>> > FWIW I think that's long overdue, and understand your worry.
>> 
>> I, too, understand your worry, but I also understand why there will be a lot
>> of pushback against removing it.
>> 
>> A lot of equipment, perfectly good equipment, expensive equipment, but old
>> equipment requires it.  Most of it is behind a security appliance so the
>> real risk is negligible, if indeed it's not actually zero.
>> 
>> Removing DSS removes management access to the equipment and the only reason
>> is a pedantic complaint that DSS is trivially broken.
>> 
>> Please don't break equipment over well-meaning pedantry.
>
> Oh not this one again. OpenSSH already removed support for things used
> by some devices. It is annoying but the world didn't end - if you need
> to use some separate legacyssh binary (sometimes spelt 'p l i n k') to
> connect it acts as a good reminder that you're not really using a secure
> protocol for that connection.

I agree -- I believe it is important that users of OpenSSH end up with
secure channels, since that is the expectation that OpenSSH gives.

Support for insecure algorithms and features can be moved to a
side-project called (say) 'InscuriSSH' and a tool 'ish', if there is
enough interest to maintain it, similar in spirit to the OpenSSH
Portability version.

Count me as +1 on removing ssh-dss now.

/Simon