Announce: timeline to remove DSA support in OpenSSH

Thu Jan 11 15:40:37 AEDT 2024

Hi,

OpenSSH plans to remove support for DSA keys in the near future. This
message describes our rationale, process and proposed timeline.

Rationale
---------

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is <=80 bits symmetric equivalent[1][2].

OpenSSH has disabled DSA keys by default since 2015 but has retained
optional support for them. DSA is the only mandatory-to-implement
algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms
were encumbered by patents when the SSHv2 protocol was designed and
specified.

Since then, the world has moved on. RSA is unencumbered and support
for it is ubiquitous. ECDSA offers significant performance and
security benefits over modp DSA, and EdDSA overs further performance
and security improvements over both again.

The only remaining use of DSA at this point should be deeply legacy
devices. As such, we no longer consider the costs of maintaining DSA
in OpenSSH to be justified. Moreover, we hope that OpenSSH's final
removal of this insecure algorithm accelerates its deprecation in
other SSH implementations and allows maintainers of cryptography
libraries to remove it too.

Process and timeline
--------------------

The next release of OpenSSH (due around 2024/03) will make DSA
optional at compile time, but still enable it by default. Users and
downstream distributors of OpenSSH may use this option to explore the
impact of DSA removal in their environments, or to hard-deprecate it
early if they desire.

Around 2024/06, a release of OpenSSH will change this compile-time
default to disable DSA. It may still be enabled by users/distributors
if needed.

Finally, in the first OpenSSH release after 2025/01/01 the DSA code
will be removed entirely.

In summary:

2024/01 - this announcement
2024/03 (estimated) - DSA compile-time optional, enabled by default
2024/06 (estimated) - DSA compile-time optional, *disabled* by default
2025/01 (estimated) - DSA is removed from OpenSSH

Questions
---------

 * What if I have devices that only support DSA?

Removing DSA from OpenSSH will not remove endpoints that require DSA
from the world and users may still need to connect to them. Although
new releases of OpenSSH will no longer support DSA, past releases and
alternate SSH implementations will continue to do so.

We recommend that users with an ongoing need to connect to DSA-only
endpoints maintain a legacy release of an OpenSSH client for this
purpose, similar to what was recommended when support for the SSHv1
protocol was removed.

For example, Debian maintains a "openssh-client-ssh1" package built
from OpenSSH 7.5 for the purpose of connecting to SSHv1 endpoints.
This package or something similar is likely to be sufficient for
DSA-only endpoints too.

 * Doesn't this make OpenSSH non-compliant with RFC4253?

Practically, no more than we've been since 2015 when we stopped
offering DSA by default.

 * Why make this change now? Why not earlier/later?

We feel like enough time has passed since DSA was disabled by default
for the overwhelming majority of users to have abandoned use of the
algorithm. We are also likely to start exploring a post-quantum
signature algorithm soon and are mindful of the overall size and
complexity of the key/signature code.

 * I want to discuss this change further

The https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
mailing list is the best place to discuss this. Alternately you can
email the OpenSSH developers at openssh at openssh.com.

Thanks,
Damien Miller, on behalf of the OpenSSH project

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
[2] https://www.rfc-editor.org/rfc/rfc9142.html#section-1.1
[3] https://www.rfc-editor.org/rfc/rfc4253.html#section-6.6