[Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information
From: bob
Subject: [Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information
Date: Sun, 10 Oct 2021 16:34:11 -0400 (EDT)
Revision: 451
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=451
Author: rwp
Date: 2021-10-10 16:34:10 -0400 (Sun, 10 Oct 2021)
Log Message:
-----------
Add OpenSSH 8.8 SHA-1 Deprecation Information
OpenSSH 8.8 deprecated all SHA-1 use by default. Document how this
affects Savannah users and how to manage the issue.
Modified Paths:
--------------
trunk/sviki/SshAccess.mdwn
Modified: trunk/sviki/SshAccess.mdwn
===================================================================
--- trunk/sviki/SshAccess.mdwn 2021-10-10 20:34:04 UTC (rev 450)
+++ trunk/sviki/SshAccess.mdwn 2021-10-10 20:34:10 UTC (rev 451)
@@ -1,6 +1,62 @@
ssh and savannah
================
+OpenSSH 8.8 SHA-1 Deprecation October 2021
+------------------------------------------
+
+OpenSSH 8.8 was released on September 26, 2021 and subsequently has
+been upgraded to by users of Savannah that are also following the
+bleeding edge of development of OpenSSH. Most users of Stable OS
+software distributions will not yet have that new version and will not
+yet be affected. In release 8.8 OpenSSH deprecated all use of the
+SHA-1 hash algorithm. This affects users who are connecting to the
+vcs0 node hosting git, svn, hg repositories using ssh-rsa keys. (The
+cvs repositories are not affected.) The root cause being that the
+OpenSSH server on vcs0 is older and still primarily using the SHA-1
+hash algorithm by default for host keys. Upgrading the services is a
+high priority but there are various entanglements which makes doing
+this immediately and quickly rather hard. It will take some time.
+Please be patient.
+
+There two solutions that have been reported to work. (I have been
+unable to test this myself as my newest OpenSSH is version 8.4, before
+the SHA-1 deprecation. But these are the success reports.)
+
+1. The first workaround comes from the OpenSSH 8.8 release notes. Provide a
special client configuration on your system to enable ssh-rsa keys on your
client for git for Savannah. The following stanza in your `~/.ssh/config` file
will enable RSA/SHA1 for host and user authentication for a single destination
host. The names (`git.savannah.gnu.org` and the others) listed must match the
name you are using to connect exactly. When matching this name then ssh will
apply the options specified.
+
+ Host git.savannah.gnu.org git.sv.gnu.org git.savannah.nongnu.org
git.sv.nongnu.org
+ HostkeyAlgorithms +ssh-rsa
+ PubkeyAcceptedAlgorithms +ssh-rsa
+
+2. The second workaround is to upgrade your ssh user key access to
+ ED25519 keys. ED25519 keys were introduced in OpenSSH 6.5 and offers
+ better security with faster performance using a more compact key. It
+ seems using the ED25519 user key also enables using the ED25519 host
+ key at the same time. Which is perfect! That's an excellent upgrade
+ for both security and performance.
+
+ ssh-keygen -t ed25519
+
+ This creates a user key of type ed25519 and will place the files by
+ default in `~/.ssh/id_ed25519.pub` et al. Load this key into your
+ `ssh-agent`.
+
+ ssh-add
+
+ Register this new public key in your "My Account Configuration:
+ Change Authorized Keys" page
+ <https://savannah.gnu.org/my/admin/editsshkeys.php>.
+
+For reference here are the release notes for OpenSSH 8.8. And
+additionally a bug ticket where we have been tracking information
+about this problem.
+
+* <https://www.openssh.com/txt/release-8.8>
+* <https://savannah.nongnu.org/support/?110545>
+
+The above is up top in this document because it is a current problem.
+Below here continues with the previous more general documentation.
+
Short version
-------------
Set up your ssh key by typing in a terminal window on your local machine:
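Review bot: the `Host` line of the new `~/.ssh/config` stanza lists only the git.* names, while the paragraph above it says the breakage affects ssh access to git, svn and hg repositories on vcs0; a user who connects with an svn or hg hostname will never match this stanza, so either add the names those users actually type to the `Host` line or state plainly that workaround 1 as written covers git only. Two smaller points on the same stanza: `PubkeyAcceptedAlgorithms` is the name OpenSSH 8.5 gave to the former `PubkeyAcceptedKeyTypes`, so any client older than 8.5 that reads the same `~/.ssh/config` rejects the line as a bad configuration option (the log message says the author's own newest client is 8.4, which is why it could not be tested); an `IgnoreUnknown PubkeyAcceptedAlgorithms` line placed before it, or a sentence telling 8.4-and-older users to skip the stanza, avoids that. It would also help to say that workaround 1 re-enables the deprecated SHA-1 signature only for the listed hosts and is the stop-gap to remove once vcs0 is upgraded, while workaround 2 is the one to keep.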
@@ -89,7 +145,8 @@
Q: RSA or DSA?
--------------
-We recommend using only RSA keys, not DSA.
+We recommend against using DSA keys. We recommend using ED25519
+keys.
Full details are at [Jim's
page](http://meyering.net/nuke-your-DSA-keys/). In short, on a system
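Review bot: the heading `Q: RSA or DSA?` no longer matches its answer, which now recommends neither of the two choices asked about but ED25519 instead; rename the question (for example `Q: RSA, DSA or ED25519?`) or add a clause saying RSA keys still work but ED25519 is preferred, since the sentence that follows (`Full details are at [Jim's page]`) only explains why DSA keys should go. The two added sentences also read better as one: `We recommend ED25519 keys and recommend against DSA keys.`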