From: bob
Subject: [Savannah-cvs] [463] Update OpenSSH SHA1 deprecation information and recipe
Date: Wed, 23 Mar 2022 17:41:29 -0400 (EDT)
Revision: 463
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=463
Author: rwp
Date: 2022-03-23 17:41:28 -0400 (Wed, 23 Mar 2022)
Log Message:
-----------
Update OpenSSH SHA1 deprecation information and recipe
Modified Paths:
--------------
trunk/sviki/SshAccess.mdwn
Modified: trunk/sviki/SshAccess.mdwn
===================================================================
--- trunk/sviki/SshAccess.mdwn 2022-03-23 21:41:23 UTC (rev 462)
+++ trunk/sviki/SshAccess.mdwn 2022-03-23 21:41:28 UTC (rev 463)
@@ -6,35 +6,26 @@
OpenSSH 8.8 was released on September 26, 2021 and subsequently has
been upgraded to by users of Savannah that are also following the
-bleeding edge of development of OpenSSH. Most users of Stable OS
-software distributions will not yet have that new version and will not
-yet be affected. In release 8.8 OpenSSH deprecated all use of the
-SHA-1 hash algorithm. This affects users who are connecting to the
-vcs0 node hosting git, svn, hg repositories using ssh-rsa keys. (The
-cvs repositories are not affected.) The root cause being that the
-OpenSSH server on vcs0 is older and still primarily using the SHA-1
-hash algorithm by default for host keys. Upgrading the services is a
-high priority but there are various entanglements which makes doing
-this immediately and quickly rather hard. It will take some time.
-Please be patient.
+development of OpenSSH. Most users of Stable OS software
+distributions will not yet have that new version and will not yet be
+affected.
-There two solutions that have been reported to work. (I have been
-unable to test this myself as my newest OpenSSH is version 8.4, before
-the SHA-1 deprecation. But these are the success reports.)
+In release 8.8 OpenSSH deprecated all use of the SHA-1 hash algorithm.
+The effects of this can vary depending upon the user's client side ssh
+options configured. It deprecates the `ssh-rsa` SHA1 signed host
+keys. If that is the only type of host key that you have cached into
+your `known_hosts` file then it will no longer be recognized and a
+`WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` will be emitted.
-1. The first workaround comes from the OpenSSH 8.8 release notes. Provide a
special client configuration on your system to enable ssh-rsa keys on your
client for git for Savannah. The following stanza in your `~/.ssh/config` file
will enable RSA/SHA1 for host and user authentication for a single destination
host. The names (`git.savannah.gnu.org` and the others) listed must match the
name you are using to connect exactly. When matching this name then ssh will
apply the options specified.
+There two working solutions.
- Host git.savannah.gnu.org git.sv.gnu.org git.savannah.nongnu.org
git.sv.nongnu.org
- HostkeyAlgorithms +ssh-rsa
- PubkeyAcceptedAlgorithms +ssh-rsa
+1. The first and best workaround is to upgrade your ssh user key
+ access to ED25519 keys. ED25519 keys were introduced in OpenSSH
+ 6.5 and offers better security with faster performance using a more
+ compact key. Using the ED25519 user key also enables using the
+ ED25519 host key at the same time. Which is perfect! That's an
+ excellent upgrade for both security and performance.
-2. The second workaround is to upgrade your ssh user key access to
- ED25519 keys. ED25519 keys were introduced in OpenSSH 6.5 and offers
- better security with faster performance using a more compact key. It
- seems using the ED25519 user key also enables using the ED25519 host
- key at the same time. Which is perfect! That's an excellent upgrade
- for both security and performance.
-
ssh-keygen -t ed25519
This creates a user key of type ed25519 and will place the files by
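Review bot: "There two working solutions." in the new text is missing "are" (the old line "There two solutions that have been reported to work." had the same slip); suggest "There are two working solutions." Also, this hunk drops the old explanation of the root cause (the OpenSSH server on vcs0 is older and still uses SHA-1 signed host keys by default, and the cvs repositories are not affected), so the new text only says that 8.8 "deprecated all use of the SHA-1 hash algorithm"; consider keeping one sentence on why Savannah specifically is affected, since a reader choosing between the two workarounds needs to know that the server side is the limiting factor and that the server already offers an ED25519 host key. Minor precision point: 8.8 disables the `ssh-rsa` signature algorithm (RSA with SHA-1), not RSA keys as such; RSA keys keep working against servers that support the rsa-sha2-256/rsa-sha2-512 signatures, which is what "The effects of this can vary" alludes to and could be stated directly.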
@@ -47,6 +38,19 @@
Change Authorized Keys" page
<https://savannah.gnu.org/my/admin/editsshkeys.php>.
+2. The second workaround comes from the OpenSSH 8.8 release notes.
+ Provide a special client configuration on your system to enable
+ ssh-rsa keys on your client for ssh for Savannah *once*. Use the
+ exact hostname of the service you are using. The example here uses
+ the git server but for svn it would be `svn.savannah.gnu.org` for
+ example.
+
+ ssh -o'HostkeyAlgorithms=+ssh-rsa'
-o'PubkeyAcceptedAlgorithms=+ssh-rsa' git.savannah.gnu.org
+
+ Having connected once ssh will update to any newer host keys that
+ are available from the server. This needs to be done only once and
+ then the above workaround can be removed.
+
For reference here are the release notes for OpenSSH 8.8. And
additionally a bug ticket where we have been tracking information
about this problem.
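Review bot: the claim "Having connected once ssh will update to any newer host keys that are available from the server" depends on the client's `UpdateHostKeys` option, which is enabled by default only since OpenSSH 8.5 and is skipped under some conditions (for example when the host key was matched in the global known_hosts file rather than the user's); suggest stating that dependency or adding `-o UpdateHostKeys=yes` to the one-time command, and telling the reader to confirm that `~/.ssh/known_hosts` now holds an ed25519 entry for the host before removing the `+ssh-rsa` options. `PubkeyAcceptedAlgorithms=+ssh-rsa` is only needed while the user key is still RSA; a user who followed workaround 1 can omit it, which is worth saying since the two workarounds are presented as alternatives. Style: the man page spelling is `HostKeyAlgorithms`; ssh matches keywords case-insensitively so `HostkeyAlgorithms` works, but the documentation would be easier to cross-reference with the canonical spelling.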