
[Savannah-cvs] [463] Update OpenSSH SHA1 deprecation information and rec


From: bob
Subject: [Savannah-cvs] [463] Update OpenSSH SHA1 deprecation information and recipe
Date: Wed, 23 Mar 2022 17:41:29 -0400 (EDT)

Revision: 463
          
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=463
Author:   rwp
Date:     2022-03-23 17:41:28 -0400 (Wed, 23 Mar 2022)
Log Message:
-----------
Update OpenSSH SHA1 deprecation information and recipe

Modified Paths:
--------------
    trunk/sviki/SshAccess.mdwn

Modified: trunk/sviki/SshAccess.mdwn
===================================================================
--- trunk/sviki/SshAccess.mdwn  2022-03-23 21:41:23 UTC (rev 462)
+++ trunk/sviki/SshAccess.mdwn  2022-03-23 21:41:28 UTC (rev 463)
@@ -6,35 +6,26 @@
 
 OpenSSH 8.8 was released on September 26, 2021 and subsequently has
 been upgraded to by users of Savannah that are also following the
-bleeding edge of development of OpenSSH.  Most users of Stable OS
-software distributions will not yet have that new version and will not
-yet be affected.  In release 8.8 OpenSSH deprecated all use of the
-SHA-1 hash algorithm.  This affects users who are connecting to the
-vcs0 node hosting git, svn, hg repositories using ssh-rsa keys.  (The
-cvs repositories are not affected.)  The root cause being that the
-OpenSSH server on vcs0 is older and still primarily using the SHA-1
-hash algorithm by default for host keys.  Upgrading the services is a
-high priority but there are various entanglements which makes doing
-this immediately and quickly rather hard.  It will take some time.
-Please be patient.
+development of OpenSSH.  Most users of Stable OS software
+distributions will not yet have that new version and will not yet be
+affected.
 
-There two solutions that have been reported to work.  (I have been
-unable to test this myself as my newest OpenSSH is version 8.4, before
-the SHA-1 deprecation.  But these are the success reports.)
+In release 8.8 OpenSSH deprecated all use of the SHA-1 hash algorithm.
+The effects of this can vary depending upon the user's client side ssh
+options configured.  It deprecates the `ssh-rsa` SHA1 signed host
+keys.  If that is the only type of host key that you have cached into
+your `known_hosts` file then it will no longer be recognized and a
+`WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` will be emitted.
 
-1. The first workaround comes from the OpenSSH 8.8 release notes. Provide a 
special client configuration on your system to enable ssh-rsa keys on your 
client for git for Savannah.  The following stanza in your `~/.ssh/config` file 
will enable RSA/SHA1 for host and user authentication for a single destination 
host.  The names (`git.savannah.gnu.org` and the others) listed must match the 
name you are using to connect exactly.  When matching this name then ssh will 
apply the options specified.
+There two working solutions.
 
-        Host git.savannah.gnu.org git.sv.gnu.org git.savannah.nongnu.org 
git.sv.nongnu.org
-            HostkeyAlgorithms +ssh-rsa
-            PubkeyAcceptedAlgorithms +ssh-rsa
+1. The first and best workaround is to upgrade your ssh user key
+   access to ED25519 keys.  ED25519 keys were introduced in OpenSSH
+   6.5 and offers better security with faster performance using a more
+   compact key.  Using the ED25519 user key also enables using the
+   ED25519 host key at the same time.  Which is perfect!  That's an
+   excellent upgrade for both security and performance.
 
-2. The second workaround is to upgrade your ssh user key access to
-   ED25519 keys.  ED25519 keys were introduced in OpenSSH 6.5 and offers
-   better security with faster performance using a more compact key.  It
-   seems using the ED25519 user key also enables using the ED25519 host
-   key at the same time.  Which is perfect!  That's an excellent upgrade
-   for both security and performance.
-
         ssh-keygen -t ed25519
 
    This creates a user key of type ed25519 and will place the files by
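Review bot: the added line `+There two working solutions.` is missing its verb and should read `There are two working solutions.` A second point on this hunk: the rewrite removes the whole explanation of why Savannah in particular is affected (`the OpenSSH server on vcs0 is older and still primarily using the SHA-1 hash algorithm by default for host keys`), so a reader of the new text learns what the warning looks like but not why it appears only for the vcs0 git/svn/hg hosts and not for cvs; consider keeping one sentence of that root-cause paragraph after `will be emitted.` It would also help to state the scope of the deprecation precisely: OpenSSH 8.8 disables RSA signatures made with SHA-1, not RSA keys as such, which is why both the new ED25519 user key in item 1 (which also lets the client accept the server's ED25519 host key) and the former `HostkeyAlgorithms +ssh-rsa` stanza work around it.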
@@ -47,6 +38,19 @@
    Change Authorized Keys" page
    <https://savannah.gnu.org/my/admin/editsshkeys.php>.
 
+2. The second workaround comes from the OpenSSH 8.8 release notes.
+   Provide a special client configuration on your system to enable
+   ssh-rsa keys on your client for ssh for Savannah *once*.  Use the
+   exact hostname of the service you are using.  The example here uses
+   the git server but for svn it would be `svn.savannah.gnu.org` for
+   example.
+
+        ssh -o'HostkeyAlgorithms=+ssh-rsa' 
-o'PubkeyAcceptedAlgorithms=+ssh-rsa' git.savannah.gnu.org
+
+   Having connected once ssh will update to any newer host keys that
+   are available from the server.  This needs to be done only once and
+   then the above workaround can be removed.
+
 For reference here are the release notes for OpenSSH 8.8.  And
 additionally a bug ticket where we have been tracking information
 about this problem.
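Review bot: the sentence `Having connected once ssh will update to any newer host keys that are available from the server` should name the mechanism it relies on, the client's `UpdateHostKeys` option (enabled by default since OpenSSH 8.5, subject to preconditions such as the existing host key already being matched in the user's `known_hosts`), because a user whose known_hosts entry is absent or stale will not get the update and will still need the `+ssh-rsa` options on the next connection. Suggest adding a verification step before `the above workaround can be removed`, e.g. check that an `ssh-ed25519` line for the host now exists in `~/.ssh/known_hosts`. Minor: the command is split across two lines in the source; keep it on one line so it is not pasted as two separate commands, and note that option names are case-insensitive, so `HostkeyAlgorithms` is accepted for `HostKeyAlgorithms`.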



