[Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information


From: bob
Subject: [Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information
Date: Sun, 10 Oct 2021 16:34:11 -0400 (EDT)

Revision: 451
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=451
Author:   rwp
Date:     2021-10-10 16:34:10 -0400 (Sun, 10 Oct 2021)
Log Message:
-----------
Add OpenSSH 8.8 SHA-1 Deprecation Information

OpenSSH 8.8 deprecated all SHA-1 use by default.  Document how this
affects Savannah users and how to manage the issue.

Modified Paths:
--------------
    trunk/sviki/SshAccess.mdwn

Modified: trunk/sviki/SshAccess.mdwn
===================================================================
--- trunk/sviki/SshAccess.mdwn  2021-10-10 20:34:04 UTC (rev 450)
+++ trunk/sviki/SshAccess.mdwn  2021-10-10 20:34:10 UTC (rev 451)
@@ -1,6 +1,62 @@
 ssh and savannah
 ================
 
+OpenSSH 8.8 SHA-1 Deprecation October 2021
+------------------------------------------
+
+OpenSSH 8.8 was released on September 26, 2021 and subsequently has
+been upgraded to by users of Savannah that are also following the
+bleeding edge of development of OpenSSH.  Most users of Stable OS
+software distributions will not yet have that new version and will not
+yet be affected.  In release 8.8 OpenSSH deprecated all use of the
+SHA-1 hash algorithm.  This affects users who are connecting to the
+vcs0 node hosting git, svn, hg repositories using ssh-rsa keys.  (The
+cvs repositories are not affected.)  The root cause being that the
+OpenSSH server on vcs0 is older and still primarily using the SHA-1
+hash algorithm by default for host keys.  Upgrading the services is a
+high priority but there are various entanglements which makes doing
+this immediately and quickly rather hard.  It will take some time.
+Please be patient.
+
+There two solutions that have been reported to work.  (I have been
+unable to test this myself as my newest OpenSSH is version 8.4, before
+the SHA-1 deprecation.  But these are the success reports.)
+
+1. The first workaround comes from the OpenSSH 8.8 release notes. Provide a 
special client configuration on your system to enable ssh-rsa keys on your 
client for git for Savannah.  The following stanza in your `~/.ssh/config` file 
will enable RSA/SHA1 for host and user authentication for a single destination 
host.  The names (`git.savannah.gnu.org` and the others) listed must match the 
name you are using to connect exactly.  When matching this name then ssh will 
apply the options specified.
+
+        Host git.savannah.gnu.org git.sv.gnu.org git.savannah.nongnu.org 
git.sv.nongnu.org
+            HostkeyAlgorithms +ssh-rsa
+            PubkeyAcceptedAlgorithms +ssh-rsa
+
+2. The second workaround is to upgrade your ssh user key access to
+   ED25519 keys.  ED25519 keys were introduced in OpenSSH 6.5 and offers
+   better security with faster performance using a more compact key.  It
+   seems using the ED25519 user key also enables using the ED25519 host
+   key at the same time.  Which is perfect!  That's an excellent upgrade
+   for both security and performance.
+
+        ssh-keygen -t ed25519
+
+   This creates a user key of type ed25519 and will place the files by
+   default in `~/.ssh/id_ed25519.pub` et al.  Load this key into your
+   `ssh-agent`.
+
+        ssh-add
+
+   Register this new public key in your "My Account Configuration:
+   Change Authorized Keys" page
+   <https://savannah.gnu.org/my/admin/editsshkeys.php>.
+
+For reference here are the release notes for OpenSSH 8.8.  And
+additionally a bug ticket where we have been tracking information
+about this problem.
+
+* <https://www.openssh.com/txt/release-8.8>
+* <https://savannah.nongnu.org/support/?110545>
+
+The above is up top in this document because it is a current problem.
+Below here continues with the previous more general documentation.
+
 Short version
 -------------
 Set up your ssh key by typing in a terminal window on your local machine:
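Review bot: the sentence "It seems using the ED25519 user key also enables using the ED25519 host key at the same time" presents a guess as fact and conflates two separate negotiations; this hunk's own first workaround already treats them separately (`HostkeyAlgorithms +ssh-rsa` for the host key, `PubkeyAcceptedAlgorithms +ssh-rsa` for the user key). Reword to what was actually observed: an 8.8 client that no longer accepts the server's ssh-rsa host key negotiates another host key type the server offers, and the ED25519 user key avoids the ssh-rsa signature for user authentication; users should be told to verify the fingerprint of the newly presented host key rather than accept it blindly. Two smaller points: "deprecated all use of the SHA-1 hash algorithm" overstates the change in the linked 8.8 release notes, which disable the ssh-rsa signature scheme by default (RSA keys as such are not removed), and workaround 1 should be labelled explicitly as temporary, to be deleted from `~/.ssh/config` once vcs0 is upgraded, since it re-enables a SHA-1 signature scheme for those hosts.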
@@ -89,7 +145,8 @@
 
 Q: RSA or DSA?
 --------------
-We recommend using only RSA keys, not DSA.
+We recommend against using DSA keys.  We recommend using ED25519
+keys.
 
 Full details are at [Jim's
 page](http://meyering.net/nuke-your-DSA-keys/). In short, on a system
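Review bot: the heading "Q: RSA or DSA?" no longer matches its answer now that the recommendation is ED25519; rename it (for example "Q: RSA, DSA or ED25519?") and merge the two short sentences into one, e.g. "We recommend ED25519 keys; do not use DSA keys." The paragraph that follows still only explains why DSA is bad, so add a clause saying why ED25519 is preferred over RSA here (the reason is in the new section at the top of the same page: OpenSSH 8.8 clients disable the ssh-rsa signature scheme), otherwise a reader who lands on this FAQ entry alone will not know.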



