[Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information

From: bob
Subject: [Savannah-cvs] [451] Add OpenSSH 8.8 SHA-1 Deprecation Information
Date: Sun, 10 Oct 2021 16:34:11 -0400 (EDT)

Revision: 451
Author:   rwp
Date:     2021-10-10 16:34:10 -0400 (Sun, 10 Oct 2021)
Log Message:
Add OpenSSH 8.8 SHA-1 Deprecation Information

OpenSSH 8.8 deprecated all SHA-1 use by default.  Document how this
affects Savannah users and how to manage the issue.

Modified Paths:

Modified: trunk/sviki/SshAccess.mdwn
--- trunk/sviki/SshAccess.mdwn  2021-10-10 20:34:04 UTC (rev 450)
+++ trunk/sviki/SshAccess.mdwn  2021-10-10 20:34:10 UTC (rev 451)
@@ -1,6 +1,62 @@
 ssh and savannah
+OpenSSH 8.8 SHA-1 Deprecation October 2021
+OpenSSH 8.8 was released on September 26, 2021 and subsequently has
+been upgraded to by users of Savannah that are also following the
+bleeding edge of development of OpenSSH.  Most users of Stable OS
+software distributions will not yet have that new version and will not
+yet be affected.  In release 8.8 OpenSSH deprecated all use of the
+SHA-1 hash algorithm.  This affects users who are connecting to the
+vcs0 node hosting git, svn, hg repositories using ssh-rsa keys.  (The
+cvs repositories are not affected.)  The root cause being that the
+OpenSSH server on vcs0 is older and still primarily using the SHA-1
+hash algorithm by default for host keys.  Upgrading the services is a
+high priority but there are various entanglements which makes doing
+this immediately and quickly rather hard.  It will take some time.
+Please be patient.
+There two solutions that have been reported to work.  (I have been
+unable to test this myself as my newest OpenSSH is version 8.4, before
+the SHA-1 deprecation.  But these are the success reports.)
+1. The first workaround comes from the OpenSSH 8.8 release notes. Provide a 
special client configuration on your system to enable ssh-rsa keys on your 
client for git for Savannah.  The following stanza in your `~/.ssh/config` file 
will enable RSA/SHA1 for host and user authentication for a single destination 
host.  The names (`` and the others) listed must match the 
name you are using to connect exactly.  When matching this name then ssh will 
apply the options specified.
+        Host
+            HostkeyAlgorithms +ssh-rsa
+            PubkeyAcceptedAlgorithms +ssh-rsa
+2. The second workaround is to upgrade your ssh user key access to
+   ED25519 keys.  ED25519 keys were introduced in OpenSSH 6.5 and offers
+   better security with faster performance using a more compact key.  It
+   seems using the ED25519 user key also enables using the ED25519 host
+   key at the same time.  Which is perfect!  That's an excellent upgrade
+   for both security and performance.
+        ssh-keygen -t ed25519
+   This creates a user key of type ed25519 and will place the files by
+   default in `~/.ssh/` et al.  Load this key into your
+   `ssh-agent`.
+        ssh-add
+   Register this new public key in your "My Account Configuration:
+   Change Authorized Keys" page
+   <>.
+For reference here are the release notes for OpenSSH 8.8.  And
+additionally a bug ticket where we have been tracking information
+about this problem.
+* <>
+* <>
+The above is up top in this document because it is a current problem.
+Below here continues with the previous more general documentation.
 Short version
 Set up your ssh key by typing in a terminal window on your local machine:
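Review bot: the `Host` line in the added `~/.ssh/config` stanza has no host pattern after it, and the sentence introducing it refers to "The names (`` and the others)" with the names themselves missing, so a reader who copies the stanza gets a config that matches nothing; fill in the actual vcs0 host name in both places before this goes live. Two further points on the same stanza: `PubkeyAcceptedAlgorithms` is the OpenSSH 8.5+ spelling of the keyword (older clients know it as `PubkeyAcceptedKeyTypes`), which is worth a parenthetical since the text says the author's own client is 8.4; and it would help to state explicitly that the `+ssh-rsa` lines re-enable SHA-1 signatures and should stay scoped to this one `Host` block rather than being set globally. In the ED25519 workaround, the default key file name after "`~/.ssh/`" is cut off, and the "My Account Configuration" link and the two reference links at the end are empty `<>` placeholders that still need their URLs. Minor wording: "There two solutions" should read "There are two solutions", and "ED25519 keys ... and offers" should be "offer".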
@@ -89,7 +145,8 @@
 Q: RSA or DSA?
-We recommend using only RSA keys, not DSA.
+We recommend against using DSA keys.  We recommend using ED25519
 Full details are at [Jim's
 page]( In short, on a system
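Review bot: the replacement line "We recommend using ED25519" has no terminating period and now sits under a question that still reads "Q: RSA or DSA?", while the following sentence ("Full details are at Jim's page ... In short, on a system") continues the old RSA-versus-DSA discussion; either update the question to mention ED25519 as well, or add a sentence bridging from the ED25519 recommendation to the RSA/DSA details that follow so the answer reads coherently.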