[arch-dev-public] News item for openssh-7.0p1-1
Hi,

I'd like to suggest the following piece of news to be posted when openssh-7.0p1-1 lands in [core]:

The new openssh-7.0p1 release deprecates certain types of SSH keys that are now considered vulnerable. For details, see the [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122....).

Before updating and restarting sshd on remote hosts, if you rely on SSH keys for authentication, please make sure that you have a recent key pair set up, or alternative means of logging in (such as using password authentication).

-- Gaetan
Gaetan Bisson <bisson@archlinux.org> on Thu, 2015/08/13 00:03:
Hi,
I'd like to suggest the following piece of news to be posted when openssh-7.0p1-1 lands in [core]:
The new openssh-7.0p1 release deprecates certain types of SSH keys that are now considered vulnerable. For details, see the [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122....).
Before updating and restarting sshd on remote hosts, if you rely on SSH keys for authentication, please make sure that you have a recent key pair set up, or alternative means of logging in (such as using password authentication).
This does not only apply to public key authentication but to host keys as well. Do we want to add a note about that?

Old algorithms can be used when explicitly enabling them, though... ;)

The systemd unit sshdgenkeys.service still generates a dsa host key. Do we want to change that?

-- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
[2015-08-12 23:15:34 +0200] Christian Hesse:
Gaetan Bisson <bisson@archlinux.org> on Thu, 2015/08/13 00:03:
Hi,
I'd like to suggest the following piece of news to be posted when openssh-7.0p1-1 lands in [core]:
The new openssh-7.0p1 release deprecates certain types of SSH keys that are now considered vulnerable. For details, see the [upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122....).
Before updating and restarting sshd on remote hosts, if you rely on SSH keys for authentication, please make sure that you have a recent key pair set up, or alternative means of logging in (such as using password authentication).
This does not only apply to public key authentication but to host keys as well. Do we want to add a note about that?
If updating your openssh client breaks connectivity to an old SSH server, that's fine, you can just roll back the openssh client, fix things, and update later. The only issue is updating servers.

But host keys are not a problem because sshdgenkeys.service generates all key types. If a user deliberately chose to only trust a DSS key (by default, it would have been RSA keys) then they just have to "blindly" trust a key of another type to connect to the updated server. That does not sound like a big issue to me.

Cheers.

-- Gaetan
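The pre-update check both messages imply, as an added example that is not part of this thread or of the Arch packaging: it reports ssh-dss entries in authorized_keys- and known_hosts-style files and any DSA host key in an sshd key directory, so a non-DSA key can be set up before sshd is restarted. File names and key blobs in the demo are constructed placeholders.

```sh
#!/bin/sh
# Pre-update audit for the ssh-dss deprecation in openssh-7.0. Finds DSA
# entries in authorized_keys- and known_hosts-style files and DSA host keys
# in an sshd key directory, so another key type can be set up before sshd is
# restarted. All sample data below is constructed for the demo.

# Print every non-comment line of $1 whose key-type token is ssh-dss.
# Both file formats carry the key type as a whitespace-separated token
# (after any options in authorized_keys, after the host field in known_hosts),
# so the token is matched directly rather than decoding the base64 blob.
dss_entries() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "ssh-dss") { print; break } }' "$1"
}

# Number of ssh-dss entries in $1 (prints a bare integer, 0 if none).
count_dss_entries() {
    dss_entries "$1" | wc -l | tr -d ' '
}

# List private host-key paths under directory $1 whose public half is ssh-dss.
# These are the keys a client that pinned only the DSA host key will lose.
dss_host_keys() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        if [ "$(awk '{ print $1; exit }' "$pub")" = "ssh-dss" ]; then
            printf '%s\n' "${pub%.pub}"
        fi
    done
}

# Demo on a constructed layout (placeholder key blobs, not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAconstructed alice@laptop' \
    'ssh-dss AAAAB3NzaC1kc3MAAAconstructed bob@oldbox' \
    '# ssh-dss in a comment must not count' > "$demo_dir/authorized_keys"
printf '%s\n' \
    'git.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed' \
    'legacy.example ssh-dss AAAAB3NzaC1kc3MAAAconstructed' > "$demo_dir/known_hosts"
printf 'ssh-dss AAAAB3NzaC1kc3MAAAconstructed root@legacy\n' > "$demo_dir/ssh_host_dsa_key.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAconstructed root@legacy\n' > "$demo_dir/ssh_host_rsa_key.pub"

echo "DSA user keys: $(count_dss_entries "$demo_dir/authorized_keys")"   # 1
echo "DSA known hosts: $(count_dss_entries "$demo_dir/known_hosts")"     # 1
echo "DSA host keys:"; dss_host_keys "$demo_dir"                           # .../ssh_host_dsa_key
rm -rf "$demo_dir"
```

Run it against a real host with `count_dss_entries ~/.ssh/authorized_keys` and `dss_host_keys /etc/ssh`; any hit means that key will stop working once the updated sshd is restarted unless another key type is in place.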