[arch-dev-public] News item for openssh-7.0p1-1

Gaetan Bisson bisson at archlinux.org
Thu Aug 13 03:20:35 UTC 2015

[2015-08-12 23:15:34 +0200] Christian Hesse:
> Gaetan Bisson <bisson at archlinux.org> on Thu, 2015/08/13 00:03:
> > Hi,
> > 
> > I'd like to suggest the following piece of news to be posted when
> > openssh-7.0p1-1 lands in [core]:
> > 
> > 
> > The new openssh-7.0p1 release deprecates certain types of SSH keys that
> > are now considered vulnerable. For details, see the
> > [upstream
> > announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).
> > 
> > Before updating and restarting sshd on remote hosts, if you rely on SSH
> > keys for authentication, please make sure that you have a recent key
> > pair set up, or alternative means of logging in (such as using password
> > authentication).
> This does not only apply for public key authentication but for host keys as
> well. Do we want to add a note about that?

If updating your openssh client breaks connectivity to an old SSH
server, that's fine, you can just roll back the openssh client, fix
things, and update later.

The only issue is updating servers. But host keys are not a problem
because sshdgenkeys.service generates all key types. If a user
deliberately chose to only trust a DSS key (by default, it would have
been RSA keys) then they just have to "blindly" trust a key of another
type to connect to the updated server. That does not sound like a big
issue to me.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20150813/f9f9ed38/attachment.asc>

More information about the arch-dev-public mailing list