[arch-dev-public] News item for openssh-7.0p1-1

Gaetan Bisson bisson at archlinux.org
Thu Aug 13 03:34:07 UTC 2015


[2015-08-12 20:24:07 +0200] Jens Adam:
> Thu, 13 Aug 2015 00:03:59 +0900
> Gaetan Bisson <bisson at archlinux.org>:
> 
> > Hi,
> > 
> > I'd like to suggest the following piece of news to be posted when
> > openssh-7.0p1-1 lands in [core]:
> > 
> > 
> > The new openssh-7.0p1 release deprecates certain types of SSH keys
> > that are now considered vulnerable. For details, see the
> > [upstream
> > announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).
> > 
> > Before updating and restarting sshd on remote hosts, if you rely on
> > SSH keys for authentication, please make sure that you have a recent
> > key pair set up, or alternative means of logging in (such as using
> > password authentication).
> 
> Perhaps you could clarify that this only affects people using ssh-dss
> keys for authentication and how to check for them, e.g. "use 'grep
> ssh-dss ~/.ssh/{known_hosts,authorized_keys*,*.pub}' to find legacy
> keys".

Oh, sure. Here's a new proposal:


The new `openssh-7.0p1` release deprecates keys of `ssh-dss` type (also
known as DSA) in light of recently discovered vulnerabilities. For
details, see the
[upstream announcement](http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html).

Before updating and restarting sshd on remote hosts, make sure you do
not rely solely on DSA keys for connecting to it. You may enumerate DSA
keys that allow connecting to a remote account with:

	grep ssh-dss ~/.ssh/authorized_keys

If you have any, ensure you have alternative means of logging in (such
as a key pair of a different type, or password authentication).

Note that host keys of `ssh-dss` type are also deprecated; if you were
relying on them to connect to a server, after updating it, you will have
to confirm the fingerprint of a key of another type to reconnect.


-- 
Gaetan
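
An added example, not part of the original message or of the Arch news item: the `grep` above also matches comment lines that mention `ssh-dss`, and it does not say whether non-DSA keys exist alongside the DSA ones. The sketch below parses each `authorized_keys` entry (skipping any leading options) and reports whether the file has no DSA keys, a mix, or only DSA keys. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify authorized_keys entries by key type instead of
# matching the string "ssh-dss" anywhere on the line.

# count_key_types FILE -> prints "dsa=N other=M"
count_key_types() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            # Options may precede the key type, so scan for the first field
            # that is followed by a base64 key blob (these start with AAAA).
            for (i = 1; i < NF; i++) {
                if ($(i + 1) ~ /^AAAA/) {
                    if ($i ~ /^ssh-dss(-cert-v01@openssh\.com)?$/) { dsa++ } else { other++ }
                    break
                }
            }
        }
        END { printf "dsa=%d other=%d\n", dsa, other }
    ' "$1"
}

# dsa_status FILE -> prints one of: none, mixed, dsa-only
dsa_status() {
    counts=$(count_key_types "$1") || return 1
    dsa=${counts#dsa=}; dsa=${dsa%% *}
    other=${counts##*other=}
    if [ "$dsa" -eq 0 ]; then echo none
    elif [ "$other" -eq 0 ]; then echo dsa-only
    else echo mixed
    fi
}

# Constructed sample file contents (key blobs are truncated placeholders).
sample_authorized_keys() {
    cat <<'EOF'
# laptop key, replaces my old ssh-dss one
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholder user@laptop
from="192.0.2.10",command="/usr/bin/backup run" ssh-dss AAAAB3NzaC1kc3MAAACBConstructedPlaceholder backup@nas
EOF
}

# Usage when run directly: sh audit.sh ~/.ssh/authorized_keys
if [ -n "${1:-}" ] && [ -r "${1:-}" ]; then
    echo "$1: $(count_key_types "$1") -> $(dsa_status "$1")"
fi
```

A result of `dsa-only` is the case the news item warns about: key-based login to that account stops working once the server runs the new sshd, unless another login method is in place.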