From: Ed Maste
Date: Mon, 10 Feb 2025 11:57:34 -0500
Subject: Heads-up: DSA key support being removed from OpenSSH
To: FreeBSD Current, freebsd-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Upstream OpenSSH has been working on deprecating DSA keys for some time, and I intend to follow suit in FreeBSD. From the OpenSSH 9.8p1 release notes:

===
OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries.

This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025.
===

As part of the update to OpenSSH 9.8p1 I intend to disable DSA key support at compile time. I intend to make this change in main only, leaving DSA key support enabled in stable/14 and stable/13. The change is a trivial update in config.h -- https://reviews.freebsd.org/D48910
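An added example (not from Ed Maste's message or from the OpenSSH or FreeBSD projects) of the pre-migration check an administrator would run before a build with DSA compiled out lands: it scans authorized_keys, known_hosts and .pub files for ssh-dss entries and asks the installed ssh whether it still accepts that key type. It assumes a POSIX sh with awk; the sample key lines are constructed and truncated.

```shell
#!/bin/sh
# Added example, not code from Ed Maste's message or from OpenSSH/FreeBSD.
# Once DSA is compiled out, every "ssh-dss" key simply stops being usable,
# so find them before the update rather than after the first failed login.

# Print the key-type token of every public key line on stdin. Each field is
# scanned, so authorized_keys option prefixes and known_hosts host fields are
# skipped rather than parsed. Certificates (-cert-v01@openssh.com) count too.
key_types() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+)(-cert-v01@openssh\.com)?$/) {
                    print $i; next
                }
        }'
}

# Number of DSA keys on stdin (plain ssh-dss keys or ssh-dss certificates).
count_dsa() {
    key_types | awk '/^ssh-dss/ { n++ } END { print n + 0 }'
}

# Report DSA keys per file (e.g. /etc/ssh/ssh_host_*_key.pub ~/.ssh/*.pub
# ~/.ssh/authorized_keys ~/.ssh/known_hosts); skips missing/unreadable files.
report_dsa() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=$(count_dsa < "$f")
        [ "$n" -gt 0 ] && printf '%s: %s DSA key(s) will stop working\n' "$f" "$n"
    done
    return 0
}

# Does the installed ssh still accept ssh-dss? "ssh -Q key" lists the key
# types this build supports. Prints yes, no, or unknown (no ssh installed).
ssh_dss_supported() {
    command -v ssh >/dev/null 2>&1 || { echo unknown; return 0; }
    if ssh -Q key 2>/dev/null | grep -qx ssh-dss; then echo yes; else echo no; fi
}

# Constructed sample input (truncated, non-functional key blobs): an
# authorized_keys line with options, a user key, and two known_hosts lines.
SAMPLE='# constructed test data
command="/bin/true",no-pty ssh-dss AAAAB3NzaC1kc3MAAACB... legacy@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... modern@host
example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
[example.org]:2222 ssh-dss AAAAB3NzaC1kc3MAAACB...'

printf 'DSA keys in sample: %s\n' "$(printf '%s\n' "$SAMPLE" | count_dsa)"
printf 'installed ssh accepts ssh-dss: %s\n' "$(ssh_dss_supported)"
```

Run `report_dsa /etc/ssh/ssh_host_*_key.pub ~/.ssh/*.pub ~/.ssh/authorized_keys ~/.ssh/known_hosts` on a real host to list the files that need new keys.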