Date: Wed, 19 Mar 2025 22:20:40 +0100 From: Jan Bramkamp <crest@rlwinm.de> To: freebsd-security@freebsd.org Subject: Re: Heads-up: DSA key support being removed from OpenSSH Message-ID: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> In-Reply-To: <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
On 10.02.25 17:57, Ed Maste wrote: > Upstream OpenSSH has been working on deprecating DSA keys for some > time, and I intend to follow suit in FreeBSD. > > From the OpenSSH 9.8p1 release notes: > > === > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > === > > As part of the update to OpenSSH 9.8p1 I intend to disable DSA key > support at compile time. I intend to make this change in main only, > leaving DSA key support enabled in stable/14 and stable/13. > > The change is a trivial update in config.h -- https://reviews.freebsd.org/D48910 As long as it's "only" a compile-time option away for FreeBSD to enable this flawed cipher I would like to have it compiled in by default so it doesn't require installing SSH from ports to connect to some stupid old router/switch/UPS/whatever over SSH. As long as it won't negotiate that cipher with the default configuration that's safe enough for my needs. TL;DR: Please keep it enabled it at compile-time, but configured disabled. FreeBSD shouldn't require recompiling the base system to connect to older embedded devices.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?76933d66-eff5-4d43-a7a6-98a153e71d77>