From nobody Sat May 10 19:46:18 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZvxFX5PTdz5vl7W
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Sat, 10 May 2025 19:46:24 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mx-01.divo.sbone.de (mx-01.divo.sbone.de [IPv6:2003:a:140a:2200:6:594:fffe:19])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature ECDSA (prime256v1) client-digest SHA256)
	(Client CN "mx-01.divo.sbone.de", Issuer "E5" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZvxFX0YWgz3nhV;
	Sat, 10 May 2025 19:46:24 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=zabbadoz.net header.s=20240622 header.b=TceaD3kU;
	spf=pass (mx1.freebsd.org: domain of bzeeb-lists@lists.zabbadoz.net designates 2003:a:140a:2200:6:594:fffe:19 as permitted sender) smtp.mailfrom=bzeeb-lists@lists.zabbadoz.net;
	dmarc=pass (policy=none) header.from=zabbadoz.net
Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:1025])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256)
	(No client certificate requested)
	by mx-01.divo.sbone.de (Postfix) with ESMTPS id A7AFCA64805;
	Sat, 10 May 2025 19:46:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=zabbadoz.net;
	s=20240622; t=1746906380;
	bh=PKoesdmub72bJXnckr0GFgK7N60b3d+W5uK0Dga9uiU=;
	h=Date:From:To:cc:Subject:In-Reply-To:References;
	b=TceaD3kUzD96yBMs4S/QscT36C0D9qoUlPdOUUAjHl3d+QcBWKGU+oyttPqHJw6Ro
	 dafSfbgyPjPvYnuZi8EqaGMqiteVWiDSuwkvA6J8173y9+16azI6e3KlzG+y0B9FXJ
	 I5oGR/N3lcUM1HQOwfIK14TEjh1v4tn70Q6k4MECZGOF3BcBRWaKkaLd9hDB9ymRsN
	 jobAvXK7tUlvg5IWbk2kE08CC+kMUSoMkB7O2813G0WjXskIljnHpNkc9BA+AWwFWT
	 veRSg6VKR9+e6p2tEOtH5qGqtcvBi2aA0R4XPe3TT8bIoDvGm6fzyJhHzUgtfGeeyf
	 xPneQCRAsEdImbK/MGwuldJt8b5AE4iTp9+wN00RLuWM6voqRXIHZIfVsA6f496vhE
	 JexDiumLca0Dvrlaayzs4LdYZHaAxgb5LJOGnPpqqYJhJkx7DoM/QVnV4nXhRqtfU1
	 UnhoXwwAPb1gFgz7eUuxm48CYY+luPeIaAIpZ6vWeGnOtswj2W7QZ+bi5q5a8LsXV2
	 /DC41joc4zID3rqm4tmkU7hdUAEZuWITGDRw50ondUbF3n8q5eLUYMLofV42/vnnLt
	 2E/AotgGYkVZHU0bbo1e0K5Pg4ey3MgyifNLPx77OjR7u4ZT8fXpWIvEEpOyul9a0v
	 bXCtspk++nGDLaqMTKcfZ/cQ=
Received: from content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.sbone.de (Postfix) with ESMTPS id 5D0DE2D029E0;
	Sat, 10 May 2025 19:46:22 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sbone.de
Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:4902:0:7404:2:1025])
	by content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742]) (amavisd-new, port 10024)
	with ESMTP id FDegGVWj9fq7; Sat, 10 May 2025 19:46:21 +0000 (UTC)
Received: from strong-rtwn0.sbone.de (strong-rtwn0.sbone.de [IPv6:fde9:577b:c1a9:4902:3e64:cfff:fe55:bc80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.sbone.de (Postfix) with ESMTPSA id 4CC4B2D029D8;
	Sat, 10 May 2025 19:46:21 +0000 (UTC)
Date: Sat, 10 May 2025 19:46:18 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Ed Maste <emaste@freebsd.org>
cc: freebsd-security@freebsd.org
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
In-Reply-To: <CAPyFy2AezDiYDU+iAkvCUz9T-rrhCxYKxgpG2d8ADXw9AL3D8w@mail.gmail.com>
Message-ID: <263908r7-69n4-48n0-22oo-pr1sn1p87779@yvfgf.mnoonqbm.arg>
References: <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com> <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> <CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A@mail.gmail.com> <p992nn1n-p9n2-s64o-9666-o5on62nnor7s@yvfgf.mnoonqbm.arg>
 <1a1ceefc-ed0b-4602-b250-2a407dd7dbd1@mtasv.net> <CAPyFy2AezDiYDU+iAkvCUz9T-rrhCxYKxgpG2d8ADXw9AL3D8w@mail.gmail.com>
X-OpenPGP-Key-Id: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-Rspamd-Queue-Id: 4ZvxFX0YWgz3nhV
X-Spamd-Bar: ---
X-Spamd-Result: default: False [-3.88 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-0.99)[-0.991];
	NEURAL_HAM_SHORT(-0.89)[-0.891];
	DMARC_POLICY_ALLOW(-0.50)[zabbadoz.net,none];
	R_DKIM_ALLOW(-0.20)[zabbadoz.net:s=20240622];
	R_SPF_ALLOW(-0.20)[+ip6:2003:a:140a:2200:6:594:fffe:19:c];
	MIME_GOOD(-0.10)[text/plain];
	TO_DN_SOME(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	ARC_NA(0.00)[];
	MIME_TRACE(0.00)[0:+];
	MISSING_XM_UA(0.00)[];
	ASN(0.00)[asn:3320, ipnet:2003::/19, country:DE];
	RCPT_COUNT_TWO(0.00)[2];
	RCVD_COUNT_THREE(0.00)[4];
	FROM_HAS_DN(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	DKIM_TRACE(0.00)[zabbadoz.net:+]

On Tue, 15 Apr 2025, Ed Maste wrote:

Hi,

just replying to the last email in the thread.

> On Thu, 10 Apr 2025 at 19:21, Dr Jim Allen
> <mail.lists@phinetworksystems.co.uk> wrote:
>>
>>
>> Two things.
>>
>> a) Why remove the build config option?
>> I know the code is being removed at some point, but until it is, why not
>> leave it as a option (defaulted off)?
>
> There's no user-facing interface to run upstream's configure script as
> part of the FreeBSD build system, so enabling DSA in the FreeBSD base
> system already required having a patched tree. Committing this removal
> now has no user-facing impact, but means that we can separately decide
> what to merge to stable branches: in particular, it is possible for us
> to merge 10.0p2 to stable branches with DSA support still present.

You have to love OpenBSD folks.  They don't even make it graceful:

(made a sample config after hitting it for demonstration purposes)

~/.ssh/config line 6: Bad key types '+ssh-rsa,ssh-dss'.
~/.ssh/config: terminating, 1 bad configuration options

You need to edit all your config down and remove the now invalid key
type or you cannot ssh out to anything anymore. Could have ignored that
Host entry and be done...  Ed, I think it warrents an UPDATING entry...

That also means dedicated config files for main vs. stable machines for
the grace period we have to still be able to use an older version...
or concatenate two files depending on freebsd-version -u or other magic
as ssh -F they only accept the last given opntion as well and not
multiple.  *sigh*

I assume alias ssh-dss ssh -F ~/.ssh/config.dss or similar will do the
jobs for now.

/bz

-- 
Bjoern A. Zeeb                                                     r15:7

From nobody Sun May 11 11:20:05 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZwKz23MYmz5vjtZ
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Sun, 11 May 2025 11:20:14 +0000 (UTC)
	(envelope-from void@f-m.fm)
Received: from fout-a2-smtp.messagingengine.com (fout-a2-smtp.messagingengine.com [103.168.172.145])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZwKz10vDnz3mGZ
	for <freebsd-security@freebsd.org>; Sun, 11 May 2025 11:20:13 +0000 (UTC)
	(envelope-from void@f-m.fm)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=f-m.fm header.s=fm3 header.b="jdHbkH/7";
	dkim=pass header.d=messagingengine.com header.s=fm3 header.b=fJeIVUk9;
	spf=pass (mx1.freebsd.org: domain of void@f-m.fm designates 103.168.172.145 as permitted sender) smtp.mailfrom=void@f-m.fm;
	dmarc=pass (policy=none) header.from=f-m.fm
Received: from phl-compute-05.internal (phl-compute-05.phl.internal [10.202.2.45])
	by mailfout.phl.internal (Postfix) with ESMTP id A76AD13801BE
	for <freebsd-security@freebsd.org>; Sun, 11 May 2025 07:20:12 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-05.internal (MEProxy); Sun, 11 May 2025 07:20:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=f-m.fm; h=cc
	:content-type:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:subject
	:subject:to:to; s=fm3; t=1746962412; x=1747048812; bh=9WfTwSFQFY
	87N+NqO13LuCW3WPHwJqOP86N3sQcezUo=; b=jdHbkH/7L9zCqxQtsBCCfexxjs
	fgAdR5XtlzQ5rwrrma7NZteCVzL+qVXhB1kw0X6Mm30GNUas9Kc6yT13OMgkxHbQ
	woWhBhS3j/5YdVolzY9LLNeIUUXMOO8lIM576bwOYpo/I0T5thaLUjxrQwQwUkbw
	WEejMnerDruj4iB8EAIMudB4iADLTY+fPbp0jfU17w4AG6MAWcvHrS082YPI+KAW
	SDbwMntQxgV7XgVAiqtOiFapqUScM7Nl67WSKcl/NpfSogKVQvpQqyoV2hH9A/nh
	CrFUllM/AIJYf8ZzrtBjRKm2LQUniKIZija12Ee8DgnuAxliHU+OP448MnaA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=
	1746962412; x=1747048812; bh=9WfTwSFQFY87N+NqO13LuCW3WPHwJqOP86N
	3sQcezUo=; b=fJeIVUk9s33Nj+8xF28Oh9kjYrXlcpboYzQ9FcuX+Bl0vqOEvhi
	TbtgD+pc9Rw5Wg5793CKm5fVH0HgeaqxkQ0A/S/GaHTUAsa9PqZa+ouuuqLhxFcU
	STJa9OVzMj8XkLY32Vo8dxRmCN71P9M1WKrMtGKpilm/UXeE6c5LmRyg+qr2gx8n
	mGQGcXZ7cfNUI6NltyjoQyOjeUQkjPlQRKqZsgjKbAoDmGozreqsEgfFiWq3htux
	cYDbBg0XXCZ3ulA8fiLNDY2NGhxTLo/VttE5oJUQbfX0GPFzxnj/K9P1QehoxO/V
	m2PtMC18kDk/GmcO+8VpFHWVFdSkeSliwqQ==
X-ME-Sender: <xms:7IcgaJuLi17mswHAoT5FlhQV0dsUa4-JKu_m53Cf6PugOKaVkNlIvA>
    <xme:7IcgaCfPsQVklpMNkUP7MbW3QYivXbToSWlkexiD4ifvTrgutxZQz69w25eI2daRa
    rLiIz8YiCoYIYWiPA>
X-ME-Received: <xmr:7IcgaMyVJu6tIgjYRZbJlBs78RZ_rxl6TwFU1qa1WwKVLjyQ3Mif-XoRGGUSwJP7LyDTv0w9>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvleekvdegucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
    pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhf
    fvuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepvhhoihguuceovhhoihgusehf
    qdhmrdhfmheqnecuggftrfgrthhtvghrnhepkeeluddvlefhieelfefggffhffektdehle
    elgfdugfdvgeekjeejuddtheehgfeunecuvehluhhsthgvrhfuihiivgeptdenucfrrghr
    rghmpehmrghilhhfrhhomhepvhhoihgusehfqdhmrdhfmhdpnhgspghrtghpthhtohepud
    dpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepfhhrvggvsghsugdqshgvtghurhhi
    thihsehfrhgvvggsshgurdhorhhg
X-ME-Proxy: <xmx:7IcgaAN89lW6l4GSUh1AntRbgTzuhuV2GjHL3Kw5GBDNKXNxFWxVGw>
    <xmx:7IcgaJ9DZTZxUPX5XLyWCwsPuiMeezd5iVnYuJgXnOP6RNskpxMLog>
    <xmx:7IcgaAVBWd1Gw3PAeIuNZzNHgv7Cs62XObpRfAXuT8eGXkxD2pCuAQ>
    <xmx:7IcgaKe-pChr8CN5CtqmEizE1WZNNW7uoBqAzNh8e-GYo2Vsha7ywg>
    <xmx:7IcgaHdLdeFTWOv6NrQNX7REGtsAZvyEHh4TEO5u7CuZkzhpgGh4izMG>
Feedback-ID: i2541463c:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <freebsd-security@freebsd.org>; Sun, 11 May 2025 07:20:12 -0400 (EDT)
Date: Sun, 11 May 2025 12:20:05 +0100
From: void <void@f-m.fm>
To: freebsd-security@freebsd.org
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
Message-ID: <aCCH5VSOgkX1dpOT@int21h>
Mail-Followup-To: freebsd-security@freebsd.org
References: <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com>
 <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>
 <CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A@mail.gmail.com>
 <p992nn1n-p9n2-s64o-9666-o5on62nnor7s@yvfgf.mnoonqbm.arg>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <p992nn1n-p9n2-s64o-9666-o5on62nnor7s@yvfgf.mnoonqbm.arg>
X-Rspamd-Queue-Id: 4ZwKz10vDnz3mGZ
X-Spamd-Bar: /
X-Spamd-Result: default: False [0.80 / 15.00];
	NEURAL_SPAM_LONG(1.00)[0.998];
	NEURAL_SPAM_MEDIUM(1.00)[0.997];
	MID_RHS_NOT_FQDN(0.50)[];
	DMARC_POLICY_ALLOW(-0.50)[f-m.fm,none];
	RWL_MAILSPIKE_EXCELLENT(-0.40)[103.168.172.145:from];
	R_DKIM_ALLOW(-0.20)[f-m.fm:s=fm3,messagingengine.com:s=fm3];
	R_SPF_ALLOW(-0.20)[+ip4:103.168.172.128/27];
	NEURAL_HAM_SHORT(-0.19)[-0.192];
	RCVD_IN_DNSWL_LOW(-0.10)[103.168.172.145:from];
	MIME_GOOD(-0.10)[text/plain];
	ARC_NA(0.00)[];
	RCVD_COUNT_THREE(0.00)[3];
	FREEMAIL_ENVFROM(0.00)[f-m.fm];
	MIME_TRACE(0.00)[0:+];
	RCPT_COUNT_ONE(0.00)[1];
	FROM_HAS_DN(0.00)[];
	FREEMAIL_FROM(0.00)[f-m.fm];
	RCVD_TLS_LAST(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
	ASN(0.00)[asn:209242, ipnet:103.168.172.0/24, country:US];
	DWL_DNSWL_NONE(0.00)[messagingengine.com:dkim];
	MISSING_XM_UA(0.00)[];
	TO_DN_NONE(0.00)[];
	DKIM_TRACE(0.00)[f-m.fm:+,messagingengine.com:+]

On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb wrote:
>
>Is there any chance to keep an openssh (client) port (possibly with known
>security risks)?

+1 to this. Just the client. Maybe call it openssh-vuln? 

I can appreciate it being removed in base, in server. But there's
lots of otherwise-working gear around that only uses
ssh-dss or ssh-rsa. We only need the client.

-- 

From nobody Sun May 11 16:10:35 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZwSWR1r0Rz5w537
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Sun, 11 May 2025 16:15:15 +0000 (UTC)
	(envelope-from naddy@mips.inka.de)
Received: from mail.inka.de (mail.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZwSWP403Rz3dWW
	for <freebsd-security@freebsd.org>; Sun, 11 May 2025 16:15:13 +0000 (UTC)
	(envelope-from naddy@mips.inka.de)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=pass (mx1.freebsd.org: domain of naddy@mips.inka.de designates 2a04:c9c7:0:1073:217:a4ff:fe3b:e77c as permitted sender) smtp.mailfrom=naddy@mips.inka.de;
	dmarc=none
Received: from mips.inka.de (naddy@[127.0.0.1])
	by mail.inka.de with uucp (rmailwrap 0.5) 
	id 1uE9KS-0091jG-IO;
	Sun, 11 May 2025 18:15:04 +0200
Received: from lorvorc.mips.inka.de (localhost [127.0.0.1])
	by lorvorc.mips.inka.de (8.18.1/8.18.1) with ESMTP id 54BGAZKe043764
	for <freebsd-security@freebsd.org>; Sun, 11 May 2025 18:10:35 +0200 (CEST)
	(envelope-from naddy@lorvorc.mips.inka.de)
Received: (from naddy@localhost)
	by lorvorc.mips.inka.de (8.18.1/8.18.1/Submit) id 54BGAZSI043763
	for freebsd-security@freebsd.org; Sun, 11 May 2025 18:10:35 +0200 (CEST)
	(envelope-from naddy)
Date: Sun, 11 May 2025 18:10:35 +0200
From: Christian Weisgerber <naddy@mips.inka.de>
To: freebsd-security@freebsd.org
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
Message-ID: <aCDL-2e0qe995uG3@lorvorc.mips.inka.de>
References: <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com>
 <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>
 <CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A@mail.gmail.com>
 <p992nn1n-p9n2-s64o-9666-o5on62nnor7s@yvfgf.mnoonqbm.arg>
 <aCCH5VSOgkX1dpOT@int21h>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aCCH5VSOgkX1dpOT@int21h>
X-Rspamd-Queue-Id: 4ZwSWP403Rz3dWW
X-Spamd-Bar: ++
X-Spamd-Result: default: False [2.15 / 15.00];
	NEURAL_SPAM_LONG(1.00)[1.000];
	NEURAL_SPAM_SHORT(0.84)[0.838];
	NEURAL_SPAM_MEDIUM(0.61)[0.609];
	R_SPF_ALLOW(-0.20)[+mx];
	MIME_GOOD(-0.10)[text/plain];
	ARC_NA(0.00)[];
	ASN(0.00)[asn:202113, ipnet:2a04:c9c7::/32, country:DE];
	FREEFALL_USER(0.00)[naddy];
	MIME_TRACE(0.00)[0:+];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	MISSING_XM_UA(0.00)[];
	R_DKIM_NA(0.00)[];
	RCVD_COUNT_THREE(0.00)[3];
	RCPT_COUNT_ONE(0.00)[1];
	TO_DN_NONE(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
	DMARC_NA(0.00)[inka.de];
	FROM_HAS_DN(0.00)[]

void:

> +1 to this. Just the client. Maybe call it openssh-vuln?
> 
> I can appreciate it being removed in base, in server. But there's
> lots of otherwise-working gear around that only uses
> ssh-dss or ssh-rsa. We only need the client.

ssh-rsa, i.e. RSA keys with a signature algorithm that uses SHA-1,
is still supported in the latest OpenSSH, even if disabled by
default.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de