From owner-freebsd-current@freebsd.org Mon Aug 8 21:57:08 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EC1E5BB354C; Mon, 8 Aug 2016 21:57:08 +0000 (UTC) (envelope-from devin@shxd.cx) Received: from shxd.cx (mail.shxd.cx [64.201.244.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DA02D1D01; Mon, 8 Aug 2016 21:57:08 +0000 (UTC) (envelope-from devin@shxd.cx) Received: from 50-196-156-133-static.hfc.comcastbusiness.net ([50.196.156.133]:49779 helo=[10.19.158.225]) by shxd.cx with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1bWra3-000LCL-53; Mon, 08 Aug 2016 20:55:27 +0000 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0 From: Devin Teske In-Reply-To: <33cacfb7366727a725c477959a23e1a8@imap.brnrd.eu> Date: Mon, 8 Aug 2016 14:57:05 -0700 Cc: Glen Barber , FreeBSD Current , freebsd-stable@freebsd.org, owner-freebsd-stable@freebsd.org, Devin Teske Message-Id: <22DB6A66-B8E8-4C13-B3F8-A3B53213E220@freebsd.org> References: <20160805015918.GI43509@FreeBSD.org> <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> <33cacfb7366727a725c477959a23e1a8@imap.brnrd.eu> To: Bernard Spil X-Mailer: Apple Mail (2.2104) Sender: devin@shxd.cx Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Aug 2016 21:57:09 -0000 > On Aug 8, 2016, at 12:39 PM, Bernard Spil = wrote: >=20 > Hi Devin, >=20 > This resource documents the choices pretty well I think > https://stribika.github.io/2015/01/04/secure-secure-shell.html = > Author has made some modifications up to Jan 2016 > = https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-= 01-04-secure-secure-shell.md = >=20 > The short answer then is ed25519 or rsa4096, disable both dsa and = ecdsa. >=20 > Even 6.5p1 shipped with 9.3 supports ed25519. >=20 > Cheers, >=20 > Bernard. >=20 Thanks for confirming, Bernard! --=20 Cheers, Devin > On 2016-08-08 19:56, Devin Teske wrote: >> Which would you use? >> ECDSA? >> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography = >> > >> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover >> operation", cryptography experts have also expressed concern over the >> security of the NIST recommended elliptic curves,[31] >> = > >> suggesting a return to encryption based on non-elliptic-curve groups. >> "" >> Or perhaps RSA? (as des@ recommends) >> (not necessarily to Glen but anyone that wants to answer) >> -- >> Devin >>> On Aug 4, 2016, at 6:59 PM, Glen Barber wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA256 >>> This is a heads-up that OpenSSH keys are deprecated upstream by = OpenSSH, >>> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). >>> Please see r303716 for details on the relevant commit, but upstream = no >>> longer considers them secure. Please replace DSA keys with ECDSA or = RSA >>> keys as soon as possible, otherwise there will be issues when = upgrading >>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely = the >>> 11.0-RELEASE build. >>> Glen >>> On behalf of: re@ and secteam@ >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v2 >>> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb >>> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK >>> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl >>> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR >>> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u >>> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs >>> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c >>> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 >>> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r >>> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL >>> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx >>> bLbbH2fh5bxDmDXDMdCF >>> =3DLLtP >>> -----END PGP SIGNATURE----- >>> _______________________________________________ >>> freebsd-announce@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-announce >>> To unsubscribe, send any mail to = "freebsd-announce-unsubscribe@freebsd.org" >> _______________________________________________ >> freebsd-stable@freebsd.org = mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-stable = >> To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org = "