From owner-freebsd-stable@freebsd.org Mon Aug 8 19:48:54 2016 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5B23BB2663; Mon, 8 Aug 2016 19:48:54 +0000 (UTC) (envelope-from bernard@bachfreund.nl) Received: from smtp02.qsp.nl (smtp02.qsp.nl [193.254.214.163]) by mx1.freebsd.org (Postfix) with ESMTP id 7F0021AB5; Mon, 8 Aug 2016 19:48:53 +0000 (UTC) (envelope-from bernard@bachfreund.nl) Received: from smtp02.qsp.nl (localhost [127.0.0.1]) by smtp02.qsp.nl (Postfix) with ESMTP id 91F56FD034; Mon, 8 Aug 2016 21:39:49 +0200 (CEST) Received: from mail.brnrd.eu (unknown [193.164.217.85]) by smtp02.qsp.nl (Postfix) with ESMTP; Mon, 8 Aug 2016 21:39:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=brnrd.eu; h=date:from:to:subject:message-id; s=default; bh=aaFY9D09n7L8ajP6KSpy3WLrzjW3VI4YP478qJmNsjY=; b=z/RHds0AoY6HAuDGFy11+9nTCpEQfrLyQi1OczCivktd+TubX8PEwz0GVnzwJrzF2peW8pGfjVUk88ZYxc0EvxOpQe5Z7kXLjFCsyYrelB0HmTzgXOBSl/hAZ+AcMvkZay0Pre4qKl4meHxFPKQszA3rRdM/fQi8ULKWUNqzd657s5fCPfumNJQ4v+0yzNBE59QWJ4OtVRzr7PC4A+UL7DKBOhKKa4+UAqaUDMW9BRXDYtG7mK7dIo8l6PwRsNq9wxh2oB+QvMQ3OEv6FxaIa9uLZVXtj51AAaTo5kB1Nes9DBs0rhMKDLu2AyifDXeZHai++e5gbeOhRpTsuFYgAg== Received: by bachfreund.nl (OpenSMTPD) with ESMTPSA id 498a1894 TLS version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO; Mon, 8 Aug 2016 21:39:48 +0200 (CEST) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Mon, 08 Aug 2016 21:39:48 +0200 From: Bernard Spil To: Devin Teske Cc: Glen Barber , FreeBSD Current , freebsd-stable@freebsd.org, owner-freebsd-stable@freebsd.org Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0 In-Reply-To: <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> References: <20160805015918.GI43509@FreeBSD.org> <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> Message-ID: <33cacfb7366727a725c477959a23e1a8@imap.brnrd.eu> X-Sender: bernard@bachfreund.nl User-Agent: Roundcube Webmail/1.2.0 X-Virus-Scanned: clamav at smtp02 X-Spam-Status: No, score=0.1 required=5.0 tests=DKIM_SIGNED,T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on svfilter04.qsp.nl X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Aug 2016 19:48:54 -0000 Hi Devin, This resource documents the choices pretty well I think https://stribika.github.io/2015/01/04/secure-secure-shell.html Author has made some modifications up to Jan 2016 https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa. Even 6.5p1 shipped with 9.3 supports ed25519. Cheers, Bernard. On 2016-08-08 19:56, Devin Teske wrote: > Which would you use? > > ECDSA? > > https://en.wikipedia.org/wiki/Elliptic_curve_cryptography > > > "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover > operation", cryptography experts have also expressed concern over the > security of the NIST recommended elliptic curves,[31] > > suggesting a return to encryption based on non-elliptic-curve groups. > "" > > Or perhaps RSA? (as des@ recommends) > > (not necessarily to Glen but anyone that wants to answer) > -- > Devin > > >> On Aug 4, 2016, at 6:59 PM, Glen Barber wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> This is a heads-up that OpenSSH keys are deprecated upstream by >> OpenSSH, >> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). >> >> Please see r303716 for details on the relevant commit, but upstream no >> longer considers them secure. Please replace DSA keys with ECDSA or >> RSA >> keys as soon as possible, otherwise there will be issues when >> upgrading >> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the >> 11.0-RELEASE build. >> >> Glen >> On behalf of: re@ and secteam@ >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2 >> >> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb >> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK >> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl >> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR >> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u >> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs >> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c >> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 >> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r >> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL >> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx >> bLbbH2fh5bxDmDXDMdCF >> =LLtP >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-announce@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-announce >> To unsubscribe, send any mail to >> "freebsd-announce-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "freebsd-stable-unsubscribe@freebsd.org"