From: "Jeffrey Bouquet"
To: "current"
Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0
Date: Mon, 08 Aug 2016 19:23:50 -0700 (PDT)

Will/could there be some kind of UPDATING announcement re which files explicitly to
switch out/remove/replace/check for etc the deprecated lines and precisely the steps to replace
with new or some other suitable action? Action required for both the sshd and client?
Subdirectories involved? etc... Unclear here, but I don't use SSH hardly yet...
despite having bought the book.

On Mon, 8 Aug 2016 14:57:05 -0700, Devin Teske wrote:
>
> > On Aug 8, 2016, at 12:39 PM, Bernard Spil wrote:
> >
> > Hi Devin,
> >
> > This resource documents the choices pretty well I think
> > https://stribika.github.io/2015/01/04/secure-secure-shell.html
> > Author has made some modifications up to Jan 2016
> > https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md
> >
> > The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa.
> >
> > Even 6.5p1 shipped with 9.3 supports ed25519.
> >
> > Cheers,
> >
> > Bernard.
> >
>
> Thanks for confirming, Bernard!
> --
> Cheers,
> Devin
>
>
> > On 2016-08-08 19:56, Devin Teske wrote:
> >> Which would you use?
> >> ECDSA?
> >> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
> >>
> >> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover
> >> operation", cryptography experts have also expressed concern over the
> >> security of the NIST recommended elliptic curves,[31]
> >>
> >> suggesting a return to encryption based on non-elliptic-curve groups.
> >> ""
> >> Or perhaps RSA? (as des@ recommends)
> >> (not necessarily to Glen but anyone that wants to answer)
> >> --
> >> Devin
> >>> On Aug 4, 2016, at 6:59 PM, Glen Barber wrote:
> >>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH,
> >>> and will be deprecated effective 11.0-RELEASE (and preceding RCs).
> >>> Please see r303716 for details on the relevant commit, but upstream no
> >>> longer considers them secure. Please replace DSA keys with ECDSA or RSA
> >>> keys as soon as possible, otherwise there will be issues when upgrading
> >>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the
> >>> 11.0-RELEASE build.
> >>> Glen
> >>> On behalf of: re@ and secteam@
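
Added example, not part of the original thread or of FreeBSD's own tooling: a shell function that lists the DSA ("ssh-dss") public keys the announcement asks to have replaced, including entries that carry authorized_keys options. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list DSA ("ssh-dss") public keys in
# authorized_keys-style or *.pub files so they can be replaced.

# find_dsa_keys FILE...
# Prints "file:line:comment" for every DSA public-key entry.
find_dsa_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            line = $0
            # Entries may start with options such as command="...". Drop
            # quoted strings so their contents are never read as a key type.
            gsub(/"([^"\\]|\\.)*"/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                # The first field that looks like a key type decides the entry.
                if (f[i] ~ /^(ssh|ecdsa|sk)-/) {
                    if (f[i] ~ /^ssh-dss/)
                        printf "%s:%d:%s\n", FILENAME, FNR, (i + 2 <= n ? f[i + 2] : "-")
                    break
                }
            }
        }' "$@"
}

# Constructed sample input; the key blobs are truncated placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed authorized_keys sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER bob@oldbox
command="echo ssh-dss",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@cron
from="10.0.0.5" ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER carol@legacy
EOF
}

sample=$(mktemp) && write_sample "$sample"
find_dsa_keys "$sample"
rm -f "$sample"
```

Typical inputs are ~/.ssh/authorized_keys, ~/.ssh/*.pub and /etc/ssh/ssh_host_*_key.pub. Entries it reports are the ones to regenerate with a key type suggested in the thread (ed25519 or 4096-bit RSA).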