From: Matthew Seaman
To: freebsd-current@freebsd.org
Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0
Date: Tue, 9 Aug 2016 08:53:06 +0100
On 09/08/2016 03:23, Jeffrey Bouquet wrote:
> Will/could there be some kind of UPDATING announcement re which files
> explicitly to switch out/remove/replace/check for etc. the deprecated
> lines and precisely the steps to replace with new or some other
> suitable action? Action required for both the sshd and client?
> Subdirectories involved? etc... Unclear here, but I don't use SSH
> hardly yet... despite having bought the book.

As far as managing sshd on your own systems, you should not need to make massive changes to the /etc/ssh/sshd_config when upgrading to 11.0 or 12.0 -- the normal mergemaster or etcmerge procedures will probably cover things. On an upgraded system, you will still have /etc/ssh/ssh_host_dsa_key{,.pub}, but these will be ignored by sshd and would not be generated on a new machine. Optionally, you may choose to replace /etc/ssh/ssh_host_rsa_key{,.pub} if that key has a short bit-length.

You may find that you get 'Key mismatch' warnings -- ssh may use a different type of host key on connection to a machine after this update, and it will alert you if this does not match what it has in ~/ssh/known-hosts from previous connections.
If you're satisfied that the warning is explained by this configuration change, then you can edit known-hosts to eliminate the warning message.

As an ssh user, you will need to review the ssh keys you are using, and what is listed in the ~/.ssh/authorized_keys files of any machines you want to log in to. You can add a new key of an alternate type in parallel to your existing keys, and load multiple keys into ssh-agent -- this allows you to phase in a new key with minimal risk that you will lock yourself out of a remote machine. Doing this *before* you upgrade any systems is just common sense.

The default configuration of sshd provided with FreeBSD provides good security and a good level of interoperability with other ssh implementations, and you can use it with confidence. Depending on local requirements you may want to impose a stricter policy. In that case, the following references will be interesting to you:

https://wiki.mozilla.org/Security/Guidelines/OpenSSH
https://stribika.github.io/2015/01/04/secure-secure-shell.html

These are, however, rather more than most people will really find necessary.
Cheers,

Matthew
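The key review Matthew describes (what is in your authorized_keys and known_hosts files, which entries are DSA, and whether any RSA keys have a short bit-length) can be scripted by parsing the public-key blobs directly. This is an added example, not part of the original mail: the 2048-bit threshold is an assumed local policy and the sample lines are constructed, with made-up moduli that are not real keys.

```python
"""Audit authorized_keys / known_hosts lines for DSA keys (ignored by sshd after this
change) and short RSA keys.  Key blobs use the SSH wire format (RFC 4253 s.6.6):
length-prefixed strings, RSA = (type, e, n), DSA = (type, p, q, g, y)."""
import base64

MIN_RSA_BITS = 2048  # assumed local policy for what counts as a "short" RSA key
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # token that names the key type

def _mpint(n: int) -> bytes:  # positive mpint: leading zero byte if the high bit is set
    return n.to_bytes((n.bit_length() + 8) // 8, "big")
def _blob(*fields: bytes) -> str:  # base64 of length-prefixed fields
    return base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).decode()

def parse_blob(b64: str):  # -> (key_type, bits); bits is None for fixed-size curve keys
    data, fields, off = base64.b64decode(b64), [], 0
    while off < len(data):
        n = int.from_bytes(data[off:off + 4], "big")
        fields.append(data[off + 4:off + 4 + n])
        off += 4 + n
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":  # strength is the modulus n
        return ktype, int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":  # strength is the prime p
        return ktype, int.from_bytes(fields[1], "big").bit_length()
    return ktype, None

def audit_line(line: str):  # -> (comment, type, bits, verdict), or None if no key present
    toks = line.split() if not line.lstrip().startswith("#") else []
    for i, tok in enumerate(toks[:-1]):  # options or hostnames may precede the type
        if tok.startswith(KEY_PREFIXES):
            ktype, bits = parse_blob(toks[i + 1])
            comment = " ".join(toks[i + 2:])
            if ktype == "ssh-dss":
                return comment, ktype, bits, "deprecated: DSA keys are ignored by sshd"
            if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
                return comment, ktype, bits, f"short RSA key (< {MIN_RSA_BITS} bits)"
            return comment, ktype, bits, "ok"
    return None

def audit(text: str):
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

# Constructed sample: authorized_keys style lines plus one known_hosts style line;
# the moduli are arbitrary numbers, not real keys
SAMPLE = "\n".join([
    "ssh-rsa " + _blob(b"ssh-rsa", _mpint(65537), _mpint(2**1023 + 12345)) + " old-laptop",
    "ssh-dss " + _blob(b"ssh-dss", _mpint(2**1023 + 1), _mpint(2**159 + 1), _mpint(2), _mpint(3)) + " legacy",
    "ssh-rsa " + _blob(b"ssh-rsa", _mpint(65537), _mpint(2**4095 + 99)) + " workstation",
    "host.example,10.0.0.5 ssh-ed25519 " + _blob(b"ssh-ed25519", b"\x11" * 32),
])
```

Running `audit(open("~/.ssh/authorized_keys").read())` on a real file lists every entry with its type, bit-length and verdict, so the DSA and short-RSA keys to phase out are visible before any system is upgraded.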