Date:      Tue, 9 Aug 2016 08:53:06 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-current@freebsd.org
Subject:   Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0
Message-ID:  <a70410b0-b0f2-927c-ef86-07ef73992a11@FreeBSD.org>
In-Reply-To: <E1bWwhq-0003jI-4a@rmm6prod02.runbox.com>
References:  <E1bWwhq-0003jI-4a@rmm6prod02.runbox.com>

On 09/08/2016 03:23, Jeffrey Bouquet wrote:
> Will/could there be some kind of UPDATING announcement re which files
> explicitly to switch out/remove/replace/checkfor etc the deprecated
> lines and precisely the steps to replace with new or some other
> suitable action? Action required for both the sshd and client?
> Subdirectories involved? etc...  Unclear here, but I don't use SSH
> hardly yet... despite having bought the book.

As far as managing sshd on your own systems, you should not need to make
massive changes to the /etc/ssh/sshd_config when upgrading to 11.0 or
12.0 -- the normal mergemaster or etcmerge procedures will probably
cover things.  On an upgraded system, you will still have
/etc/ssh/ssh_host_dsa_key{,.pub} but these will be ignored by sshd and
would not be generated on a new machine.

Optionally, you may choose to replace /etc/ssh/ssh_host_rsa_key{,.pub}
if that key has a short bit-length.

You may find that you get 'Key mismatch' warnings -- ssh may use a
different type of host key on connection to a machine after this update,
and it will alert you if this does not match what it has in
~/ssh/known-hosts from previous connections.  If you're satisfied that
the warning is explained by this configuration change, then you can edit
known-hosts to eliminate the warning message.

As an ssh user, you will need to review the ssh keys you are using, and
what is listed in the ~/.ssh/authorized_keys files of any machines you
want to login to.  You can add a new key of an alternate type in
parallel to your existing keys, and load multiple keys into ssh-agent --
this allows you to phase in a new key with minimal risk that you will
lock yourself out of a remote machine.  Doing this *before* you upgrade
any systems is just common sense.

The default configuration of sshd provided with FreeBSD provides good
security and a good level of interoperability with other ssh
implementations, and you can use it with confidence.  Depending on local
requirements you may want to impose a stricter policy.  In that case,
the following references will be interesting to you:

https://wiki.mozilla.org/Security/Guidelines/OpenSSH
https://stribika.github.io/2015/01/04/secure-secure-shell.html

These are, however, rather more than most people will really find necessary.

	Cheers,

	Matthew
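The key review described above (checking authorized_keys, known_hosts and any leftover host key .pub file for deprecated DSA entries before upgrading), as an added shell example that is not part of the original thread; the sample file contents and key blobs are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example (not from the original thread): audit OpenSSH key files for
# deprecated DSA ("ssh-dss") entries before upgrading. Works on lines from
# ~/.ssh/authorized_keys, ~/.ssh/known_hosts and /etc/ssh/*.pub; it tolerates
# an authorized_keys options prefix and a known_hosts @marker, but not option
# values containing spaces (e.g. command="a b").

# Print "<file>:<line> <label>" for each ssh-dss entry in the file given as $1.
# The label is the key comment if present, otherwise field 1 (host in known_hosts).
dsa_entries() {
    awk -v file="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") {
                    label = (i + 2 <= NF) ? $(i + 2) : $1
                    print file ":" NR " " label
                    break
                }
            }
        }' "$1"
}

# Print the number of ssh-dss entries in $1 as a bare integer.
dsa_count() {
    dsa_entries "$1" | awk 'END { print NR }'
}

# Constructed sample files (key blobs are placeholders, not real keys).
SAMPLE_AUTH=$(mktemp)
cat > "$SAMPLE_AUTH" <<'EOF'
# constructed authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder alice@example.org
ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder bob@example.org
command="/usr/local/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder backup@example.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder carol@example.org
EOF

SAMPLE_KNOWN=$(mktemp)
cat > "$SAMPLE_KNOWN" <<'EOF'
host1.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder
host2.example.org,192.0.2.10 ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder
EOF

dsa_entries "$SAMPLE_AUTH"     # two entries: bob@example.org, backup@example.org
dsa_entries "$SAMPLE_KNOWN"    # one entry: host2.example.org,192.0.2.10
```

Run it against the real files (e.g. `dsa_entries ~/.ssh/authorized_keys`) on each machine you log in to; any entry it reports is a key that sshd will stop accepting after the upgrade and should be replaced with an alternate-type key first.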
