Date: Wed, 25 Sep 2024 19:24:54 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@FreeBSD.org> To: Colin Percival <cperciva@tarsnap.com> Cc: Shawn Webb <shawn.webb@hardenedbsd.org>, freebsd-arch@freebsd.org, Li-Wen Hsu <lwhsu@freebsd.org>, Ronald Klop <ronald@freebsd.org> Subject: Re: Deprecating RSA ssh host keys in 16 Message-ID: <868qvfy7bt.fsf@ltc.des.dev> In-Reply-To: <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com> (Colin Percival's message of "Wed, 25 Sep 2024 15:19:15 %2B0000") References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk> <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Colin Percival <cperciva@tarsnap.com> writes: > It's still a very helpful data point! I've also had one response from > someone with old IoT systems which only understand RSA host keys, so I > think my proposed timeline of "warn people now that it will be disabled > by default in 16" is the way to go. Why is an IoT system making outbound ssh connections? That's the only way it would ever be aware of another system's host key. Btw, I believe there is either a Bugzilla ticket or a Phabricator review somewhere that makes the list of host key algorithms configurable (and it's trivial to recreate if you can't find it). Oh, and should we perhaps also disable (non-elliptic) DSA host keys? DES --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?868qvfy7bt.fsf>