Date: Mon, 08 Aug 2016 19:23:50 -0700 (PDT) From: "Jeffrey Bouquet" <jbtakk@iherebuywisely.com> To: "current" <current@freebsd.org> Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0 Message-ID: <E1bWwhq-0003jI-4a@rmm6prod02.runbox.com> In-Reply-To: <22DB6A66-B8E8-4C13-B3F8-A3B53213E220@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Will/could there be some kind of UPDATING announcement re which files expli= citly to=20 switch out/remove/replace/checkfor etc the deprecated lines and precisely t= he steps to replace with new or some other suitable action? Action required for both= the sshd and client? Subdirectories involved? etc... Unclear here, but I don't use SSH = hardly yet... despite having bought the book. On Mon, 8 Aug 2016 14:57:05 -0700, Devin Teske <dteske@freebsd.org> wrote: >=20 > > On Aug 8, 2016, at 12:39 PM, Bernard Spil <bernard@bachfreund.nl> wrote: > >=20 > > Hi Devin, > >=20 > > This resource documents the choices pretty well I think > > https://stribika.github.io/2015/01/04/secure-secure-shell.html <https:/= /stribika.github.io/2015/01/04/secure-secure-shell.html> > > Author has made some modifications up to Jan 2016 > > https://github.com/stribika/stribika.github.io/commits/master/_posts/20= 15-01-04-secure-secure-shell.md <https://github.com/stribika/stribika.githu= b.io/commits/master/_posts/2015-01-04-secure-secure-shell.md> > >=20 > > The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa. > >=20 > > Even 6.5p1 shipped with 9.3 supports ed25519. > >=20 > > Cheers, > >=20 > > Bernard. > >=20 >=20 > Thanks for confirming, Bernard! > --=20 > Cheers, > Devin >=20 >=20 > > On 2016-08-08 19:56, Devin Teske wrote: > >> Which would you use? > >> ECDSA? > >> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography <https://en.= wikipedia.org/wiki/Elliptic_curve_cryptography> > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography <https://en= .wikipedia.org/wiki/Elliptic_curve_cryptography>> > >> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover > >> operation", cryptography experts have also expressed concern over the > >> security of the NIST recommended elliptic curves,[31] > >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-3= 1 <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>>; > >> suggesting a return to encryption based on non-elliptic-curve groups. > >> "" > >> Or perhaps RSA? (as des@ recommends) > >> (not necessarily to Glen but anyone that wants to answer) > >> -- > >> Devin > >>> On Aug 4, 2016, at 6:59 PM, Glen Barber <gjb@FreeBSD.org> wrote: > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA256 > >>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenS= SH, > >>> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). > >>> Please see r303716 for details on the relevant commit, but upstream no > >>> longer considers them secure. Please replace DSA keys with ECDSA or = RSA > >>> keys as soon as possible, otherwise there will be issues when upgradi= ng > >>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the > >>> 11.0-RELEASE build. > >>> Glen > >>> On behalf of: re@ and secteam@ > >>> -----BEGIN PGP SIGNATURE----- > >>> Version: GnuPG v2 > >>> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb > >>> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK > >>> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl > >>> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR > >>> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u > >>> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs > >>> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c > >>> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 > >>> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r > >>> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL > >>> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx > >>> bLbbH2fh5bxDmDXDMdCF > >>> =3DLLtP > >>> -----END PGP SIGNATURE----- > >>> _______________________________________________ > >>> freebsd-announce@freebsd.org mailing list > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-announce > >>> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebs= d.org" > >> _______________________________________________ > >> freebsd-stable@freebsd.org <mailto:freebsd-stable@freebsd.org> mailing= list > >> https://lists.freebsd.org/mailman/listinfo/freebsd-stable <https://lis= ts.freebsd.org/mailman/listinfo/freebsd-stable> > >> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.o= rg <mailto:freebsd-stable-unsubscribe@freebsd.org>" >=20 > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1bWwhq-0003jI-4a>