Date:      Wed, 25 Sep 2024 19:24:54 +0200
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        Colin Percival <cperciva@tarsnap.com>
Cc:        Shawn Webb <shawn.webb@hardenedbsd.org>,  freebsd-arch@freebsd.org, Li-Wen Hsu <lwhsu@freebsd.org>,  Ronald Klop <ronald@freebsd.org>
Subject:   Re: Deprecating RSA ssh host keys in 16
Message-ID:  <868qvfy7bt.fsf@ltc.des.dev>
In-Reply-To: <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com> (Colin Percival's message of "Wed, 25 Sep 2024 15:19:15 +0000")
References:  <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk> <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>

Colin Percival <cperciva@tarsnap.com> writes:
> It's still a very helpful data point!  I've also had one response from
> someone with old IoT systems which only understand RSA host keys, so I
> think my proposed timeline of "warn people now that it will be disabled
> by default in 16" is the way to go.

Why is an IoT system making outbound ssh connections?  That's the only
way it would ever be aware of another system's host key.

Btw, I believe there is either a Bugzilla ticket or a Phabricator review
somewhere that makes the list of host key algorithms configurable (and
it's trivial to recreate if you can't find it).

Oh, and should we perhaps also disable (non-elliptic) DSA host keys?

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
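The message above raises two practical questions for anyone preparing for this change: which legacy host key types (DSA, RSA) a given sshd still loads or offers, and how many RSA or DSA host keys the local clients have already pinned in known_hosts, since only an ssh client that connects outbound ever sees another system's host key. The script below is an added audit example written for this thread; it is not code from Dag-Erling, Colin, the FreeBSD project or OpenSSH. The sshd_config fragment and the known_hosts lines are constructed samples (the key material is placeholder text), and inferring a host key's type from OpenSSH's conventional ssh_host_<type>_key file name is an assumption noted in the code.

```python
"""Audit sshd host key configuration and known_hosts pins for legacy
key types (DSA, RSA).  Added example, not FreeBSD's or OpenSSH's code."""
import re
from collections import Counter

# Constructed sshd_config fragment; not FreeBSD's shipped default file.
SAMPLE_SSHD_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_disabled_key
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,ssh-dss
"""

# Constructed known_hosts lines; the base64 blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line
gateway.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC...
|1|abcdefghijklmnop=|qrstuvwxyz0123456789= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
@cert-authority *.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
sensor-01.iot.example.net ssh-dss AAAAB3NzaC1kc3MAAACBAN...
"""


def parse_sshd_config(text):
    """Return (list of HostKey paths, HostKeyAlgorithms list or None).

    Accepts both 'Keyword value' and 'Keyword=value' forms and skips
    comments.  HostKey is cumulative; for other keywords sshd uses the
    first value it sees, so the first HostKeyAlgorithms wins here too.
    Match blocks are not modelled.
    """
    hostkeys, algos = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "hostkey":
            hostkeys.append(value)
        elif keyword == "hostkeyalgorithms" and algos is None:
            algos = [a.strip() for a in value.split(",") if a.strip()]
    return hostkeys, algos


def host_key_type(path):
    """Infer the key type from the conventional file name (assumption:
    the admin kept OpenSSH's ssh_host_<type>_key naming)."""
    m = re.search(r"ssh_host_(rsa|dsa|ecdsa|ed25519)_key$", path)
    return m.group(1) if m else "unknown"


def audit_sshd_config(text):
    """Flag legacy host key types a server still loads or offers."""
    paths, algos = parse_sshd_config(text)
    types = [host_key_type(p) for p in paths]
    findings = []
    if "dsa" in types:
        findings.append("DSA host key loaded (ssh-dss; off by default in OpenSSH since 7.0)")
    if "rsa" in types:
        findings.append("RSA host key loaded (the type proposed for default-off in FreeBSD 16)")
    for algo in algos or []:
        if algo == "ssh-dss":
            findings.append("HostKeyAlgorithms offers ssh-dss")
        elif algo == "ssh-rsa":
            findings.append("HostKeyAlgorithms offers ssh-rsa (SHA-1 signatures; off by default since OpenSSH 8.8)")
    return {"host_key_types": types, "host_key_algorithms": algos, "findings": findings}


def parse_known_hosts(text):
    """Count pinned host keys by key type.  Handles hashed hostnames
    (|1|...) and @cert-authority / @revoked markers."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        counts[fields[1]] += 1  # hosts, keytype, base64 key[, comment]
    return counts


def audit_known_hosts(text):
    """known_hosts records an RSA key as ssh-rsa whatever signature
    algorithm was negotiated, so ssh-rsa pins are exactly the RSA host
    keys a client would lose when servers stop offering them."""
    counts = parse_known_hosts(text)
    legacy = {k: v for k, v in counts.items() if k in ("ssh-rsa", "ssh-dss")}
    return {"pinned_by_type": dict(counts), "legacy_pins": legacy}


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG)["findings"]:
        print("server:", finding)
    print("client:", audit_known_hosts(SAMPLE_KNOWN_HOSTS))
```

To run this against real files, replace the two sample strings with the contents of /etc/ssh/sshd_config and a user's ~/.ssh/known_hosts; the server side tells you what would change when RSA (or DSA) keys are no longer loaded, and the client side tells you which peers have only a legacy key pinned and will need a fresh key type before the default flips.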