Date:      Wed, 19 Mar 2025 23:42:00 +0100
From:      Christian Weisgerber <naddy@mips.inka.de>
To:        freebsd-security@freebsd.org
Subject:   Re: Heads-up: DSA key support being removed from OpenSSH
Message-ID:  <Z9tIOBjs2DgvBhy7@lorvorc.mips.inka.de>
In-Reply-To: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>
References:  <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com> <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>


Jan Bramkamp:

> > This release, and its deactivation of DSA by default at compile-time,
> > marks the second step in our timeline to finally deprecate DSA. The
> > final step of removing DSA support entirely is planned for the first
> > OpenSSH release of 2025.
> 
> As long as it's "only" a compile-time option away for FreeBSD to enable this
> flawed cipher I would like to have it compiled in by default so it doesn't

If OpenSSH upstream stick to the published schedule, version 9.9
that is now in 13-STABLE/14-STABLE/15-CURRENT will be the _final_
release that even includes the DSA code.  That has been announced
for a year.

There is going to be a new OpenSSH release soonish, to coincide
with the as-clockwork OpenBSD release in spring.  I see that the
DSA code has not yet been removed from OpenBSD-current, but I don't
know if that points to a reprieve or is simply an upcoming to-do
item.

> require installing SSH from ports to connect to some stupid old
> router/switch/UPS/whatever over SSH.

I feel your pain.

Host sw0 sw1 sw2
  # '+' appends to the client's default list instead of replacing it
  KexAlgorithms +diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-dss
  Ciphers +aes128-cbc
  # TP-Link JetStream switches drop the connection when offered an ECDSA key
  PreferredAuthentications keyboard-interactive,password

Time to replace those switches, I guess...

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
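The Host block above works because the device's SSH_MSG_KEXINIT proposal has no overlap with a modern client's defaults, so each affected option has to be widened with '+'. The following is an added example (not code from OpenSSH, FreeBSD or anyone in this thread) that parses a KEXINIT payload (RFC 4253 section 7.1), compares it with a stand-in for the client's default lists, and prints the matching Host block. The CLIENT_DEFAULTS table is an assumption approximating OpenSSH 9.x; the real defaults for your client come from `ssh -G <host>`, and the full set it can do at all from `ssh -Q kex`, `ssh -Q key` and `ssh -Q cipher`. The sample payloads are constructed, not captured from any device.

```python
"""Derive the ssh_config '+' overrides a modern OpenSSH client needs for a legacy SSH device."""
import struct

SSH_MSG_KEXINIT = 20

# Assumption: stand-in for a modern OpenSSH client's *default* proposal (roughly 9.x).
# Check the real lists with `ssh -G <host> | grep -iE 'kexalgorithms|hostkeyalgorithms|^ciphers'`.
CLIENT_DEFAULTS = {
    "KexAlgorithms": [
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    ],
    "HostKeyAlgorithms": [
        "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
        "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256",
    ],
    "Ciphers": [
        "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    ],
}

# KEXINIT name-lists in wire order (after the message byte and the 16-byte cookie).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs=("hmac-sha1",), cookie=b"\x00" * 16):
    """Build a server KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        body += _name_list(names)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def _read_name_list(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its name-lists; rejects wrong type and bad trailer."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_name_list(payload, off)
    if len(payload) - off != 5:  # boolean + reserved uint32
        raise ValueError("bad trailer length")
    out["first_kex_packet_follows"] = payload[off] != 0
    return out


def legacy_overrides(server, client_defaults=CLIENT_DEFAULTS, client_supported=None):
    """Map ssh_config option -> names to append with '+'. Options the defaults already
    cover are absent. With client_supported (from `ssh -Q`), a value of None means the
    client cannot do anything the device offers, so no ssh_config setting can help."""
    wanted = {
        "KexAlgorithms": [server["kex_algorithms"]],
        "HostKeyAlgorithms": [server["server_host_key_algorithms"]],
        # 'Ciphers' governs both directions, so each direction needs a common algorithm.
        "Ciphers": [server["encryption_algorithms_client_to_server"],
                    server["encryption_algorithms_server_to_client"]],
    }
    overrides = {}
    for opt, offered_lists in wanted.items():
        needed = []
        for offered in offered_lists:
            if set(offered) & set(client_defaults[opt]):
                continue  # defaults already negotiate this one
            if client_supported is not None:
                offered = [n for n in offered if n in client_supported[opt]]
                if not offered:
                    needed = None
                    break
            needed += [n for n in offered if n not in needed]
        if needed is None or needed:
            overrides[opt] = needed
    return overrides


def render_host_block(host, overrides):
    """Render the per-host ssh_config block in the same shape as the one in the thread."""
    lines = [f"Host {host}"]
    for opt in ("KexAlgorithms", "HostKeyAlgorithms", "Ciphers"):
        if opt not in overrides:
            continue
        if overrides[opt] is None:
            lines.append(f"  # {opt}: no algorithm in common with this client; a config line cannot fix that")
        else:
            lines.append(f"  {opt} +{','.join(overrides[opt])}")
    return "\n".join(lines)


# Constructed sample: an old switch that only offers legacy algorithms.
LEGACY_SWITCH = build_kexinit(kex=["diffie-hellman-group1-sha1"], hostkey=["ssh-dss"],
                              ciphers=["aes128-cbc", "3des-cbc"])
# Constructed sample: a current server that needs no overrides at all.
MODERN_SERVER = build_kexinit(kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
                              ciphers=["chacha20-poly1305@openssh.com"])

if __name__ == "__main__":
    print(render_host_block("sw0 sw1 sw2", legacy_overrides(parse_kexinit(LEGACY_SWITCH))))
    # Assumed `ssh -Q` output of a client built without DSA: '+ssh-dss' can no longer help.
    no_dsa_client = {
        "KexAlgorithms": CLIENT_DEFAULTS["KexAlgorithms"] + ["diffie-hellman-group1-sha1"],
        "HostKeyAlgorithms": CLIENT_DEFAULTS["HostKeyAlgorithms"],
        "Ciphers": CLIENT_DEFAULTS["Ciphers"] + ["aes128-cbc", "3des-cbc"],
    }
    print(render_host_block("sw0", legacy_overrides(parse_kexinit(LEGACY_SWITCH), client_supported=no_dsa_client)))
```

For the legacy sample the first print reproduces the Host block from the message (plus 3des-cbc, which the constructed switch also offers); the second shows the situation the thread is about: once a client is built without ssh-dss, the device's only host key algorithm is simply not available and the override becomes a comment rather than a setting.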



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Z9tIOBjs2DgvBhy7>