Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

From: Devin Teske <dteske_at_freebsd.org>
Date: Mon, 8 Aug 2016 14:57:05 -0700
> On Aug 8, 2016, at 12:39 PM, Bernard Spil <bernard_at_bachfreund.nl> wrote:
> 
> Hi Devin,
> 
> This resource documents the choices pretty well I think
> https://stribika.github.io/2015/01/04/secure-secure-shell.html <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
> Author has made some modifications up to Jan 2016
> https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md <https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md>
> 
> The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa.
> 
> Even 6.5p1 shipped with 9.3 supports ed25519.
> 
> Cheers,
> 
> Bernard.
> 

Thanks for confirming, Bernard!
-- 
Cheers,
Devin


> On 2016-08-08 19:56, Devin Teske wrote:
>> Which would you use?
>> ECDSA?
>> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>
>> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>>
>> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover
>> operation", cryptography experts have also expressed concern over the
>> security of the NIST recommended elliptic curves,[31]
>> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31 <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>>
>> suggesting a return to encryption based on non-elliptic-curve groups.
>> ""
>> Or perhaps RSA? (as des_at_ recommends)
>> (not necessarily to Glen but anyone that wants to answer)
>> --
>> Devin
>>> On Aug 4, 2016, at 6:59 PM, Glen Barber <gjb_at_FreeBSD.org> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH,
>>> and will be deprecated effective 11.0-RELEASE (and preceeding RCs).
>>> Please see r303716 for details on the relevant commit, but upstream no
>>> longer considers them secure.  Please replace DSA keys with ECDSA or RSA
>>> keys as soon as possible, otherwise there will be issues when upgrading
>>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the
>>> 11.0-RELEASE build.
>>> Glen
>>> On behalf of:	re_at_ and secteam_at_
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2
>>> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb
>>> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK
>>> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl
>>> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR
>>> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u
>>> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs
>>> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c
>>> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8
>>> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r
>>> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL
>>> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx
>>> bLbbH2fh5bxDmDXDMdCF
>>> =LLtP
>>> -----END PGP SIGNATURE-----
>>> _______________________________________________
>>> freebsd-announce_at_freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-announce
>>> To unsubscribe, send any mail to "freebsd-announce-unsubscribe_at_freebsd.org"
>> _______________________________________________
>> freebsd-stable_at_freebsd.org <mailto:freebsd-stable_at_freebsd.org> mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-stable <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe_at_freebsd.org <mailto:freebsd-stable-unsubscribe_at_freebsd.org>"
Received on Mon Aug 08 2016 - 19:57:08 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:07 UTC