27 lines
1.1 KiB
Text
27 lines
1.1 KiB
Text
Title: OpenSSH 7.0 disables ssh-dss keys by default
|
|
Author: Mike Frysinger <vapier@gentoo.org>
|
|
Content-Type: text/plain
|
|
Posted: 2015-08-13
|
|
Revision: 1
|
|
News-Item-Format: 1.0
|
|
Display-If-Installed: net-misc/openssh
|
|
|
|
Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
|
|
been disabled by default at runtime due to their inherit weakness. If
|
|
you rely on these key types, you will have to take corrective action or
|
|
risk being locked out.
|
|
|
|
Your best option is to generate new keys using strong algos such as rsa
|
|
or ecdsa or ed25519. RSA keys will give you the greatest portability
|
|
with other clients/servers while ed25519 will get you the best security
|
|
with OpenSSH (but requires recent versions of client & server).
|
|
|
|
If you are stuck with DSA keys, you can re-enable support locally by
|
|
updating your sshd_config and ~/.ssh/config files with lines like so:
|
|
PubkeyAcceptedKeyTypes=+ssh-dss
|
|
|
|
Be aware though that eventually OpenSSH will drop support for DSA keys
|
|
entirely, so this is only a stop gap solution.
|
|
|
|
More details can be found on OpenSSH's website:
|
|
http://www.openssh.com/legacy.html
|