Gentoo Forums
SSH dropping support for DSA
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

Posted: Fri Aug 14, 2015 3:30 pm    Post subject: SSH dropping support for DSA

How can I check to see what type of SSH keys I'm using and switch to ed25519?


Code:
# eselect news read 33
2015-08-13-openssh-weak-keys
  Title                     OpenSSH 7.0 disables ssh-dss keys by default
  Author                    Mike Frysinger <vapier@gentoo.org>
  Posted                    2015-08-13
  Revision                  1

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
been disabled by default at runtime due to their inherit weakness.  If
you rely on these key types, you will have to take corrective action or
risk being locked out.

Your best option is to generate new keys using strong algos such as rsa
or ecdsa or ed25519.  RSA keys will give you the greatest portability
with other clients/servers while ed25519 will get you the best security
with OpenSSH (but requires recent versions of client & server).

If you are stuck with DSA keys, you can re-enable support locally by
updating your sshd_config and ~/.ssh/config files with lines like so:
   PubkeyAcceptedKeyTypes=+ssh-dss

Be aware though that eventually OpenSSH will drop support for DSA keys
entirely, so this is only a stop gap solution.

More details can be found on OpenSSH's website:
   http://www.openssh.com/legacy.html
YetiBarBar
Guru


Joined: 23 Dec 2005
Posts: 532

Posted: Fri Aug 14, 2015 7:01 pm

The default id file is named by ssh using the scheme:
Code:
id_protocol

For example, I have two files in my ~/.ssh folder: id_rsa and id_ed25519
Another way to check this is to read the associated pub key.

Code:
me @ home (20:54) % cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwT8HiKDIrPSLmxQT+zGtJZmLRDITEP0ZUyoYZY4JxWhLvIYUNVHy+As1DtYkUb6RPi0DgebccmblyktEjhobtG8w5k+B3Meoba3URUXHArhnJJTijhPgIEHkoQNjaNqloxdV2R/zsoha8h9E0Ae/UBU1rfJ8IoKqxZJhXx9y9a0u0dcClFA8WAtTxZiOzrukzMPTt7cRQccs7P6zR4POYwktuQQ4g5/Y2Pk0QEa50G4s3oI41p0OWPMK7F5FUSrRxhoKuJWfUfHyI+imbD1OmDJjUEfGEUG+0fszUSjKTXOOXMiFHfXYZwOlG9voXPj2hY+Jx2mXcZaQtSvPGCJo3 me@home


Code:
me @ home (20:54) % cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCXOQAJ6+V6FBZVVvNsED9WZF3V6+2ZCzPtBDWf3032 me@home


To generate a new key using ed25519:
Code:
ssh-keygen -t ed25519
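The check described in the reply above (reading the type field of each public key), as an added example that is not part of the original thread: it runs over every `*.pub` file and `authorized_keys` in a directory and flags `ssh-dss` entries. The function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# List the algorithm of every SSH public key in a directory and flag ssh-dss,
# which OpenSSH 7.0 disables by default. Function names are illustrative.

# Print one key type per key line of a file (id_*.pub or authorized_keys).
# authorized_keys lines may begin with options, so take the first field that
# is a known type name and is followed by a base64 blob ("AAAA...").
key_types() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^AAAA/) { print $i; next }
            print "unknown"
        }' "$1"
}

# Print "<status> <type> <file>" per key; return 1 if any ssh-dss key is found.
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    found_dsa=0
    for f in "$dir"/*.pub "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        for t in $(key_types "$f"); do
            case $t in
                ssh-dss) echo "REPLACE $t $f"; found_dsa=1 ;;
                unknown) echo "CHECK $t $f" ;;
                *)       echo "ok $t $f" ;;
            esac
        done
    done
    return "$found_dsa"
}

# Demo on constructed sample data (blobs are truncated placeholders, not keys).
demo() {
    d=$(mktemp -d) || return 2
    echo 'ssh-dss AAAAB3NzaC1kc3M-constructed old@host' > "$d/id_dsa.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed new@host' > "$d/id_ed25519.pub"
    printf '%s\n' '# constructed authorized_keys' \
        'no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2E-constructed a@b' \
        'ssh-dss AAAAB3NzaC1kc3M-constructed c@d' > "$d/authorized_keys"
    rc=0; audit_ssh_dir "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `audit_ssh_dir` with no argument to scan `~/.ssh` on a client, or point it at an account's `.ssh` directory on a server to find `authorized_keys` entries that need replacing before the DSA fallback is removed.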