Bob Proulx
2020-Feb-23 00:06 UTC
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
I am trying to understand the details of the deprecation notice. Because I am getting people asking me questions. And I don't know the answer. Therefore I am pushing the boulder uphill and asking here. :-)

Damien Miller wrote:
> Future deprecation notice
> ========================
>
> It is now possible[1] to perform chosen-prefix attacks against the
> SHA-1 algorithm for less than USD$50K. For this reason, we will be
> disabling the "ssh-rsa" public key signature algorithm by default in a
> near-future release.

Clear enough. "ssh-rsa" is being deprecated. If we see "ssh-rsa" in our authorized_keys file we should migrate away from it. Gotcha. I assume this is for both user keys and for host keys so the same would apply to the known_hosts file too.

  grep ssh-rsa ~/.ssh/authorized_keys && echo Deprecation Warning: Time to upgrade!

> This algorithm is unfortunately still used widely despite the
> existence of better alternatives, being the only remaining public key
> signature algorithm specified by the original SSH RFCs.
>
> The better alternatives include:
>
> * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
>   algorithms have the advantage of using the same key type as
>   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
>   supported since OpenSSH 7.2 and are already used by default if the
>   client and server support them.

Hmm... "ssh-rsa" is okay if we are using other than SHA-1 signature hashes. Hmm... But, but, but... "ssh-rsa" is being deprecated! As stated just in the previous paragraph! Cognitive Dissonance!

Could these statements be clarified for the poor feeble minded folks like myself that are not deeply knowledgeable about the internals and are looking for a way to know if we need to take action or do not need to take action. At least enough to answer the questions other users are asking me about what this actually means and whether they need to take action or not.

Thanks!
Bob
Jochen Bern
2020-Feb-23 02:34 UTC
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
On 02/23/2020 01:06 AM, Bob Proulx wrote:
[...]
> Clear enough. "ssh-rsa" is being deprecated. If we see "ssh-rsa"
> in our authorized_keys file we should migrate away from it. Gotcha.
[...]
> Hmm... "ssh-rsa" is okay if we are using other than SHA-1 signature
> hashes. Hmm... But, but, but... "ssh-rsa" is being deprecated! As
> stated just in the previous paragraph! Cognitive Dissonance!
>
> Could these statements be clarified for the poor feeble minded folks
[...]

I was confused in pretty much the same way - until I shoved a suitably old RSA keypair onto a freshly installed machine and did an "ssh -vvv -i $THE_OLD_PRIVKEY localhost":

[...]
> debug2: we sent a publickey packet, wait for reply
[...]
> debug3: sign_and_send_pubkey: signing using rsa-sha2-256
> debug3: send packet: type 50
> debug3: receive packet: type 52
> debug1: Authentication succeeded (publickey).
[...]

Then I ran "ssh-keygen -t rsa-sha2-256 ...", and lo:

> $ sed -e 's/ .* / ... /' .ssh/id_rsa.pub
> ssh-rsa ... Jochen.Bern at Binect.de

My conclusion (pending smiting by the actual experts on this list ;-) : An RSA *keypair* is *just* RSA until the moment it gets used, while a *certificate* is *signed in its creation*, which pinpoints a hash function *therein* once and for all; note how the up-to-date ssh-keygen manpage gives a list of keywords for the "-t" option that includes only "rsa", and then continues to mention "rsa-sha2-256" and "rsa-sha2-512" *for certificate creation*.

(I'm nonetheless urging the local users to create new *RSA and ed25519* keypairs on this occasion, the latter as a failsafe if some then "olden-style RSA" should one day go the way of sudden blacklisting, and a new RSA keypair per my how-to so that they'll have one with *all three* boosts to security (-b ... -a ... -m RFC4716).)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Robert-Koch-Straße 9
64331 Weiterstadt
Colin Watson
2020-Feb-23 11:28 UTC
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
On Sat, Feb 22, 2020 at 05:06:29PM -0700, Bob Proulx wrote:
> Damien Miller wrote:
> > Future deprecation notice
> > ========================
> >
> > It is now possible[1] to perform chosen-prefix attacks against the
> > SHA-1 algorithm for less than USD$50K. For this reason, we will be
> > disabling the "ssh-rsa" public key signature algorithm by default in a
> > near-future release.
>
> Clear enough. "ssh-rsa" is being deprecated. If we see "ssh-rsa"
> in our authorized_keys file we should migrate away from it. Gotcha.
> I assume this is for both user keys and for host keys so the same
> would apply to the known_hosts file too.
>
>   grep ssh-rsa ~/.ssh/authorized_keys && echo Deprecation Warning: Time to upgrade!

No, the deprecation notice is talking about the key signature algorithm, not the key type. SSH clients and servers agree a key signature algorithm as part of their protocol negotiation. For RSA keys, all of "ssh-rsa", "rsa-sha2-256", and "rsa-sha2-512" exist, using SHA-1, SHA-256, and SHA-512 respectively as their hash algorithms.

Unfortunately, the string "ssh-rsa" is used as both a key type name in authorized_keys and as a key signature algorithm name, which has caused a good deal of confusion with this deprecation notice, but the two aren't actually the same thing.

My understanding is (and more knowledgeable people should correct me if I'm wrong) that this deprecation notice affects the following people:

 * Users of OpenSSH certificates (see the CERTIFICATES section in ssh-keygen(1)); these may need to arrange for certificates to be re-signed using a stronger signature algorithm.

 * Users who have explicitly specified "ssh-rsa" in CASignatureAlgorithms, HostbasedKeyTypes, HostbasedAcceptedKeyTypes, HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in their client configuration files (~/.ssh/config or ssh_config); these need to ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512" is listed there as well.

 * Users connecting to old or poorly-configured servers that offer RSA host keys; in a future OpenSSH release, these may find that they need to configure "HostKeyAlgorithms +ssh-rsa" for those hosts in order to connect.

 * Users of straightforward RSA public keys authenticating to old or poorly-configured servers; in a future OpenSSH release, these may find that they need to configure "PubkeyAcceptedKeyTypes +ssh-rsa" for those hosts in order to authenticate.

 * Operators of older server software; these may need to upgrade to support the "rsa-sha2-256" or "rsa-sha2-512" signature algorithms.

 * Operators of OpenSSH servers who have explicitly specified "ssh-rsa" in CASignatureAlgorithms, HostbasedAcceptedKeyTypes, HostKeyAlgorithms, or PubkeyAcceptedKeyTypes in sshd_config; these need to ensure that at least one of "rsa-sha2-256" and "rsa-sha2-512" is listed there as well.

 * Developers of other SSH implementations; these may need to add support for the "rsa-sha2-256" and "rsa-sha2-512" signature algorithms.

Users of straightforward RSA public keys authenticating to reasonably modern and well-configured servers are not affected, and do not need to generate new keys, change their configuration, or migrate to different key types.

HTH,

--
Colin Watson [cjwatson at debian.org]
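
The configuration check described in the message above (an explicit "ssh-rsa" entry with neither "rsa-sha2-256" nor "rsa-sha2-512" beside it) can be automated. The following is an added example, not code from the thread or from OpenSSH; the sample configuration and its host names are constructed, and the handling of the "+", "-" and "^" list prefixes follows ssh_config(5).

```python
import fnmatch
import re

# Directives named in the thread; each takes a comma-separated algorithm list.
DIRECTIVES = {"casignaturealgorithms", "hostbasedkeytypes",
              "hostbasedacceptedkeytypes", "hostkeyalgorithms",
              "pubkeyacceptedkeytypes"}
SHA2_RSA = ("rsa-sha2-256", "rsa-sha2-512")

# Constructed sample client configuration, not taken from any real host.
SAMPLE = """\
Host oldsolaris
    HostKeyAlgorithms ssh-rsa
Host legacy
    PubkeyAcceptedKeyTypes +ssh-rsa
Host fixed
    HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-rsa
Host stripped
    HostKeyAlgorithms -rsa-sha2-*
"""


def listed(patterns, name):
    """True if any list entry (wildcards allowed) matches the algorithm name."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def audit(config_text):
    """Return (line_no, directive, verdict) for every directive of interest."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(\S.*)$", line)
        if not m or m.group(1).lower() not in DIRECTIVES:
            continue
        value = m.group(2).strip().strip('"')
        prefix = value[:1] if value[:1] in ("+", "-", "^") else ""
        patterns = [p for p in value[len(prefix):].split(",") if p]
        sha2 = [listed(patterns, n) for n in SHA2_RSA]
        verdict = "ok"  # "+" and "^" only add to the defaults, SHA-2 stays
        if prefix == "-" and all(sha2):
            verdict = "sha2-removed"  # both SHA-2 names taken out of defaults
        elif not prefix and listed(patterns, "ssh-rsa") and not any(sha2):
            verdict = "sha1-only"  # explicit list replaces the defaults
        findings.append((no, m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for no, directive, verdict in audit(SAMPLE):
        print(f"line {no}: {directive}: {verdict}")
```

A "sha1-only" verdict marks a directive that needs "rsa-sha2-256" or "rsa-sha2-512" added; the `ssh-rsa` key type string in authorized_keys or known_hosts is deliberately not inspected.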
Steffen Nurpmeso
2020-Feb-24 17:31 UTC
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
Colin Watson wrote in <20200223112808.GA22328 at riva.ucam.org>:
|On Sat, Feb 22, 2020 at 05:06:29PM -0700, Bob Proulx wrote:
|> Damien Miller wrote:
|>> Future deprecation notice
...
|No, the deprecation notice is talking about the key signature algorithm,
|not the key type. SSH clients and servers agree a key signature
|algorithm as part of their protocol negotiation. For RSA keys, all of
|"ssh-rsa", "rsa-sha2-256", and "rsa-sha2-512" exist, using SHA-1,
|SHA-256, and SHA-512 respectively as their hash algorithms.
|
|Unfortunately, the string "ssh-rsa" is used as both a key type name in
|authorized_keys and as a key signature algorithm name, which has caused
|a good deal of confusion with this deprecation notice, but the two
|aren't actually the same thing.
|
|My understanding is (and more knowledgeable people should correct me if
|I'm wrong) that this deprecation notice affects the following people:
...

Thank you for the above and the following list. It does not affect me really, as i used "HostKeyAlgorithms ssh-rsa" and IdentityFile for the few hosts that use RSA (even exclusively, like elder Solaris installations i have access to), but i obviously did not really understand what the RSA change meant.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Bob Proulx
2020-Feb-26 19:38 UTC
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
Colin Watson wrote:
> No, the deprecation notice is talking about the key signature algorithm,
> not the key type. SSH clients and servers agree a key signature
> algorithm as part of their protocol negotiation. For RSA keys, all of
> "ssh-rsa", "rsa-sha2-256", and "rsa-sha2-512" exist, using SHA-1,
> SHA-256, and SHA-512 respectively as their hash algorithms.

Aha! I was pretty sure the notice was not saying what a simple reading of it made one think it was saying.

> Unfortunately, the string "ssh-rsa" is used as both a key type name in
> authorized_keys and as a key signature algorithm name, which has caused
> a good deal of confusion with this deprecation notice, but the two
> aren't actually the same thing.

Thank you for the clarification. Hopefully as future notices are posted some of this expanded language could be included so as to help out others from experiencing the same confusion as already experienced here. And I was happy to see that I was not the only one who was experiencing it! Thanks also to the others that responded too.

> My understanding is (and more knowledgeable people should correct me if
> I'm wrong) that this deprecation notice affects the following people:

Thank you for the expansive description of the effects of this notice. This greatly clears up the problems reading the original notice. Thank you for describing this in detail. It is much appreciated!

> Users of straightforward RSA public keys authenticating to reasonably
> modern and well-configured servers are not affected, and do not need to
> generate new keys, change their configuration, or migrate to different
> key types.

Very good then! That is the word that I will pass along.

> HTH,

Yes. Very much so! Thanks!

Bob