Displaying 20 results from an estimated 8000 matches similar to: "Future deprecation of ssh-rsa"
2020 Oct 21
2
Future deprecation of ssh-rsa
I've expressed several concerns with enabling UpdateHostKeys by default,
none of which were even commented on, so this topic seems to not be in
any way open for discussion, but I'll still add one more thing here.
Peter Stuge wrote:
> Subject: Re: UpdateHostkeys now enabled by default
> Date: Mon, 5 Oct 2020 11:22:29 +0000
..
> I do not disagree with progressive key management, we
2016 Dec 23
5
[Bug 2650] New: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
https://bugzilla.mindrot.org/show_bug.cgi?id=2650
Bug ID: 2650
Summary: UpdateHostKeys ignores RSA keys if
HostKeyAlgorithms=rsa-sha2-256
Product: Portable OpenSSH
Version: 7.4p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
2020 Feb 23
4
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
I am trying to understand the details of the deprecation notice.
Because I am getting people asking me questions. And I don't know the
answer. Therefore I am pushing the boulder uphill and asking here. :-)
Damien Miller wrote:
> Future deprecation notice
> =========================
>
> It is now possible[1] to perform chosen-prefix attacks against the
> SHA-1 algorithm for
2017 Apr 04
3
Allow SHA1 deprecation for rsa-sha
Hi,
Following the fix [1] being released on 7.5, now SHA2 RSA signature
methods work properly.
On the other hand it is still not possible to disable SHA1 RSA alone
(as an example, as SHA2-256 or SHA2-512 could also potentially be not
desirable), where it is considered insecure or undesirable.
I am proposing to add a mechanism, and happy to submit a patch, to
enable selection of the Hashes
2017 Apr 05
3
Allow SHA1 deprecation for rsa-sha
On Wed, 5 Apr 2017, Jakub Jelen wrote:
> Disabling SHA-1 for signatures sounds like a good idea these days (and was the
> main reason why the extension created if I read it right [1]).
> This leaves me confused if the use case without SHA1 was missed from the draft
> or it was left as an implementation detail, that was not implemented in
> OpenSSH.
The reasons we didn't
2017 Jan 26
4
Server accepts key: pkalg rsa-sha2-512 vs ssh-rsa
Hi,
I'm doing some test with a pkcs11 token that can only sign short messages.
When connecting to one server, that reports pkalg rsa-sha2-512 blen
151, it fails to sign the pubkey because it is 83 bytes long. (sshd:
OpenSSH_7.3p1)
A older server that reports pkalg ssh-rsa blen 151, works perfectly as
the pubkey signature required is only 35 bytes long. (sshd:
OpenSSH_6.7p1)
I am not sure
2020 Jun 01
3
"ssh -Q key" does not list rsa-sha2 algorithms
With the upcoming deprecation of ssh-rsa I was trying to see what keys my
version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
actually list the suggested algorithms to transition to ( rsa-sha2-256 and
rsa-sha2-512 ) even though they are supported. Looking through the code, it
looks like an issue with the arguments passed to sshkey_alg_list in ssh.c
where it should
2020 Jun 01
5
"ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy at mips.inka.de> wrote
> On 2020-06-01, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>
> > With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> > version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> > actually list the suggested algorithms to
2020 Feb 05
19
Call for testing: OpenSSH 8.2
Hi,
OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a feature release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2018 Nov 01
8
[Bug 2924] New: Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Bug ID: 2924
Summary: Order a limited host keys list in client based on the
known hosts
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority:
2017 Feb 17
11
[Bug 2680] New: Regression in server-sig-algs offer in 7.4p1 (Deprecation of SHA1 is not being enforced)
https://bugzilla.mindrot.org/show_bug.cgi?id=2680
Bug ID: 2680
Summary: Regression in server-sig-algs offer in 7.4p1
(Deprecation of SHA1 is not being enforced)
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
2015 Feb 20
3
SUCCESS: OpenSSH_6.7p1-snap20150220
Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
Really appreciate the UpdateHostkeys feature!
One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
Looks like the screen output is missing the CR's, and only LF's get presented.
[root at be2 .ssh]# ssh be1 ls -l
Warning: Permanently added
2018 Oct 10
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Hi,
One of our users who is running an OS (I think it's the latest beta
macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
unable to use our user SSH RSA certificates to authenticate to our
servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
2017").
We see this error on the client side:
debug1: kex_input_ext_info:
2017 Mar 14
5
Call for testing: OpenSSH 7.5p1
Hi,
OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2024 Nov 23
2
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
Hi,
I sent this patch back inn april and I still have a need for this. Would it be
possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`?
--
Morten Linderud
PGP: 9C02FF419FECBE16
On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote:
> `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512`
> and this prevents ssh-agent
2020 Feb 14
2
Announce: OpenSSH 8.2 released
OpenSSH 8.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested
2020 Feb 14
2
Announce: OpenSSH 8.2 released
OpenSSH 8.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested
2024 Nov 23
1
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
There is no hash algorithm associated with SSH keys. The key format for RSA keys is always ?ssh-rsa?, and it is capable of being used with any of the available signature algorithms (ssh-rsa for SHA-1 and rsa-sha2-256 or rsa-sha2-512 for SHA-2).
See section 3 in https://www.rfc-editor.org/rfc/rfc8332:
rsa-sha2-256 RECOMMENDED sign Raw RSA key
rsa-sha2-512 OPTIONAL
2020 Sep 26
18
[Bug 3213] New: openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
https://bugzilla.mindrot.org/show_bug.cgi?id=3213
Bug ID: 3213
Summary: openssh 8.3p1 will not use any type of RSA key for
legacy servers if ssh-rsa is not in
PubkeyAcceptedKeyTypes
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
2017 Jul 21
15
[Bug 2746] New: RFE: Allow to disable SHA1 signatures for RSA
https://bugzilla.mindrot.org/show_bug.cgi?id=2746
Bug ID: 2746
Summary: RFE: Allow to disable SHA1 signatures for RSA
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at