Date: Mon, 08 Aug 2016 21:39:48 +0200 From: Bernard Spil <bernard@bachfreund.nl> To: Devin Teske <dteske@freebsd.org> Cc: Glen Barber <gjb@freebsd.org>, FreeBSD Current <freebsd-current@freebsd.org>, freebsd-stable@freebsd.org, owner-freebsd-stable@freebsd.org Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0 Message-ID: <33cacfb7366727a725c477959a23e1a8@imap.brnrd.eu> In-Reply-To: <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> References: <20160805015918.GI43509@FreeBSD.org> <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Devin, This resource documents the choices pretty well I think https://stribika.github.io/2015/01/04/secure-secure-shell.html Author has made some modifications up to Jan 2016 https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa. Even 6.5p1 shipped with 9.3 supports ed25519. Cheers, Bernard. On 2016-08-08 19:56, Devin Teske wrote: > Which would you use? > > ECDSA? > > https://en.wikipedia.org/wiki/Elliptic_curve_cryptography > <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>; > > "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover > operation", cryptography experts have also expressed concern over the > security of the NIST recommended elliptic curves,[31] > <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>; > suggesting a return to encryption based on non-elliptic-curve groups. > "" > > Or perhaps RSA? (as des@ recommends) > > (not necessarily to Glen but anyone that wants to answer) > -- > Devin > > >> On Aug 4, 2016, at 6:59 PM, Glen Barber <gjb@FreeBSD.org> wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> This is a heads-up that OpenSSH keys are deprecated upstream by >> OpenSSH, >> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). >> >> Please see r303716 for details on the relevant commit, but upstream no >> longer considers them secure. Please replace DSA keys with ECDSA or >> RSA >> keys as soon as possible, otherwise there will be issues when >> upgrading >> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the >> 11.0-RELEASE build. >> >> Glen >> On behalf of: re@ and secteam@ >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2 >> >> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb >> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK >> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl >> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR >> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u >> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs >> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c >> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 >> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r >> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL >> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx >> bLbbH2fh5bxDmDXDMdCF >> =LLtP >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-announce@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-announce >> To unsubscribe, send any mail to >> "freebsd-announce-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "freebsd-stable-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?33cacfb7366727a725c477959a23e1a8>