* [gentoo-dev] [PATCH] 2021-10-08-openssh-rsa-sha1: add news item
From: Mike Gilbert @ 2021-10-05 17:43 UTC
To: gentoo-dev; +Cc: pr, base-system, Mike Gilbert
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
.../2021-10-08-openssh-rsa-sha1.en.txt | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
new file mode 100644
index 0000000..cfdcc4a
--- /dev/null
+++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
@@ -0,0 +1,26 @@
+Title: OpenSSH RSA SHA-1 signatures
+Author: Mike Gilbert <floppym@gentoo.org>
+Posted: 2021-10-08
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: net-misc/openssh
+
+As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
+hash algorithm by default. This change affects both the client and
+server components.
+
+After upgrading to this version, you may have trouble connecting to
+older SSH servers that do not support the newer RSA/SHA-256/SHA-512
+signatures. Support for these signatures was added in OpenSSH 7.2.
+
+As well, you may have trouble using older SSH clients to connect to a
+server running OpenSSH 8.8 or higher. Some older clients do not
+automatically utilize the newer hashes. For example, PuTTY before
+version 0.75 is affected.
+
+To resolve these problems, please upgrade your SSH client/server
+whereever possible. If this is not feasible, support for the SHA-1
+hashes may be re-enabled using the following config options:
+
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa
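Review bot: the two directives at the end of this hunk ("HostkeyAlgorithms +ssh-rsa" and "PubkeyAcceptedAlgorithms +ssh-rsa") do not say which file they belong in or which side they apply to, although the text above describes both the client-to-old-server case and the old-client-to-server case; both keywords are accepted in ssh_config and in sshd_config, so one sentence such as "add these to /etc/ssh/ssh_config on the client, or to /etc/ssh/sshd_config on the server" would remove the ambiguity. Because these lines re-enable SHA-1 signatures, it is also worth saying that on the client they can be restricted to the legacy hosts with a Host block in ssh_config instead of being set globally. Two smaller points: "whereever" in the paragraph above should be "wherever", and the man pages spell the first keyword HostKeyAlgorithms (keywords are matched case-insensitively, so the lowercase k works, but the canonical spelling is easier for readers to look up).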
--
2.33.0
* Re: [gentoo-dev] [PATCH] 2021-10-08-openssh-rsa-sha1: add news item
From: Aaron W. Swenson @ 2021-10-05 20:22 UTC
To: gentoo-dev
I think it may be helpful to include the specific file(s) those options
need to be added to and to clarify whether they need to be added to the
server host or the clients.

Perhaps like so:

hashes may be re-enabled on the server by adding the following config
options to the end of /etc/ssh/sshd_config:
WKR,
Aaron
Mike Gilbert <floppym@gentoo.org> writes:
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
> .../2021-10-08-openssh-rsa-sha1.en.txt | 26
> +++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644
> 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
>
> diff --git
> a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> new file mode 100644
> index 0000000..cfdcc4a
> --- /dev/null
> +++
> b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> @@ -0,0 +1,26 @@
> +Title: OpenSSH RSA SHA-1 signatures
> +Author: Mike Gilbert <floppym@gentoo.org>
> +Posted: 2021-10-08
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: net-misc/openssh
> +
> +As of version 8.8, OpenSSH disables RSA signatures using the
> SHA-1
> +hash algorithm by default. This change affects both the client
> and
> +server components.
> +
> +After upgrading to this version, you may have trouble
> connecting to
> +older SSH servers that do not support the newer
> RSA/SHA-256/SHA-512
> +signatures. Support for these signatures was added in OpenSSH
> 7.2.
> +
> +As well, you may have trouble using older SSH clients to
> connect to a
> +server running OpenSSH 8.8 or higher. Some older clients do not
> +automatically utilize the newer hashes. For example, PuTTY
> before
> +version 0.75 is affected.
> +
> +To resolve these problems, please upgrade your SSH
> client/server
> +whereever possible. If this is not feasible, support for the
> SHA-1
> +hashes may be re-enabled using the following config options:
> +
> +HostkeyAlgorithms +ssh-rsa
> +PubkeyAcceptedAlgorithms +ssh-rsa
--
Reservations and Reporting Technologist
Great Smoky Mountains Railroad
PO Box 1490
Bryson City, NC 28713
D: 828-488-7013
M: 800-872-4681 x 214
F: 828-488-0427
P: 9B32 F2A4 8C1F F4E0 1E23 CEEA 2153 C852 F779 174F
* Re: [gentoo-dev] [PATCH] 2021-10-08-openssh-rsa-sha1: add news item
From: Mike Gilbert @ 2021-10-05 20:59 UTC
To: Gentoo Dev
On Tue, Oct 5, 2021 at 4:22 PM Aaron W. Swenson <titanofold@gentoo.org> wrote:
>
>
> I think it may be helpful to include the specific file(s) those options
> need to be added to and to clarify whether they need to be added to the
> server host or the clients.
>
> Perhaps like so:
>
> hashes may be re-enabled on the server by adding the following config
> options to the end of /etc/ssh/sshd_config:
I considered something similar, but decided that I don't really want
to do that level of hand-holding.
Re-enabling ssh-rsa should be a seldom-used workaround. I feel like
people can read the manual if they really need to enable them. The
point of the news item is really to alert folks so they don't spend
hours scratching their heads over it.
* Re: [gentoo-dev] [PATCH] 2021-10-08-openssh-rsa-sha1: add news item
From: Sam James @ 2021-10-05 21:40 UTC
To: gentoo-dev; +Cc: pr, base-system, Mike Gilbert
> On 5 Oct 2021, at 18:43, Mike Gilbert <floppym@gentoo.org> wrote:
>
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
> .../2021-10-08-openssh-rsa-sha1.en.txt | 26 +++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
>
> diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> new file mode 100644
> index 0000000..cfdcc4a
> --- /dev/null
> +++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> @@ -0,0 +1,26 @@
> +Title: OpenSSH RSA SHA-1 signatures
> +Author: Mike Gilbert <floppym@gentoo.org>
> +Posted: 2021-10-08
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: net-misc/openssh
> +
> +As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
> +hash algorithm by default. This change affects both the client and
> +server components.
lgtm
* [gentoo-dev] Re: [PATCH] 2021-10-08-openssh-rsa-sha1: add news item
From: David Seifert @ 2021-10-06 7:58 UTC
To: Mike Gilbert, gentoo-dev; +Cc: pr, base-system
On Tue, 2021-10-05 at 13:43 -0400, Mike Gilbert wrote:
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
> .../2021-10-08-openssh-rsa-sha1.en.txt | 26
> +++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-
> rsa-sha1.en.txt
>
> diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-
> sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-
> sha1.en.txt
> new file mode 100644
> index 0000000..cfdcc4a
> --- /dev/null
> +++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
> @@ -0,0 +1,26 @@
> +Title: OpenSSH RSA SHA-1 signatures
> +Author: Mike Gilbert <floppym@gentoo.org>
> +Posted: 2021-10-08
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: net-misc/openssh
> +
> +As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
> +hash algorithm by default. This change affects both the client and
> +server components.
> +
> +After upgrading to this version, you may have trouble connecting to
> +older SSH servers that do not support the newer RSA/SHA-256/SHA-512
> +signatures. Support for these signatures was added in OpenSSH 7.2.
> +
> +As well, you may have trouble using older SSH clients to connect to a
> +server running OpenSSH 8.8 or higher. Some older clients do not
> +automatically utilize the newer hashes. For example, PuTTY before
> +version 0.75 is affected.
> +
> +To resolve these problems, please upgrade your SSH client/server
> +whereever possible. If this is not feasible, support for the SHA-1
> +hashes may be re-enabled using the following config options:
> +
> +HostkeyAlgorithms +ssh-rsa
> +PubkeyAcceptedAlgorithms +ssh-rsa
ship it!