OpenSSH developer, Damien Miller, has announced plans to remove support for DSA keys from OpenSSH in the near future. His announcement describes the rationale, process, and proposed timeline.
The next release of OpenSSH (due around 2024/03) will make DSA optional at compile time, but still enable it by default. Users and downstream distributors of OpenSSH may use this option to explore the impact of DSA removal in their environments, or to hard-deprecate it early if they desire.
Around 2024/06, a release of OpenSSH will change this compile-time default to disable DSA. It may still be enabled by users/distributors if needed.
Finally, in the first OpenSSH release after 2025/01/01 the DSA code will be removed entirely.
In summary:
2024/01 - this announcement
2024/03 (estimated) - DSA compile-time optional, enabled by default
2024/06 (estimated) - DSA compile-time optional, *disabled* by default
2025/01 (estimated) - DSA is removed from OpenSSH
Very few will notice this change. However, for those few to whom this matters the effects are major.
Previously:
(2021) scp Will Be Replaced With sftp Soon
(2020) SHA-1 to be Disabled in OpenSSH and libssh
(2019) How SSH Key Shielding Works
(2016) Upgrade Your SSH Keys
(2014) OpenSSH No Longer has to Depend on OpenSSL
Related Stories
What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality - with the help of some recently adopted crypto from DJ Bernstein. OpenSSH now finally has a compile-time option to no longer depend on OpenSSL, the option `make OPENSSL=no` has now been introduced for a reduced-configuration OpenSSH to be built without OpenSSL.
The result would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys.
[Editor's Note: This appears to be very much a Work-in-Progress, so might not be available for your distro or via standard repositories.]
Arthur T Knackerbracket has found the following story:
Whether you're a software developer or a sysadmin, I bet you're using SSH keys. Pushing your commits to Github or managing your Unix systems, it's best practice to do this over SSH with public key authentication rather than passwords. However, as time flies, many of you are using older keys and not aware of the need to generate fresh ones to protect your privates much better. In this post I'll demonstrate how to transition to an Ed25519 key smoothly, why you would want this and show some tips and tricks on the way there.
If you've created your key more than about four years ago with the default options it's probably insecure (RSA < 2048 bits). Even worse, I've seen tweeps, colleagues and friends still using DSA keys (ssh-dss in OpenSSH format) recently. That's a key type similar to RSA, but limited to 1024 bits size and therefore recommended against for a long time. It's plainly insecure and refused for valid reasons in recent OpenSSH versions (see also the changelog for 7.0).
The sad thing about it is that I see posts on how to re-enable DSA key support rather than moving to a more secure type of key. Really, it's unwise to follow instructions to change the configuration for PubkeyAcceptedKeyTypes or HostKeyAlgorithms (host keys are for a later post). Instead, upgrade your keys!
Compare DSA with the technology of locks using keys like this one. You wouldn't want this type of key to unlock your front door, right?
List all your keys:
You're probably thinking... "I'm using my key for a long time, I don't want to change them everywhere now." Valid point, but you don't have to! It's good to know you can have multiple keys on your system and your SSH client will pick the right one for the right system automatically.
It's part of the SSH protocol that it can offer multiple keys and the server picks the one your client will have to prove it has possession of the private key by a challenge. See it in action adding some verbosity to the SSH connect command (-vvv). Also if you're using an SSH agent you can load multiple keys and it will discover them all. Easy as that.
On June 21, 2019, support for SSH key shielding was introduced into the OpenBSD tree, from which the OpenSSH releases are derived. SSH key shielding is a measure intended to protect private keys in RAM against attacks that abuse bugs in speculative execution that current CPUs exhibit.[0] This functionality has been part of OpenSSH since the 8.1 release. SSH private keys are now being held in memory in a shielded form; keys are only unshielded when they are used and re‐shielded as soon as they are no longer in active use. When a key is shielded, it is encrypted in memory with AES‐256‐CTR; this is how it works: [...]
https://xorhash.gitlab.io/xhblog/0010.html
Dangerous SHA-1 crypto function will die in SSH linking millions of computers:
Developers of two open source code libraries for Secure Shell—the protocol millions of computers use to create encrypted connections to each other—are retiring the SHA-1 hashing algorithm, four months after researchers piled a final nail in its coffin.
The moves, announced in release notes and a code update for OpenSSH and libssh respectively, mean that SHA-1 will no longer be a means for digitally signing encryption keys that prevent the monitoring or manipulating of data passing between two computers connected by SSH—the common abbreviation for Secure Shell. (Wednesday's release notes concerning SHA-1 deprecation in OpenSSH repeated word for word what developers put in February release notes, but few people seemed to notice the planned change until now.)
Cryptographic hash functions generate a long string of characters that are known as a hash digest. Theoretically, the digests are supposed to be unique for every file, message, or other input fed into the function. Practically speaking, digest collisions must be mathematically infeasible given the performance capabilities of available computing resources. In recent years, a host of software and services have stopped using SHA-1 after researchers demonstrated practical ways for attackers to forge digital signatures that use SHA-1. The unanimous agreement among experts is that it's no longer safe in almost all security contexts.
"Its a chainsaw in a nursery," security researcher Kenn White said of the hash function, which made its debut in 1995.
OpenSSH 8.8 has been released and with it comes a heads up that there will be major changes to how the scp utility operates, starting in one of the next releases. Specifically, scp has been retooled to use the SFTP protocol under the hood. This will leave most behavior unchanged and most times there will be no perceived difference. However, some scripts which make use of globbing might need minor adjustment to work properly in the future:
A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug- compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
(Score: 3, Informative) by VLM on Monday January 15, @04:43PM (2 children)
Note this is the old legacy DSA with short keys, NOT EdDSA or ECDSA
In the configs and options I believe you'll see legacy DSA named something like ssh-dss
Its rather unlikely if you generated all your host keys in the last decade that you even have access to a DSS key. I do remember them.
Also note the difference between "supports" and "uses". The standard sshd_config I install with Ansible at work(s) and home "supports" DSA keys if I have one in ~/.ssh/authorized_keys it'll now work; in a year it will no longer work. However my sshd (and ssh) config do not by default use DSA keys so I'm pretty sure I don't have any.
So "ssh -Q key" will list ssh-dss, but I'm not using it.
I would imagine this means in a year that "ssh-keygen -t ssh-dsa" will no longer work, not that it matters to most anyone. I'm mildly curious how long the default for ssh-keygen -t has been RSA. IIRC "a long time ago" it was DSA for software patent reasons.
I don't remember the difference between DSS and DSA. Something like DSA is the crypto algo itself and DSS is the wrapper protocol for DSA data, maybe. Old Stuff !!!!
(Score: 3, Interesting) by Anonymous Coward on Monday January 15, @04:57PM
DSS is the "Digital Signature Standard", specifically NIST FIPS-186.
Originally this only specified DSA (the "Digital Signature Algorithm") but later revisions of FIPS-186 expanded to include RSA and ECDSA, with the most recent (2023) adding EdDSA and (mostly) removing specification of DSA altogether.
(Score: 4, Informative) by canopic jug on Monday January 15, @05:11PM
I would imagine this means in a year that "ssh-keygen -t ssh-dsa" will no longer work, not that it matters to most anyone. I'm mildly curious how long the default for ssh-keygen -t has been RSA. IIRC "a long time ago" it was DSA for software patent reasons.
RSA has been the default a long time. The ssh-keygen utility has been using RSA keys as the default for at least 18 years, if I recall correctly, which is when I started paying attention. However, looking through the OpenSSH release notes [openssh.com], maybe the change happened around 3.1, give or take a few versions, since they adjusted the defaults then. It has recently upgrade from RSA to Ed25519 for the default. However, that said, RSA was released to the public domain [archive.org] in September of 2000 already. So that could mean as early as 2.3.
However, server keys included DSA up until a few years ago. Deprecation appears to have started around 8.9 which was in 2022.
Money is not free speech. Elections should not be auctions.