Use RSA host keys instead of DSA #485

Merged
merged 1 commit into from Nov 9, 2016

tjdett commented Oct 13, 2016

OpenSSH 7.x deprecated DSA keys, requiring them now to be explicitly allowed via the "HostKeyAlgorithms" option. For more info, see:
https://www.openssh.com/releasenotes.html#7.0
http://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

As the SSH daemon most often will be used on localhost, it will often be used with the OpenSSH client. The slow upgrade process of enterprise distros has left OpenSSH on 6.x, but this has already changed for Ubuntu 16.04 LTS, and the next versions of Debian & RHEL will be 7.x too.

This patch resolves this problem by replacing DSA with RSA (which has wider compatibility than elliptic curve) for key generation.

Tests have also been modified so the client only uses host key algorithms that both appear in the JSch supported algorithms list and OpenSSH 7 default HostKeyAlgorithms list.

Use RSA host keys instead of DSA
OpenSSH 7.x deprecated DSA keys, requiring them now to be explicitly
allowed via the "HostKeyAlgorithms" option. For more info, see:
https://www.openssh.com/releasenotes.html#7.0
http://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

Tests have been modified so client only uses keys that both appear in
the JSch supported algorithms list and OpenSSH 7 default
HostKeyAlgorithms list.
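
An added example, not part of the pull request or the project's code: a Python check that parses OpenSSH-format public host key lines and flags `ssh-dss` keys, which the description above says OpenSSH 7.x only accepts when re-enabled via `HostKeyAlgorithms`. The function names and the sample keys are constructed for illustration; the samples are built from arbitrary integers and are not real keys.

```python
import base64
import struct

# Host key types OpenSSH 7.x rejects unless re-enabled via HostKeyAlgorithms.
DISABLED_BY_DEFAULT = {"ssh-dss"}

def _read_string(blob, offset):
    """Read one RFC 4251 'string': uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def inspect_host_key(line):
    """Return (key_type, size_bits, accepted_by_default) for a public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    name, off = _read_string(blob, 0)
    if name.decode("ascii") != declared:
        raise ValueError("type label does not match key blob")
    bits = None
    if declared == "ssh-rsa":  # blob layout is e, n: skip the exponent
        _e, off = _read_string(blob, off)
    if declared in ("ssh-rsa", "ssh-dss"):  # next mpint is RSA n or DSA p
        size_field, off = _read_string(blob, off)
        bits = int.from_bytes(size_field, "big").bit_length()
    return declared, bits, declared not in DISABLED_BY_DEFAULT

def _mpint(value):
    """Encode a positive integer as an SSH mpint (used only for the samples)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def _sample_line(key_type, *ints):
    body = struct.pack(">I", len(key_type)) + key_type.encode()
    body += b"".join(_mpint(i) for i in ints)
    return f"{key_type} {base64.b64encode(body).decode()} constructed-sample"

# Constructed samples: correct wire layout, arbitrary numbers, not usable keys.
SAMPLE_RSA = _sample_line("ssh-rsa", 65537, (1 << 2047) | 1)
SAMPLE_DSA = _sample_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
```

Feeding it the lines of a server's `.pub` host key files shows which keys a default OpenSSH 7.x client would refuse before any connection is attempted.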
lihaoyi commented Nov 9, 2016

Looks fine to me I guess

@lihaoyi lihaoyi merged commit 6993be5 into lihaoyi:master Nov 9, 2016

2 checks passed

continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@tjdett tjdett deleted the dit4c:no-dsa-host-keys branch Nov 25, 2016
