Segher Boessenkool via cfarm-users <cfarm-users@lists.tetaneutral.net> writes:
> On Thu, Dec 14, 2023 at 01:22:28AM -0300, Alexandre Oliva via cfarm-users wrote:
>> On Dec 13, 2023, Jacob Bachmeyer <jcb62...@gmail.com> wrote:
>> > This is a pet peeve of mine: unless you have a citation for an actual
>> > viable attack on RSA as used in SSH, or perhaps on the protocol SSH
>> > uses for RSA-based authentication
>>
>> AFAIK, ssh-rsa relies on SHA1 and SHA1 is weakening. Labeling it as
>> 'insecure', like I did, was probably an exaggeration, but there seems to
>> be good reason to phase it out proactively rather than reactively.
>
> Exactly. And this wouldn't endanger your keys, in the worst case your
> connections to these old machines could be eavesdropped, or very maybe
> even taken over. So enabling these older protocols for machines that
> run older software and so do not support newer, better protocols should
> be fine for almost everyone.
> Maybe add a comment to your .ssh/config to that effect ;-)

Right. I have:

    Host gcc211.fsffrance.org
      IdentityFile .ssh/id_gccfarm
      PubkeyAcceptedAlgorithms +ssh-rsa
      HostkeyAlgorithms +ssh-rsa

... in my ~/.ssh/config (which hasn't been updated in a bit). You can do a
similar thing. The separate key here was done because I use an EC key.

The above should let you 'locally' enable the RSA algorithms.

>
>
> Segher
> _______________________________________________
> cfarm-users mailing list
> cfarm-users@lists.tetaneutral.net
> https://lists.tetaneutral.net/listinfo/cfarm-users

-- 
Arsen Arsenović
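
A check that a per-host ssh-rsa override like the one in the message above stays scoped to the named host, as an added example that is not part of the original thread: it scans ssh_config text for options that enable ssh-rsa and flags any that sit under a wildcard Host, a Match block or the global section. The sample config, the `*.example.org` host and the function names are constructed for illustration.

```python
import re

# PubkeyAcceptedKeyTypes is the pre-8.5 OpenSSH name of PubkeyAcceptedAlgorithms.
ALGO_OPTIONS = {"pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes",
                "hostkeyalgorithms"}
LINE = re.compile(r"\s*(\w+)(?:\s*=\s*|\s+)(.*\S)")  # "Key value" or "Key=value"

# Constructed sample: the stanza from the message plus two hypothetical ones.
SAMPLE = """\
Host gcc211.fsffrance.org
    IdentityFile .ssh/id_gccfarm
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
Host *.example.org
    PubkeyAcceptedKeyTypes=+ssh-rsa
Host *
    HostKeyAlgorithms -ssh-rsa
"""

def enables_ssh_rsa(value):
    """True if the list adds or keeps ssh-rsa; a leading '-' removes entries."""
    value = value.strip('"')
    return not value.startswith("-") and "ssh-rsa" in value.lstrip("+^").split(",")

def audit(config_text):
    """Return (line_no, scope, option, broad) for every setting enabling ssh-rsa."""
    findings = []
    scope, broad = "(global)", True  # options before any Host apply to all hosts
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw)  # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            scope = value
            # Any non-negated wildcard pattern widens the stanza beyond one host.
            broad = any(("*" in p or "?" in p) and not p.startswith("!")
                        for p in value.split())
        elif key == "match":
            scope, broad = "Match " + value, True  # assumption: review by hand
        elif key in ALGO_OPTIONS and enables_ssh_rsa(value):
            findings.append((no, scope, key, broad))
    return findings

if __name__ == "__main__":
    for no, scope, key, broad in audit(SAMPLE):
        print(f"line {no}: {key} enables ssh-rsa for {scope}"
              f" [{'BROAD scope' if broad else 'scoped to named host'}]")
```
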