Jan Bramkamp:

> > This release, and its deactivation of DSA by default at compile-time,
> > marks the second step in our timeline to finally deprecate DSA. The
> > final step of removing DSA support entirely is planned for the first
> > OpenSSH release of 2025.
>
> As long as it's "only" a compile-time option away for FreeBSD to enable this
> flawed cipher I would like to have it compiled in by default so it doesn't
If OpenSSH upstream stick to the published schedule, version 9.9 that is now in 13-STABLE/14-STABLE/15-CURRENT will be the _final_ release that even includes the DSA code. That has been announced for a year. There is going to be a new OpenSSH release soonish, to coincide with the as-clockwork OpenBSD release in spring. I see that the DSA code has not yet been removed from OpenBSD-current, but I don't know if that points to a reprieve or is simply an upcoming to-do item.

> require installing SSH from ports to connect to some stupid old
> router/switch/UPS/whatever over SSH.

I feel your pain.

Host sw0 sw1 sw2
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss
    Ciphers +aes128-cbc
    # TP-Link JetStream switches drop the connection when offered an ECDSA key
    PreferredAuthentications keyboard-interactive,password

Time to replace those switches, I guess...

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
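An added example, not posted by anyone in this thread: a small audit script that reads ssh_config Host blocks like the one above and lists which host patterns still depend on ssh-dss host keys, DH group1 key exchange or CBC ciphers, so an administrator can inventory the affected devices before an OpenSSH upgrade drops DSA. The SAMPLE config and the hostname modern.example.net are constructed for the demonstration.

```python
"""Audit an ssh_config for Host blocks that re-enable legacy algorithms.
Added example (not from the thread): it reads the Host-block format shown
above and reports hosts that still depend on ssh-dss, DH group1 or CBC."""
import re

# Keyword -> (regex, description) pairs treated as legacy dependencies.
LEGACY = {
    "hostkeyalgorithms": [(r"ssh-dss", "DSA host key (slated for removal from OpenSSH)")],
    "kexalgorithms": [(r"diffie-hellman-group1-sha1", "1024-bit DH group1 KEX")],
    "ciphers": [(r"-cbc\b", "CBC-mode cipher")],
}

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...]; pre-Host options go to '*'."""
    blocks, hosts, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or ssh_config comment
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((hosts, opts))
            hosts, opts = value.split(), {}
        else:
            opts[key] = value
    blocks.append((hosts, opts))
    return blocks

def legacy_findings(text):
    """Map each host pattern to the legacy mechanisms its block enables."""
    findings = {}
    for hosts, opts in parse_ssh_config(text):
        hits = [reason for key, pats in LEGACY.items()
                for pat, reason in pats if re.search(pat, opts.get(key, ""))]
        for h in hosts if hits else []:
            findings.setdefault(h, []).extend(hits)
    return findings

# Constructed sample, based on the ssh_config snippet in the thread above.
SAMPLE = """\
Host sw0 sw1 sw2
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss
    Ciphers +aes128-cbc
    # TP-Link JetStream switches drop the connection when offered an ECDSA key
    PreferredAuthentications keyboard-interactive,password
Host modern.example.net
    HostKeyAlgorithms ssh-ed25519
"""
```

Running `legacy_findings(SAMPLE)` reports sw0, sw1 and sw2 with all three legacy dependencies and nothing for modern.example.net.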