Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

Mon, 08 Aug 2016 12:49:22 -0700 

Hi Devin,

This resource documents the choices pretty well I think
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Author has made some modifications up to Jan 2016
https://github.com/stribika/stribika.github.io/commits/master/_posts/2015-01-04-secure-secure-shell.md

The short answer then is ed25519 or rsa4096, disable both dsa and ecdsa.

Even 6.5p1 shipped with 9.3 supports ed25519.

Cheers,

Bernard.

On 2016-08-08 19:56, Devin Teske wrote:

Which would you use?

ECDSA?

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
<https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>

"" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover
operation", cryptography experts have also expressed concern over the
security of the NIST recommended elliptic curves,[31]
<https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>
suggesting a return to encryption based on non-elliptic-curve groups.
""

Or perhaps RSA? (as des@ recommends)

(not necessarily to Glen but anyone that wants to answer)
--
Devin



On Aug 4, 2016, at 6:59 PM, Glen Barber <g...@freebsd.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, 
and will be deprecated effective 11.0-RELEASE (and preceeding RCs).

Please see r303716 for details on the relevant commit, but upstream no
longer considers them secure. Please replace DSA keys with ECDSA or RSA keys as soon as possible, otherwise there will be issues when upgrading 
from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the
11.0-RELEASE build.

Glen
On behalf of:   re@ and secteam@

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb
kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK
rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl
GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR
TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u
c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs
60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c
QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8
7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r
mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL
kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx
bLbbH2fh5bxDmDXDMdCF
=LLtP
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-annou...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscr...@freebsd.org" 

_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" 
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Reply via email to