On 1/22/2016 1:37 AM, Dag-Erling Smørgrav wrote:
> Conrad Meyer <c...@freebsd.org> writes:
>> Are we going to maintain DSA key support after upstream deprecates it
>> entirely? And why?
>
> I am not aware of any plans to remove DSA support. It has simply been
> disabled in the default run-time configuration - unlike, for instance,
> libwrap, which was removed entirely, and SSHv1, which needs to be
> enabled at compile time. I understand that decision (although I
> disagree with their justification, or at least the way it was worded),
> but we still have users who use DSA keys and who will be locked out of
> their systems if we disable DSA without sufficient advance warning. I
> will look into what steps can be taken to deprecate DSA without causing
> our users too much inconvenience.
>
> DES
>
I've used these in sshd_config and ssh_config to restore some removed functionality:

Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-...@openssh.com
HostkeyAlgorithms +ssh-dss,ssh-dss-cert-...@openssh.com

Maintaining these in the default config would be simpler and allow users to more easily remove them, but not give them a working upgrade. I'm not sure if these support '-' to disable them. On the other hand we can just put these lines in the release notes and UPDATING so we are secure-by-default.

-- 
Regards,
Bryan Drewery
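As an added example, not from this thread or from the OpenSSH project: a small Python audit that computes the effective algorithm lists an sshd_config-style fragment would produce, using the `+` append semantics the lines above rely on, and the `-` removal form (which did not exist when this thread was written; OpenSSH added it in 7.5, with fnmatch-style patterns). It then reports which of the legacy algorithms discussed above end up enabled, which is the check an operator would want before shipping such lines in a default config. The baseline lists and the sample config are constructed stand-ins, not any release's real compiled-in defaults.

```python
import fnmatch

# Constructed baseline: a hypothetical default list standing in for the
# compiled-in defaults of an OpenSSH 7.x build (real defaults vary by version).
DEFAULT_LISTS = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "kexalgorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                      "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1"],
    "pubkeyacceptedkeytypes": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"],
    "hostkeyalgorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"],
}

# The algorithms the thread talks about re-enabling; flagged as legacy here.
LEGACY = {"blowfish-cbc", "arcfour", "aes128-cbc", "3des-cbc",
          "diffie-hellman-group1-sha1", "ssh-dss"}

# Constructed sample config: the '+' lines from the thread (cert variant omitted).
SAMPLE_CONFIG = """\
Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss
HostKeyAlgorithms +ssh-dss
"""


def apply_directive(defaults, value):
    """Apply one algorithm-list value to a default list.

    '+a,b' appends the named algorithms (duplicates are dropped),
    '-pat,...' removes every default matching a pattern (OpenSSH >= 7.5 form),
    anything else replaces the list outright.
    """
    if value.startswith("+"):
        extra = [a for a in value[1:].split(",") if a]
        return list(defaults) + [a for a in extra if a not in defaults]
    if value.startswith("-"):
        patterns = [p for p in value[1:].split(",") if p]
        return [a for a in defaults
                if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    return [a for a in value.split(",") if a]


def parse_config(text):
    """Parse 'Keyword value' lines; keywords are case-insensitive and, as in
    sshd_config, the first occurrence of a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        seen.setdefault(key, parts[1].strip())
    return seen


def effective_algorithms(config_text, defaults=DEFAULT_LISTS):
    """Return {keyword: effective list} after applying the config to the defaults."""
    cfg = parse_config(config_text)
    return {key: apply_directive(default, cfg[key]) if key in cfg else list(default)
            for key, default in defaults.items()}


def legacy_enabled(effective):
    """Sorted legacy algorithms present in any effective list (cert types
    such as 'ssh-dss-cert-...' count as their base algorithm)."""
    found = set()
    for algs in effective.values():
        for a in algs:
            if any(a == l or a.startswith(l + "-cert") for l in LEGACY):
                found.add(a)
    return sorted(found)


if __name__ == "__main__":
    eff = effective_algorithms(SAMPLE_CONFIG)
    for key, algs in eff.items():
        print(f"{key}: {','.join(algs)}")
    print("legacy enabled:", legacy_enabled(eff))
```

Run against the sample, it lists every legacy algorithm the `+` lines re-enable; run against an empty config it reports none, which is the "secure-by-default" state the thread prefers. The `-` branch lets you check what a later-style removal such as `KexAlgorithms -diffie-hellman-group*-sha1` would leave in place.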