openssh-9.9p1 packages ready in experimental
Jake Goerzen
jgoerzen at opencsw.org
Thu Dec 5 20:19:29 CET 2024
Hi Dago,

I have openssh-9.9p1 packages ready to try in experimental. I've
installed them on my systems and they are working as expected. These
have been built with --enable-dsa-keys so that ssh will have the options
needed to connect to ILOMs and stuff like that. I figured we would
want that enabled at least for now. Here is from the openssh-9.9p1
release notes:

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

Currently DSA is disabled at compile time. The final step of
removing DSA support entirely is planned for the first OpenSSH
release of 2025.

DSA support may be re-enabled on OpenBSD by setting "DSAKEY=yes"
in Makefile.inc. To enable DSA support in portable OpenSSH, pass
the "--enable-dsa-keys" option to configure.

Best regards,
Jake
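
An added example, not part of the original message and not OpenSSH or OpenCSW code: since the release notes above schedule DSA for removal, this sketch lists which entries in authorized_keys and known_hosts files are still of type ssh-dss, so the hosts and accounts that depend on a DSA-enabled build can be found. The function names, sample hosts and key blobs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list DSA entries in authorized_keys / known_hosts files.
# The key-type field can sit at different positions (after options in
# authorized_keys, after the host list or a marker in known_hosts), so
# every field is checked and must be followed by a base64 blob.

find_dsa_entries() {
    # Prints "file:line" for every DSA public key in the given files.
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }        # comment line
            NF == 0    { next }        # blank line
            {
                for (i = 1; i < NF; i++) {
                    t = $i
                    if ((t == "ssh-dss" || t == "ssh-dss-cert-v01@openssh.com") && $(i + 1) ~ /^AAAA/) {
                        print file ":" NR
                        break
                    }
                }
            }' "$f"
    done
}

write_sample() {
    # Constructed sample files; the blobs are truncated placeholders, not real keys.
    dir=$1
    cat > "$dir/authorized_keys" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER admin@example
from="192.0.2.10",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER ilom-backup
EOF
    cat > "$dir/known_hosts" <<'EOF'
ilom1.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
web1.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
EOF
}

# Stand-alone use: pass the files to check as arguments.
if [ "$#" -gt 0 ]; then
    find_dsa_entries "$@"
fi
```

A known_hosts hit identifies a server that offers only a DSA host key to this client; an authorized_keys hit identifies a user key that will stop working once sshd is built without DSA.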