Latest revision as of 19:48, October 7, 2015
OpenSSH 7 Disables DSA Keys By Default
Please be aware of this important change to avoid getting locked out of your Funtoo server.
By Drobbins / October 7, 2015
Please be aware that OpenSSH 7 (now unmasked in funtoo-current) has disabled support for DSA keys by default, so that DSA keys cannot be used by an OpenSSH 7 client to log into a server, and DSA keys will not be accepted by an OpenSSH 7 server to allow logins from a client. This change was made by OpenSSH developers due to DSA keys being relatively weak compared to other options currently available.
DSA keys are typically stored in id_dsa and id_dsa.pub files. You can also check your ~/authorized_keys file to determine if you are using a DSA key. DSA public keys begin with the string ssh-dss. These keys will not be accepted by OpenSSH 7 with the default ssh/sshd config installed by the openssh ebuild.
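The check described above, as an added example that is not part of the original announcement: a shell function that lists DSA entries in authorized_keys-format files. It goes slightly beyond the "begins with ssh-dss" rule, because an authorized_keys line may carry options before the key type. The function names and the sample file are constructed for illustration; OpenSSH normally keeps these files under ~/.ssh.

```shell
#!/bin/sh
# Added example: list DSA (ssh-dss) entries in authorized_keys-format files.
# An entry may carry options before the key type, so a DSA entry is taken to be
# a field equal to "ssh-dss" followed by a base64 blob that starts with
# AAAAB3NzaC1kc3M (the encoded "ssh-dss" tag at the start of the key blob).

find_dsa_keys() {
    # Prints "file:line: comment" per DSA entry; exit status 0 if any was found.
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && index($(i + 1), "AAAAB3NzaC1kc3M") == 1) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                    if (c == "") c = "(no comment)"
                    printf "%s:%d: %s\n", FILENAME, FNR, c
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

make_sample() {
    # Constructed sample; the blobs are truncated placeholders, not real keys.
    cat > "$1" <<'EOF'
# constructed authorized_keys sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder bob@oldbox
command="/usr/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder backup job
command="echo ssh-dss disabled" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder carol@ws
EOF
}

# Usage: sh thisfile ~/.ssh/authorized_keys ~/.ssh/*.pub
if [ "$#" -gt 0 ]; then
    find_dsa_keys "$@" || echo "no DSA keys found"
fi
```

Run it against every account's authorized_keys file on a server before upgrading, so that any user who would be locked out can add a non-DSA key first.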
Please see the following Gentoo news announcement for more detail, including instructions on how to re-enable DSA key support on both client and server via configuration file changes: https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
While it is not recommended to continue to use DSA keys, there are still some environments that will require DSA support to be re-enabled to ensure that users can connect via ssh after upgrading to OpenSSH 7. For these environments, it is recommended that you begin the process of migrating away from DSA keys for authentication.