From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] openssh: Update to 8.4p1
Date: Tue, 29 Sep 2020 15:45:08 +0200
Message-ID: <36c39f24-d742-237b-57cd-682c05e6bd43@gmail.com>
In-Reply-To: <677D18A3-D750-4801-93CA-BE4E8D3E3D79@ipfire.org>

Hi Michael,

I don't believe it will be a problem from what I have read up about on this topic.

The move to disabling the ssh-rsa signature by default is still for a future (undefined) release.

When it happens this will not change the RSA key itself. That stays the same. It is the hash used for the signature format that's used during each authentication handshake that will have to be different. There are three signature hashes used for RSA keys: ssh-rsa, which is SHA1 based, and rsa-sha2-256 and rsa-sha2-512, which are both SHA2 based.

Since openssh-7.2 the sha2 signatures have been available, and in default setups the options are tried in descending order in the key exchange communication, so rsa-sha2-512 first, then rsa-sha2-256 and then ssh-rsa. The first one available in both server and client will be used. Apparently some people must be explicitly defining only ssh-rsa in their ssh_config file with HostKeyAlgorithms.

If HostKeyAlgorithms is not specified in ssh_config then the default includes the sha2 options.

The only problem I can see when this default is implemented in the future is for people who have ssh clients where ssh-rsa has been explicitly specified without the sha2 variants in ssh_config. Then the negotiation between their client and the ipfire ssh server would fail. Updating their HostKeyAlgorithms line to include rsa-sha2-512 and rsa-sha2-256 would fix the problem and make their signature format much more secure.
Having said all the above, I think it would be good for someone else to also check this out to make sure that my interpretation and understanding is correct.

Regards,
Adolf.

On 29/09/2020 10:29, Michael Tremer wrote:
> Good morning Adolf,
>
> Thank you for working on this.
>
> Did you have a look at the changes regarding retiring support for RSA-SHA1? Does that affect us in any way?
>
> Best,
> -Michael
>
>> On 29 Sep 2020, at 08:21, Adolf Belka wrote:
>>
>> - Update openssh from version 8.3p1 to 8.4p1
>> See https://www.openssh.com/releasenotes.html
>> See https://www.openssh.com/portable.html#http for mirrors for source file
>> - No change to rootfiles
>> - Installed on virtual ipfire testbed and ssh connection successfully operated
>> Signed-off-by: Adolf Belka
>> ---
>> lfs/openssh | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 75210060e..5143f4154 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 8.3p1
>> +VER = 8.4p1
>>
>> THISAPP = openssh-$(VER)
>> DL_FILE = $(THISAPP).tar.gz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_MD5 = 68d7527bf2672153ca47402f6489a1af
>> +$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b
>>
>> install : $(TARGET)
>>
>> --
>> 2.28.0
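Review bot: the `VER` hunk bumps the package to 8.4p1 without any statement about the RSA-SHA1 (ssh-rsa) retirement that the linked release notes cover and that this thread asks about; please add a line to the commit message recording whether the shipped sshd configuration still accepts ssh-rsa signatures for existing clients, so the behaviour change (or its absence) is documented together with the update.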
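Review bot: in the `$(DL_FILE)_MD5` hunk the only integrity check on the new tarball is an MD5 digest, and MD5 is no longer collision-resistant, so a matching digest by itself does not establish that the source archive is genuine. Please note in the commit message that the 8.4p1 tarball was checked against the upstream OpenSSH release signature, and consider recording a SHA-256 digest alongside the MD5 if the lfs build system supports it.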
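The negotiation Adolf describes (the client's HostKeyAlgorithms list tried in order, the first entry the server also offers wins, failure if there is none) can be checked mechanically before ssh-rsa is retired. The following is an added example written for this thread, not OpenSSH's own code and not part of the IPFire patch. It models that rule, expands the `+`, `-` and `^` prefixes that OpenSSH accepts on HostKeyAlgorithms, and reports what a given ssh_config snippet would negotiate against an RSA-keyed server today and after ssh-rsa is dropped. The default list, the two server offer lists and the sample configs are constructed stand-ins (the real OpenSSH default is longer and version-dependent), and `Host`/`Match` scoping is ignored.

```python
"""Added example: model of SSH host-key signature algorithm negotiation.

Not OpenSSH code. DEFAULT_HOSTKEY_ALGS is a constructed, shortened stand-in
for the real client default; Host/Match blocks in ssh_config are ignored.
"""
import fnmatch

# Constructed abbreviated client default, in preference order (sha2 before sha1).
DEFAULT_HOSTKEY_ALGS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

# Constructed offer lists for an RSA-keyed server: today, and once ssh-rsa is retired.
SERVER_RSA_CURRENT = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
SERVER_RSA_NO_SHA1 = ["rsa-sha2-512", "rsa-sha2-256"]


def apply_hostkey_directive(value, default=DEFAULT_HOSTKEY_ALGS):
    """Expand a HostKeyAlgorithms value using OpenSSH's prefix rules:
    '+' appends to the default set, '-' removes entries (wildcards allowed),
    '^' puts the listed names at the head, and no prefix replaces the set."""
    algs = list(default)
    names = [n.strip() for n in value.lstrip("+-^").split(",") if n.strip()]
    if value.startswith("+"):
        return algs + [n for n in names if n not in algs]
    if value.startswith("-"):
        return [a for a in algs
                if not any(fnmatch.fnmatchcase(a, pat) for pat in names)]
    if value.startswith("^"):
        return names + [a for a in algs if a not in names]
    return names


def client_hostkey_algs(ssh_config_text):
    """Effective client list for an ssh_config snippet. As in OpenSSH, the
    first HostKeyAlgorithms directive wins; comments are stripped and both
    'Key value' and 'Key=value' spellings are accepted."""
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "hostkeyalgorithms" and len(parts) == 2:
            return apply_hostkey_directive(parts[1].strip())
    return list(DEFAULT_HOSTKEY_ALGS)


def negotiate(client_algs, server_algs):
    """RFC 4253 rule: the first algorithm in the client's list that the server
    also supports. None means the handshake would fail to negotiate."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def audit(ssh_config_text):
    """Report what a config negotiates now and after ssh-rsa is retired."""
    algs = client_hostkey_algs(ssh_config_text)
    return {
        "client": algs,
        "now": negotiate(algs, SERVER_RSA_CURRENT),
        "after_ssh_rsa_retired": negotiate(algs, SERVER_RSA_NO_SHA1),
    }


if __name__ == "__main__":
    # Constructed sample configs covering the cases discussed in the thread.
    samples = {
        "no directive (default)": "",
        "ssh-rsa only": "Host *\n    HostKeyAlgorithms ssh-rsa\n",
        "ssh-rsa plus sha2": "HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256\n",
        "default minus ssh-rsa": "HostKeyAlgorithms -ssh-rsa\n",
    }
    for name, text in samples.items():
        print(f"{name}: {audit(text)}")
```

Running it shows the two outcomes Adolf predicts: a client pinned to `ssh-rsa` alone negotiates today but gets `None` once the server stops offering it, while adding `rsa-sha2-512,rsa-sha2-256` to that line keeps the connection working. It also shows an ordering detail worth knowing when editing the line: because the client's order decides, `ssh-rsa,rsa-sha2-512,rsa-sha2-256` still picks the SHA1 signature against today's server, whereas `-ssh-rsa` or the untouched default picks `rsa-sha2-512` in both cases.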