On Wed, Aug 12, 2015 at 11:17 PM, Mike Frysinger <vap...@gentoo.org> wrote: > --- > .../2015-08-13-openssh-weak-keys.en.txt | 26 > ++++++++++++++++++++++ > 1 file changed, 26 insertions(+) > create mode 100644 > 2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt > > diff --git > a/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt > b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt > new file mode 100644 > index 0000000..8dece5e > --- /dev/null > +++ b/2015/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt > @@ -0,0 +1,26 @@ > +Title: OpenSSH 7.0 disables ssh-dss keys by default > +Author: Mike Frysinger <vap...@gentoo.org> > +Content-Type: text/plain > +Posted: 2015-08-13 > +Revision: 1 > +News-Item-Format: 1.0 > +Display-If-Installed: net-misc/openssh > + > +Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has > +been disabled by default at runtime. If you rely on these key types, > +you will have to take corrective action or risk being locked out. > + > +Your best option is to generate new keys using newer types such as rsa > +or ecdsa or ed25519. RSA keys will give you the greatest portability > +with other clients/servers while ed25519 will get you the best security > +with OpenSSH (but requires recent versions of client & server). > + > +If you are stuck with DSA keys, you can re-enable support locally by > +updating your sshd_config file with a line like so: > + PubkeyAcceptedKeyTypes=+ssh-dss > + > +Be aware though that eventually OpenSSH will drop support for DSA keys > +entirely, so this is only a stop gap solution. > + > +More details can be found on OpenSSH's website: > + http://www.openssh.com/legacy.html > -- > 2.4.4 > >
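Review bot: The re-enable paragraph near the end of the news item names only sshd_config, while the opening paragraph warns readers about being locked out, which is what happens to someone whose own DSA key stops being accepted when they connect. State explicitly which side the "PubkeyAcceptedKeyTypes=+ssh-dss" line is meant for, and whether the client configuration needs a matching line, so a reader knows which file to edit on which machine. Since the text calls the setting a stopgap, it would also help to tell readers to remove the line once replacement keys are deployed; "stop gap" reads better as one word.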
Looks good to me, thanks for writing it.