Am 20.06.2018 um 15:12 schrieb Andreas Schneider: > On Tuesday, 19 June 2018 16:35:49 CEST Jakub Jelen wrote: >> On Thu, 2018-06-14 at 16:03 +0200, Andreas Schneider wrote: >>> [...] >>> >>> Looks like openssh removed support for ssh-dss. At least my openssh >>> 7.7 >>> doesn't know about it at all. >> >> The OpenSSH 7.7p1 still has the support for ssh-dss keys, but they are >> disabled by default for any use, unless you enable them using >> PubkeyAcceptedKeyTypes and friend configuration options. The reason why >> it is still there is probably because the DSA keys are mandatory part >> (REQUIRED) of RFC4253 (Section 6.6). >> >>> I would remove it from libssh after the release of 0.8 together with >>> SSHv1 >>> support. >>> >>> I think we can remove it from pkd already? Comments? >> >> Removing the ancient SSHv1, blowfish and other unreasonable algorithms >> makes sense for me. > > SSHv1 will be removed, the algorithms will not be compiled in by default but > still available. > > This should not affect connecting to RHEL5 as it support and uses rsa keys by > default. > > > Andreas >
If we are already tidying up: I suggest to also deprecate the insecure diffie-hellman-group1-sha1 kex algorithm [1] which is currently compiled in by default. Instead, maybe we should add curve25519-sha256 as an alias to the [email protected] kex as Aris' proposal is in the IETF standardization process [2] and OpenSSH has already adopted it in September 2016. [1] https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-10.html [2] https://tools.ietf.org/id/draft-ietf-curdle-ssh-curves-07.html Regards Tilo
