After years of forewarning, disable the RSA/SHA-1 signature algorithm
author djm <djm@openbsd.org>
Sun, 29 Aug 2021 23:53:10 +0000 (23:53 +0000)
committer djm <djm@openbsd.org>
Sun, 29 Aug 2021 23:53:10 +0000 (23:53 +0000)
commit e838ba44150ecbd4b1f78582b470915d172fa05c
tree b0a9d6db75ecc15816e6e1081db662cfc66a252f
parent f349952445262d441706031c6233ae63a0919ce1
After years of forewarning, disable the RSA/SHA-1 signature algorithm
by default. It is feasible to create colliding SHA1 hashes, so we
need to deprecate its use.

RSA/SHA-256/512 remains available and will be transparently selected
instead of RSA/SHA1 for most SSH servers released in the last five+
years. There is no need to regenerate RSA keys.

The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
PubkeyAcceptedAlgorithms directives on the client and server.

ok dtucker deraadt
usr.bin/ssh/myproposal.h
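
Because the commit message leaves a way to turn RSA/SHA-1 back on through PubkeyAcceptedAlgorithms, a configuration audit can flag where that has been done. The following is an added example, not part of this commit or of OpenSSH: the function names, the sample configuration and its host names are constructed for illustration. It also covers the older PubkeyAcceptedKeyTypes spelling and the "+", "-" and "^" list prefixes, which the commit message does not mention.

```python
import fnmatch

# Current option name plus the older spelling OpenSSH still accepts as an alias.
OPTION_NAMES = {"pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}
RSA_SHA1 = "ssh-rsa"  # the algorithm name given in the commit message

# Constructed sample configuration (hypothetical hosts), not taken from the commit.
SAMPLE = """\
# constructed sample
PubkeyAcceptedAlgorithms -ssh-rsa
Host legacy.example.org
    PubkeyAcceptedAlgorithms +ssh-rsa
Host old-*.example.org
    PubkeyAcceptedKeyTypes=ssh-ed25519,ssh-rsa
Host modern.example.org
    PubkeyAcceptedAlgorithms rsa-sha2-512,ssh-ed25519
"""


def enables_rsa_sha1(value):
    """True if this option value leaves ssh-rsa in the accepted set."""
    value = value.strip()
    if value.startswith("-"):  # "-list" only removes names from the defaults
        return False
    # "+list" appends to the defaults, "^list" prepends, a bare list replaces them.
    names = value.lstrip("+^").split(",")
    # Entries may be wildcard patterns; fnmatch approximates OpenSSH's matching.
    return any(fnmatch.fnmatchcase(RSA_SHA1, n.strip()) for n in names)


def audit(config_text):
    """Return (line_no, scope, value) for each line that re-enables ssh-rsa."""
    findings, scope = [], "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        # Keyword and value are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword in ("host", "match"):
            scope = f"{parts[0]} {value}"
        elif keyword in OPTION_NAMES and enables_rsa_sha1(value):
            findings.append((line_no, scope, value))
    return findings


if __name__ == "__main__":
    for line_no, scope, value in audit(SAMPLE):
        print(f"line {line_no} [{scope}]: RSA/SHA-1 re-enabled by '{value}'")
```

The audit reports each matching line on its own and does not model which value wins when several blocks apply to the same host.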