After years of forewarning, disable the RSA/SHA-1 signature algorithm

by default. It is feasible to create colliding SHA1 hashes, so we
need to deprecate its use.

RSA/SHA-256/512 remains available and will be transparently selected
instead of RSA/SHA1 for most SSH servers released in the last five+
years. There is no need to regenerate RSA keys.

The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
PubkeyAcceptedAlgorithms directives on the client and server.

ok dtucker deraadt

diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h
index f03b7df..6d79937 100644 (file)
--- a/usr.bin/ssh/myproposal.h
+++ b/usr.bin/ssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -46,7 +46,6 @@
        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
        "rsa-sha2-512-cert-v01@openssh.com," \
        "rsa-sha2-256-cert-v01@openssh.com," \
-       "ssh-rsa-cert-v01@openssh.com," \
        "ssh-ed25519," \
        "ecdsa-sha2-nistp256," \
        "ecdsa-sha2-nistp384," \
@@ -54,8 +53,7 @@
        "sk-ssh-ed25519@openssh.com," \
        "sk-ecdsa-sha2-nistp256@openssh.com," \
        "rsa-sha2-512," \
-       "rsa-sha2-256," \
-       "ssh-rsa"
+       "rsa-sha2-256"
 
 #define        KEX_SERVER_ENCRYPT \
        "chacha20-poly1305@openssh.com," \