News:OpenSSH 7 Disables DSA Keys By Default

From Funtoo

OpenSSH 7 Disables DSA Keys By Default

Please be aware of this important change to avoid getting locked out of your Funtoo server.

By Drobbins / October 7, 2015

Please be aware that OpenSSH 7 (now unmasked in funtoo-current) has disabled support for DSA keys by default, so that DSA keys cannot be used by an OpenSSH 7 client to log into a server, and DSA keys will not be accepted by an OpenSSH 7 server to allow logins from a client. This change was made by OpenSSH developers due to DSA keys being relatively weak compared to other options currently available.

DSA keys are typically stored in id_dsa and id_dsa.pub files. You can also check your ~/.ssh/authorized_keys file to determine if you are accepting a DSA key: DSA public keys begin with the string ssh-dss. Such keys will not be accepted by OpenSSH 7 with the default ssh/sshd config installed by the openssh ebuild.
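The check described above, written out as an added example (this script is not part of the Funtoo news item or the openssh ebuild). It assumes the standard ~/.ssh layout, matches the ssh-dss token anywhere on an authorized_keys line so that keys carrying leading options (from=, no-pty, ...) are not missed, and reports how many DSA keys a file holds so you know which users will be locked out after the upgrade. A second helper flags a ssh_config or sshd_config that explicitly re-enables ssh-dss through the PubkeyAcceptedKeyTypes directive, so hosts where the workaround was applied can be tracked for migration. The key files in the usage section are whatever exists on the machine; the sample data in the comments is constructed.

```shell
#!/bin/sh
# Added example: audit for DSA keys that OpenSSH 7 rejects by default.
# Assumption: keys live in ~/.ssh (authorized_keys, id_dsa.pub).

# Print the comment field of every ssh-dss key in a public-key file
# (authorized_keys or a single id_*.pub). Lines may start with options such as
# from="..." or no-pty, so the key type is matched as a token, not at column 0.
# Example input line (constructed): ssh-dss AAAAB3Nza... dsa-user@example
list_dss_keys() {
    awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        NF == 0          { next }          # skip blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") {
                    # the comment is everything after the base64 blob ($(i+1))
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                    print (c == "" ? "(no comment)" : c)
                    break
                }
            }
        }' "$1"
}

# Number of ssh-dss keys in a file; prints 0 when there are none.
count_dss_keys() {
    list_dss_keys "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if an ssh/sshd config re-enables DSA via
# PubkeyAcceptedKeyTypes (e.g. "PubkeyAcceptedKeyTypes +ssh-dss"), else exit 1.
# Hosts that match still log in with DSA keys and need a migration plan.
dss_reenabled() {
    grep -Eiq '^[[:space:]]*PubkeyAcceptedKeyTypes[[:space:]=].*ssh-dss' "$1"
}

# Usage: audit the current user's standard key locations (assumed layout).
for f in "$HOME/.ssh/authorized_keys" "$HOME/.ssh/id_dsa.pub"; do
    [ -f "$f" ] || continue
    n=$(count_dss_keys "$f")
    if [ "$n" -gt 0 ]; then
        echo "$f: $n DSA key(s) that OpenSSH 7 rejects by default"
        list_dss_keys "$f" | sed 's/^/  /'
    fi
done
for c in /etc/ssh/ssh_config /etc/ssh/sshd_config; do
    [ -f "$c" ] && dss_reenabled "$c" && echo "$c: ssh-dss explicitly re-enabled"
done
```

Run it as each user whose logins matter, or point `list_dss_keys` at every authorized_keys file under /home before upgrading. The config check deliberately only reports: leaving the workaround in place is a decision for the environments the announcement describes, but it should be a tracked one.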

Please see the following Gentoo news announcement for more detail, including instructions on how to re-enable DSA key support on both client and server via configuration file changes: https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

While it is not recommended to continue to use DSA keys, there are still some environments that will require DSA support to be re-enabled to ensure that users can connect via ssh after upgrading to OpenSSH 7. For these environments, it is recommended that you begin the process of migrating away from DSA keys for authentication.