
With the 8.2 release of OpenSSH, they have declared that ssh-rsa for SHA-1 will soon be removed from the defaults:

Future deprecation notice

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the ssh-rsa public key signature algorithm that depends on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.

If I have (and might use, but not sure where) an ssh-rsa key, what are the next steps for me? Pretend I don't have another key yet.

So far, I've been supposing this process:

  1. Generate new key(s).
  2. Change to new keys for known services.
  3. Rename the old key(s) so they are not automatically offered to remotes.
    • Then when I try a server that used to work, it will reject me and I'll swap it to the replacement key.
  4. Anything else?
  • Hm. Maybe it's wise to mention SHA-1 in the title of this question? Or is that too much of a clue to the answer?
    – Adam Katz
    Commented Apr 3, 2020 at 17:25
  • @AdamKatz As far as I knew at the time, all ssh-rsa keys were SHA-1, since there are other RSA keys that explicitly mention their SHA algorithm. I suspect that people who are looking for this question will have the same misconception. Commented Apr 3, 2020 at 17:28
  • Yeah, that's what I was thinking. I was also sneaking in that note to sit right under the question so it's more visible to people who might panic when learning of this issue from your question.
    – Adam Katz
    Commented Apr 3, 2020 at 17:33
  • Cross link at superuser Commented Jun 2, 2020 at 0:37

3 Answers


You don't need to do anything to your keys. From the same page that you quoted:

The better alternatives include:

  • The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

(Emphasis mine)

  • Oh, interesting. I thought since man ssh_config listed (e.g.) rsa-sha2-512 separately from ssh-rsa that I'd need to upgrade the keys. Am I wrong? Commented Feb 19, 2020 at 18:23
  • Yes. Even though they're different algorithms, they use the same keys. Commented Feb 19, 2020 at 18:54
  • To check which signature algorithm is used for a key starting with ssh-rsa ..., put it into a file and run ssh-keygen -l -f on it. It will output e.g. 2048 SHA256:...
    – nh2
    Commented May 24 at 12:48

Later OpenSSH release notes are even more explicit that Joseph's answer is correct. See this from v8.7:

Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.
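To make the point of the two answers above concrete (the key blob carries no hash algorithm, and what `ssh-keygen -l` prints is a fingerprint of that blob), here is an added example that is not from the original thread. It builds an ssh-rsa public key line in OpenSSH wire format from a constructed, deliberately small modulus, parses it back, and computes the SHA256 fingerprint the way `ssh-keygen -l` does; all function names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample key (512-bit, NOT for real use) so this runs offline.
# Real keys are 2048+ bits, but the wire layout is identical.
SAMPLE_E = 65537
SAMPLE_N = int("C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
               "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)

def _mpint(x: int) -> bytes:
    """SSH mpint (RFC 4251 s5): big-endian, leading 0x00 if high bit set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s

def build_rsa_pubkey_line(e: int, n: int, comment: str = "demo") -> str:
    """authorized_keys line: 'ssh-rsa' + base64(string type, mpint e, mpint n)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length

def parse_pubkey_line(line: str) -> dict:
    """Decode a public key line. Note what is absent: any hash algorithm.
    The blob holds only the key type, e and n; ssh-rsa vs rsa-sha2-256/512
    is chosen per signature, so the same key serves all three."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != fields[0].encode():
        raise ValueError("key type prefix does not match blob")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA key material")
    n = int.from_bytes(n_raw, "big")
    # What `ssh-keygen -l` prints: SHA-256 over the raw blob, unpadded base64.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type.decode(), "e": int.from_bytes(e_raw, "big"),
            "n": n, "bits": n.bit_length(), "fingerprint": "SHA256:" + fp}
```

Feed `parse_pubkey_line` a line from your own `~/.ssh/id_rsa.pub` and the fingerprint matches `ssh-keygen -l -f ~/.ssh/id_rsa.pub`; the signature algorithm actually negotiated only shows up in `ssh -vv` output, not in the key.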


What you can do as well is create yourself an ECDSA key, as suggested by OpenSSH 8.6:

The better alternatives include:

  • […]
  • The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.

$ ssh-keygen -t ecdsa

Copy it over to authorized_keys on the target machine:

$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub target_machine

And bam! You should be able to connect again.

