18

With the 8.2 release of OpenSSH, they have declared that ssh-rsa for SHA-1 will soon be removed from the defaults:

> Future deprecation notice
>
> It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the ssh-rsa public key signature algorithm that depends on SHA-1 by default in a near-future release.
>
> This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.

If I have (and might use, but not sure where) an ssh-rsa key, what are the next steps for me? Pretend I don't have another key yet.

  1. Generate new key(s?).
  2. Add new keys to known services.
  3. Rename old key so it does not get picked up automatically?
    • This is to nudge me when I try a server that used to work, so I add the new key.
  4. ???
Michael
  • Hm. Maybe it's wise to mention SHA-1 in the title of this question? Or is that too much of a clue to the answer? – Adam Katz Apr 03 '20 at 17:25
  • @AdamKatz As far as I knew at the time, _all_ `ssh-rsa` keys were SHA-1, since there are other RSA keys that explicitly mention their SHA algorithm. I suspect that people who are looking for this question will have the same misconception. – Michael Apr 03 '20 at 17:28
  • Yeah, that's what I was thinking. I was also sneaking in that note to sit right under the question so it's more visible to people who might panic when learning of this issue from your question. – Adam Katz Apr 03 '20 at 17:33
  • Cross link at [superuser](https://superuser.com/q/1556852/23156) – Michael Jun 02 '20 at 00:37

2 Answers

16

You don't need to do anything to your keys. From the same page that you quoted:

> The better alternatives include:
>
>   • The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

(Emphasis mine)

  • Oh, interesting. I thought since [`man ssh_config`](https://man.openbsd.org/ssh_config.5#HostKeyAlgorithms) listed (e.g.) `rsa-sha2-512` separately from `ssh-rsa` that I'd need to upgrade the keys. Am I wrong? – Michael Feb 19 '20 at 18:23
  • Yes. Even though they're different algorithms, they use the same keys. – Joseph Sible-Reinstate Monica Feb 19 '20 at 18:54
0

Later OpenSSH release notes are even more explicit that Joseph's answer is correct. See this from v8.7:

> Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.

Michael
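The distinction both answers draw, between the `ssh-rsa` key format and the signature algorithms that key can sign with, shown as an added example (not code from either answer or from OpenSSH). The function names are hypothetical, the sample key is constructed in code and is not a real RSA key, and the peer algorithm lists passed in are constructed inputs.

```python
import base64
import struct

# Signature algorithms one "ssh-rsa" format key can sign with (OpenSSH 8.7 notes
# quoted above), strongest first. Only the SHA-1 one is being disabled by default.
RSA_SIG_ALGS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def put_string(data):
    """Encode an RFC 4251 length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Decode one length-prefixed string; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_sample_line(bits=3072):
    """Constructed sample: right wire format, but the modulus is NOT a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    # Public exponent 65537, then the modulus with its mpint sign-padding byte.
    blob = put_string(b"ssh-rsa") + put_string(b"\x01\x00\x01") + put_string(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


def key_info(pub_line):
    """Return (key format, RSA modulus bits or None) for a .pub line without options."""
    label, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fmt, off = read_string(blob, 0)
    if fmt.decode("ascii") != label:
        raise ValueError("label does not match key blob")
    if label != "ssh-rsa":
        return label, None
    _e, off = read_string(blob, off)
    n, off = read_string(blob, off)
    return label, int.from_bytes(n, "big").bit_length()


def usable_sig_algs(pub_line, peer_algs, allow_sha1=False):
    """Signature algorithms this key can still use against a peer's supported list."""
    label, _bits = key_info(pub_line)
    # For non-RSA keys the signature algorithm name equals the key format name.
    own = RSA_SIG_ALGS if label == "ssh-rsa" else [label]
    return [a for a in own if a in peer_algs and (allow_sha1 or a != "ssh-rsa")]
```

An empty result from `usable_sig_algs` marks a peer that only offers SHA-1 signatures for RSA: there the same key stops working once `ssh-rsa` signatures are disabled, and the remedy is on the peer's side rather than a new key.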