After five months of development, OpenSSH 8.5 has been released, an open source client and server implementation of the SSH 2.0 and SFTP protocols.
The OpenSSH developers reminded users that algorithms based on SHA-1 hashes are about to be moved into the category of obsolete algorithms, because chosen-prefix collision attacks have become more practical (the cost of finding such a collision is estimated at about 50 thousand dollars). In one of the upcoming releases it is planned to disable by default the “ssh-rsa” public key signature algorithm, which is defined in the original SSH RFC and is still widely used in practice.
To check whether your systems still depend on ssh-rsa, try connecting with ssh using the “-oHostKeyAlgorithms=-ssh-rsa” option. Disabling “ssh-rsa” signatures by default does not mean RSA keys can no longer be used: besides SHA-1, the SSH protocol allows other hash algorithms for signatures. In particular, alongside “ssh-rsa” the “rsa-sha2-256” (RSA/SHA-256) and “rsa-sha2-512” (RSA/SHA-512) bindings remain available.
To smooth the transition to the new algorithms, OpenSSH 8.5 enables the UpdateHostKeys option by default, which lets clients switch to stronger algorithms automatically. This option enables the “hostkeys-00@openssh.com” protocol extension, which lets the server, once authentication has completed, inform the client about all of its available host keys. The client can record these keys in its ~/.ssh/known_hosts file, which allows host key updates to be organized and makes it easier to rotate keys on the server.
Use of UpdateHostKeys is limited by several caveats, which may be lifted in the future: the key must be listed in UserKnownHostsFile and not in GlobalKnownHostsFile; the key must be present under only one name; host key certificates must not be in use; known_hosts must not use hostname wildcards; the VerifyHostKeyDNS option must be disabled; and the UserKnownHostsFile option must be active.
Recommended algorithms for migration include rsa-sha2-256/512 based on RFC 8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC 5656 ECDSA (supported since OpenSSH 5.7).
Other changes: