OpenSSH 9.7 has been released, providing a client and server for the SSH 2.0 and SFTP protocols. This release introduces changes that signal the upcoming end of support for keys based on the DSA algorithm. OpenSSH 9.7 still allows DSA support to be enabled at compile time, but there are plans to disable DSA by default in the next release, scheduled for June. By the beginning of 2025, the DSA implementation will be completely removed from the code base.
Use of DSA keys was disabled by default in 2015, but the code was still compiled in by default, allowing users to re-enable DSA through configuration. DSA remains a mandatory-to-implement algorithm in the SSHv2 protocol for historical reasons involving patents and approval processes. However, with advancements in other algorithms like ECDSA and EdDSA, DSA’s relevance has diminished. The decision to remove DSA support aims to encourage the industry to move away from this outdated and less secure algorithm.
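Before the removal lands, it helps to know which accounts still list DSA keys. The script below is an added example, not code from the OpenSSH project: it scans files in authorized_keys format for entries whose key type is `ssh-dss` (the SSH name for DSA keys). The function names and the sample entries are constructed for illustration, and the key blobs are placeholders.

```shell
#!/bin/sh
# find_dsa_keys FILE...: report authorized_keys entries whose key type is DSA.
find_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            # Remove quoted option values (command="...", from="...") so text
            # inside an option is never mistaken for the key type.
            gsub(/"([^"\\]|\\.)*"/, "", line)
            n = split(line, f)
            for (i = 1; i <= n; i++) {
                # The first field that is a known key type ends the options.
                if (f[i] ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)(-cert-v01@openssh\.com)?$/) {
                    if (f[i] ~ /^ssh-dss/)       # plain DSA key or DSA certificate
                        printf "%s:%d: %s %s\n", FILENAME, FNR, f[i], f[i + 2]
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@example
ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER bob@example
command="echo ssh-dss is old",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER carol@example
from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER dave@example
EOF
}

# With arguments, scan the given files; without, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    find_dsa_keys "$@"
else
    tmp=$(mktemp) && sample_authorized_keys > "$tmp"
    find_dsa_keys "$tmp"
    rm -f "$tmp"
fi
```

Each reported line gives the file, line number, key type and key comment, which is enough to contact the key owner about replacing the key with an Ed25519 or ECDSA one.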
In addition to the DSA-related changes, OpenSSH 9.7 introduces a new type of timeout for ssh and sshd, set through the “ChannelTimeout” directive with the value “global”. With this setting, OpenSSH monitors all open channels and closes all of them if there is no activity within the specified interval. This streamlined approach improves efficiency, especially in scenarios involving multiple open channels, such as SSH sessions and X11 forwarding. The release also includes improvements for compatibility testing with PuTTY.