36

With the 8.2 release of OpenSSH, they have declared that ssh-rsa for SHA-1 will soon be removed from the defaults:

Future deprecation notice

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the ssh-rsa public key signature algorithm that depends on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.

If I have (and might use, but not sure where) an ssh-rsa key, what are the next steps for me? Pretend I don't have another key yet.

So far, I've been supposing this process:

  1. Generate new key(s).
  2. Change to new keys for known services.
  3. Rename the old key(s) so they are not automatically offered to remotes.
    • Then when I try a server that used to work, it will reject me and I'll swap it to the replacement key.
  4. Anything else?
  • Hm. Maybe it's wise to mention SHA-1 in the title of this question? Or is that too much of a clue to the answer? Commented Apr 3, 2020 at 17:25
  • @AdamKatz As far as I knew at the time, all ssh-rsa keys were SHA-1, since there are other RSA keys that explicitly mention their SHA algorithm. I suspect that people who are looking for this question will have the same misconception. Commented Apr 3, 2020 at 17:28
  • Yeah, that's what I was thinking. I was also sneaking in that note to sit right under the question so it's more visible to people who might panic when learning of this issue from your question. Commented Apr 3, 2020 at 17:33
  • Cross link at superuser Commented Jun 2, 2020 at 0:37

3 Answers

30

You don't need to do anything to your keys. From the same page that you quoted:

The better alternatives include:

  • The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

(Emphasis mine)

  • Oh, interesting. I thought since man ssh_config listed (e.g.) rsa-sha2-512 separately from ssh-rsa that I'd need to upgrade the keys. Am I wrong? Commented Feb 19, 2020 at 18:23
  • Yes. Even though they're different algorithms, they use the same keys. Commented Feb 19, 2020 at 18:54
  • To check which signature algorithm is used for a key starting with ssh-rsa ..., put it into a file and run ssh-keygen -l -f on it. It will output e.g. 2048 SHA256:... Commented May 24, 2024 at 12:48
8

Later OpenSSH release notes are even more explicit that Joseph's answer is correct. See this from v8.7:

Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.
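The distinction drawn in the 8.7 release notes, as an added example (not code from the answers or from OpenSSH): a Python parser for a public key line that reads the key type and RSA modulus size from the blob and lists the signature algorithms that key type can sign with. The function names and the sample key are constructed here, and the parser assumes a line without an options prefix.

```python
import base64
import struct

# Key type -> signature algorithms it can sign with. The "ssh-rsa" row is the
# list quoted from the OpenSSH 8.7 release notes; only its last entry uses SHA-1.
SIG_ALGS = {"ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]}
SHA1_SIG_ALGS = {"ssh-rsa"}


def read_string(blob, off):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end


def inspect_pubkey(line):
    """Parse a '<type> <base64> [comment]' public key line (no options prefix)."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    raw_type, off = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != label:
        raise ValueError("text label does not match key type inside the blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = read_string(blob, off)       # public exponent
        n, off = read_string(blob, off)        # modulus
        bits = int.from_bytes(n, "big").bit_length()
    algs = SIG_ALGS.get(key_type, [])          # empty: type not covered here
    return {"key_type": key_type, "bits": bits, "sig_algs": algs,
            "without_sha1": [a for a in algs if a not in SHA1_SIG_ALGS]}


def constructed_rsa_line(bits=2048):
    """Build a sample line. Constructed for parsing only, not a usable key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(i):  # extra leading byte keeps the integer positive
        return field(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    print(inspect_pubkey(constructed_rsa_line()))
```

The blob carries only the key type, exponent and modulus; no hash algorithm is stored in the key, which is why the same key works with any of the three signature algorithms.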

1

What you can do as well is create yourself an ECDSA key, as suggested by OpenSSH 8.6:

The better alternatives include:

  • […]
  • The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.

$ ssh-keygen -t ECDSA

Copy it over to authorized_keys on the target machine:

$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub target_machine 

And bam! You should be able to connect again.
