Date: Mon, 10 Feb 2025 20:55:09 GMT
Message-Id: <202502102055.51AKt9mK006563@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 0b707d5fe8b6 - main - ssh: Disable support for DSA keys
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0b707d5fe8b6b1920eb29c6375a6be92b7e44758

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=0b707d5fe8b6b1920eb29c6375a6be92b7e44758

commit 0b707d5fe8b6b1920eb29c6375a6be92b7e44758
Author:     Ed Maste
AuthorDate: 2025-02-09 20:41:12 +0000
Commit:     Ed Maste
CommitDate: 2025-02-10 20:54:25 +0000

    ssh: Disable support for DSA keys

    This is the upstream default -- from the 9.8p1 release notes:

        Future deprecation notice
        =========================

        OpenSSH plans to remove support for the DSA signature algorithm in
        early 2025. This release disables DSA by default at compile time.

        DSA, as specified in the SSHv2 protocol, is inherently weak - being
        limited to a 160 bit private key and use of the SHA1 digest. Its
        estimated security level is only 80 bits symmetric equivalent.

        OpenSSH has disabled DSA keys by default since 2015 but has retained
        run-time optional support for them. DSA was the only
        mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because
        alternative algorithms were encumbered by patents when the SSHv2
        protocol was specified.

        This has not been the case for decades at this point and better
        algorithms are well supported by all actively-maintained SSH
        implementations.
        We do not consider the costs of maintaining DSA in OpenSSH to be
        justified and hope that removing it from OpenSSH can accelerate its
        wider deprecation in supporting cryptography libraries.

        This release, and its deactivation of DSA by default at compile-time,
        marks the second step in our timeline to finally deprecate DSA. The
        final step of removing DSA support entirely is planned for the first
        OpenSSH release of 2025.

    ---

    The config.h comment /* DSA keys explicitly enabled */ is somewhat
    confusing, but this is what upstream's ./configure generates.

    Reviewed by:    jlduran
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D48910

--- crypto/openssh/config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h index aedacd88df10..29f73831ad7b 100644 --- a/crypto/openssh/config.h +++ b/crypto/openssh/config.h @@ -1977,8 +1977,8 @@ /* Define if you want to enable AIX4's authenticate function */ /* #undef WITH_AIXAUTHENTICATE */ -/* Define if to enable DSA keys. */ -#define WITH_DSA 1 +/* DSA keys explicitly enabled */ +/* #undef WITH_DSA */ /* Define if you have/want arrays (cluster-wide session management, not C arrays) */
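
Review bot: The replacement comment in the `@@ -1977,8 +1977,8 @@` hunk, `/* DSA keys explicitly enabled */`, sits directly above `/* #undef WITH_DSA */` and reads as the opposite of what the line does. The commit message explains that this is the text upstream's ./configure generates, so hand-editing it would make config.h diverge from the generated output; even so, anyone reading config.h without the log will be misled. Since the change carries "Relnotes: Yes", the release note should say plainly that DSA is now compiled out rather than merely off by default at run time, so that users do not go looking for a configuration option to turn it back on.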
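
With `WITH_DSA` undefined, entries of type `ssh-dss` stop being usable, so it helps to find them before upgrading. The following is an added example, not part of the commit or of OpenSSH or FreeBSD code: it scans authorized_keys-style text for DSA entries, checking both the key type field and the algorithm name embedded in the key blob. The function names and the sample entries are constructed for illustration.

```python
import base64
import re
import struct

# Key type names that rely on DSA support in OpenSSH.
DSA_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}
# One field: a non-space run in which quoted option values stay whole.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|\S)+')

def blob_type(b64):
    """Return the algorithm name stored at the start of a key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_dsa_keys(text):
    """Return [(line_number, comment)] for DSA entries in authorized_keys text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        f = FIELD.findall(line)
        if not f or f[0].startswith("#"):
            continue
        # The key type is field 0, or field 1 when an options field comes first.
        for i in range(min(2, len(f) - 1)):
            if f[i] in DSA_TYPES or blob_type(f[i + 1]) in DSA_TYPES:
                hits.append((no, " ".join(f[i + 2:])))
                break
    return hits

def fake_blob(name):
    """Constructed stand-in for a key blob: type string plus filler bytes."""
    body = struct.pack(">I", len(name)) + name.encode() + b"\x00" * 16
    return base64.b64encode(body).decode()

# Constructed sample; none of these are real keys.
SAMPLE = "\n".join([
    "# managed by hand",
    "ssh-ed25519 " + fake_blob("ssh-ed25519") + " alice@laptop",
    "ssh-dss " + fake_blob("ssh-dss") + " bob@old-workstation",
    'command="backup --all",no-pty ssh-dss ' + fake_blob("ssh-dss") + " backup job",
    "ssh-rsa " + fake_blob("ssh-rsa") + " carol@desk",
])

if __name__ == "__main__":
    for no, comment in find_dsa_keys(SAMPLE):
        print(f"line {no}: DSA key ({comment})")
```

The blob check also catches an entry whose type field has been edited to something else while the key material is still DSA.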