Re: Heads-up: DSA key support being removed from OpenSSH
Date: Thu, 10 Apr 2025 23:21:42 UTC
Two things.
a) Why remove the build config option?
I know the code is being removed at some point, but until it is, why not
leave it as an option (defaulted off)?
b) The reasons for not using it are clear. I have gear like that too.
Everyone does. But any of us that do need to speak to that old gear will
just have to install an old version of OpenSSH in order to do so.
It's no different than having to find (keep) an old piece of hardware
that has a real RS232 port on it (because the gear has a weird protocol
that a USB->Serial converter won't speak).
I have gear that is new and gear that is 20 years old. The hassle of
supporting old gear is one of the drives to renew it. It's life.
I don't agree with deprecating something just cause someone doesn't like
it but this is different and if we don't want or need to replace that
old gear then it's really up to us to find a fix. We can't expect the
devs to keep it in for the next 20 years. We want OpenSSH secure. If we
want/need to use an insecure key method then we should be fine using an
older less secure version.
Jim :-)
On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb [Re: Heads-up: DSA key support being removed from OpenSSH] wrote:
> On Thu, 10 Apr 2025, Ed Maste wrote:
>
> > On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp <crest@rlwinm.de> wrote:
> > >
> > > As long as it's "only" a compile-time option away for FreeBSD to enable
> > > this flawed cipher I would like to have it compiled in by default so it
> > > doesn't require installing SSH from ports to connect to some stupid old
> > > router/switch/UPS/whatever over SSH. As long as it won't negotiate that
> > > cipher with the default configuration that's safe enough for my needs.
> > >
> > It's a compile-time option in 9.9 and earlier. As of 10.0 the
> > configure infrastructure has been removed but the source hasn't yet
> > been deleted. I expect that will happen soon though.
> >
> > We'll keep DSA available, at least in stable branches, as long as it's
> > reasonably convenient and safe to do so, but won't patch it back in
> > once the source is removed.
>
> Do we have alternative ssh clients in ports which will keep supporting
> DSA?
>
> Lots of old switches out there belong in similar categories and the
> =+ssh-rsa,ssh-dss
>
> I think providing a list of alternative clients somewhere for our
> users who still need it would be very good. A wiki page or something
> so it can be easily maintained? Not endorsing anything just listing it.
>
--
Dr James Allen
Phi Network Systems
MBL : +44 (0) 7919 332 662
DLN : +44 (0) 28 9343 8236
TEL : +44 (0) 28 93 155 600
FAX : +44 (0) 28 93 155 601
SALES : +44 (0) 845 55 77 600
EMail : Jim.Allen@PhiNetworkSystems.co.uk
GPG-key :
https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi.gpg.asc
https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi_allkeys.gpg.asc
S/MIME certificate :
https://files.phinetworksystems.net/Downloads/jim.allen-at-phinetworksystems.co.uk.pem
SKI F3:C3:77:E8:B7:B0:40:48:BD:57:4B:95:99:71:A4:4C:1A:90:9C:67
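An added example (not from anyone in this thread): a small POSIX sh helper that checks whether the installed OpenSSH client still advertises ssh-dss, and that writes a per-host config stanza so DSA is only negotiated with one named legacy device rather than enabled globally. The host alias and address are constructed placeholders; `ssh -Q key`, `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms` are real OpenSSH options.

```shell
#!/bin/sh
# Return 0 if "ssh-dss" appears in the key-type list passed as $1
# (the list is the output format of `ssh -Q key`, one type per line).
dsa_in_keylist() {
    printf '%s\n' "$1" | grep -qx 'ssh-dss'
}

# Ask the local ssh binary which key types it was built with and
# report whether DSA is among them. Prints "dsa-builtin" or
# "dsa-absent"; prints "no-ssh" if no ssh client is on PATH.
check_local_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "no-ssh"
        return 1
    fi
    if dsa_in_keylist "$(ssh -Q key 2>/dev/null)"; then
        echo "dsa-builtin"
    else
        echo "dsa-absent"
    fi
}

# Emit a ssh_config stanza that re-enables DSA for exactly one host.
# The "+" form appends to the default list instead of replacing it,
# and nothing outside this Host block is affected.
# $1 = host alias used on the command line, $2 = real address.
legacy_host_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    HostKeyAlgorithms +ssh-dss\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-dss\n'
}

# Example usage with constructed values (append to ~/.ssh/config by hand):
#   legacy_host_stanza old-switch 192.0.2.10
```

The stanza only helps when `check_local_ssh` reports `dsa-builtin`; on a build where the DSA source has been removed the option is accepted but no DSA algorithm is ever offered.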