Re: Heads-up: DSA key support being removed from OpenSSH

On 10.02.25 17:57, Ed Maste wrote:
> Upstream OpenSSH has been working on deprecating DSA keys for some
> time, and I intend to follow suit in FreeBSD.
>
>  From the OpenSSH 9.8p1 release notes:
>
> ===
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs, mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
>
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA
> in OpenSSH to be justified and hope that removing it from OpenSSH
> can accelerate its wider deprecation in supporting cryptography
> libraries.
>
> This release, and its deactivation of DSA by default at compile-time,
> marks the second step in our timeline to finally deprecate DSA. The
> final step of removing DSA support entirely is planned for the first
> OpenSSH release of 2025.
> ===
>
> As part of the update to OpenSSH 9.8p1 I intend to disable DSA key
> support at compile time. I intend to make this change in main only,
> leaving DSA key support enabled in stable/14 and stable/13.
>
> The change is a trivial update in config.h -- https://reviews.freebsd.org/D48910

As long as it's "only" a compile-time option away for FreeBSD to enable 
this flawed cipher I would like to have it compiled in by default so it 
doesn't require installing SSH from ports to connect to some stupid old 
router/switch/UPS/whatever over SSH. As long as it won't negotiate that 
cipher with the default configuration that's safe enough for my needs.

TL;DR: Please keep it enabled it at compile-time, but configured 
disabled. FreeBSD shouldn't require recompiling the base system to 
connect to older embedded devices.