Re: Heads-up: DSA key support being removed from OpenSSH
- In reply to: Ed Maste : "Re: Heads-up: DSA key support being removed from OpenSSH"
Date: Sat, 10 May 2025 19:46:18 UTC
On Tue, 15 Apr 2025, Ed Maste wrote:

Hi,

just replying to the last email in the thread.

> On Thu, 10 Apr 2025 at 19:21, Dr Jim Allen
> <mail.lists@phinetworksystems.co.uk> wrote:
>>
>>
>> Two things.
>>
>> a) Why remove the build config option?
>> I know the code is being removed at some point, but until it is, why not
>> leave it as an option (defaulted off)?
>
> There's no user-facing interface to run upstream's configure script as
> part of the FreeBSD build system, so enabling DSA in the FreeBSD base
> system already required having a patched tree. Committing this removal
> now has no user-facing impact, but means that we can separately decide
> what to merge to stable branches: in particular, it is possible for us
> to merge 10.0p2 to stable branches with DSA support still present.

You have to love OpenBSD folks. They don't even make it graceful:

(made a sample config after hitting it for demonstration purposes)

~/.ssh/config line 6: Bad key types '+ssh-rsa,ssh-dss'.
~/.ssh/config: terminating, 1 bad configuration options

You need to edit all your config down and remove the now invalid key type
or you cannot ssh out to anything anymore. Could have ignored that Host
entry and be done...

Ed, I think it warrants an UPDATING entry...

That also means dedicated config files for main vs. stable machines for
the grace period we have to still be able to use an older version...
or concatenate two files depending on freebsd-version -u or other magic
as ssh -F they only accept the last given option as well and not multiple.
*sigh*

I assume
    alias ssh-dss ssh -F ~/.ssh/config.dss
or similar will do the job for now.

/bz

--
Bjoern A. Zeeb                                                     r15:7
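
An added example, not part of the original message: one way to produce a cleaned copy of an ssh_config-style file with the DSA key types dropped from its algorithm lists, so that a client without DSA support can still parse it. The function name strip_dss, the set of option names checked, and the sample config are assumptions of this example; quoted values and Include files are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite an ssh_config-style file
# so that DSA key types are dropped from algorithm lists.
# Assumption: only the option names listed in the awk BEGIN block are checked.

# strip_dss FILE -> cleaned config on stdout; one "line N:" note per change on stderr
strip_dss() {
    awk '
    BEGIN {
        n = split("hostkeyalgorithms pubkeyacceptedalgorithms pubkeyacceptedkeytypes hostbasedacceptedalgorithms hostbasedkeytypes", k, " ")
        for (i = 1; i <= n; i++) opt[k[i]] = 1
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        # keyword ends at the first blank or "="; comments and bare words pass through
        if (line ~ /^#/ || !match(line, /[ \t=]/)) { print; next }
        key = tolower(substr(line, 1, RSTART - 1))
        if (!(key in opt)) { print; next }
        val = substr(line, RSTART)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        pre = ""
        if (val ~ /^[-+^]/) { pre = substr(val, 1, 1); val = substr(val, 2) }
        m = split(val, a, ","); out = ""; hit = 0
        for (i = 1; i <= m; i++) {
            if (a[i] == "ssh-dss" || a[i] == "ssh-dss-cert-v01@openssh.com") { hit = 1; continue }
            out = out (out == "" ? "" : ",") a[i]
        }
        if (!hit) { print; next }
        print "line " NR ": removed DSA type" > "/dev/stderr"
        indent = $0; sub(/[^ \t].*$/, "", indent)
        # a list that named only DSA types is commented out rather than left empty
        if (out == "") print indent "# " line " (DSA only, disabled)"
        else print indent substr(line, 1, length(key)) " " pre out
    }' "$1"
}

# Constructed sample config (not from the post); the cleaned copy goes to stdout.
sample=$(mktemp)
printf '%s\n' 'Host legacy' '  HostKeyAlgorithms +ssh-rsa,ssh-dss' > "$sample"
strip_dss "$sample"
rm -f "$sample"
```

The original file is left untouched, so it can still be passed with ssh -F to an older client during the grace period.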