Important note for future FreeBSD base system OpenSSH update

Ed Maste emaste at freebsd.org
Thu Sep 9 18:02:33 UTC 2021 

We now have OpenSSH 8.7p1 in the base system and I will MFC it to
stable branches soon. (FIDO/U2F support is one of the most anticipated
new features available in this OpenSSH version, but it is not yet
enabled in the base system - additional work is ongoing.)

There is an important caveat to be aware of for the next base system
update though - I've reproduced it below (from OpenSSH's release
notes, https://www.openssh.com/releasenotes.html).

The notice includes a command to run to determine if a server will be
affected by this issue - I would appreciate it if folks can try it
with servers they use and report back, to help determine if this will
be an issue in practice and to help guide the next base system update.

Imminent deprecation notice
===========================

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm. It is
now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not
necessarily require cessation of use for RSA keys. In the SSH
protocol, keys may be capable of signing using multiple algorithms. In
particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256"
(RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1).
Only the last of these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user at host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to
assist the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020)
https://eprint.iacr.org/2020/014.pdf

More information about the freebsd-security mailing list