Please add some future-proof hostkey algorithm(s)


This might become a more and more imminent issue in the not too distant future. With the recent openssh-8.2p1 release there's now the following release note:

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

So I tried to be proactive here and set this on all openssh servers I administer:

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

But none of these algorithms are known by ConnectBot. Please make at least one future-proof algorithm available in ConnectBot.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 8 (1 by maintainers)
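
The failure reported in this issue is a host key algorithm negotiation that finds no common name. The shell sketch below is an added example, not OpenSSH or ConnectBot code: it applies the RFC 4253 section 7.1 selection rule to the server list from the issue and to two constructed client lists, and flags names that still select RSA signatures over SHA-1, which includes `ssh-rsa-cert-v01@openssh.com`. The function names and both client lists are assumptions, and the key-exchange constraints on the choice are ignored.

```shell
#!/bin/sh
# Map a host key algorithm name to the signature family it selects.
# ssh-rsa and ssh-rsa-cert-v01@openssh.com both mean RSA signatures over SHA-1.
classify_alg() {
    case "$1" in
        ssh-rsa|ssh-rsa-cert-v01@openssh.com) echo rsa-sha1 ;;
        rsa-sha2-256*|rsa-sha2-512*)          echo rsa-sha2 ;;
        ssh-ed25519*)                         echo ed25519 ;;
        ecdsa-sha2-nistp*)                    echo ecdsa ;;
        *)                                    echo other ;;   # not classified here
    esac
}

# Print every SHA-1-dependent RSA name in a comma-separated list, one per line.
sha1_dependent() {
    _old_ifs=$IFS; IFS=,
    for _alg in $1; do
        if [ "$(classify_alg "$_alg")" = rsa-sha1 ]; then echo "$_alg"; fi
    done
    IFS=$_old_ifs
}

# RFC 4253 section 7.1, simplified: choose the first name on the client's list
# that the server also offers. Prints nothing and returns 1 if none is shared.
negotiate() {   # $1 = client list, $2 = server list
    _old_ifs=$IFS; IFS=,
    for _c in $1; do
        for _s in $2; do
            if [ "$_c" = "$_s" ]; then IFS=$_old_ifs; echo "$_c"; return 0; fi
        done
    done
    IFS=$_old_ifs
    return 1
}

# Server list: the HostKeyAlgorithms value quoted in the issue.
SERVER='ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'
# Constructed client lists (assumptions, not taken from any real client).
LEGACY_CLIENT='ssh-rsa,ssh-dss'
MODERN_CLIENT='ssh-ed25519,rsa-sha2-512,ssh-rsa'

echo "SHA-1 names still offered by the server: $(sha1_dependent "$SERVER")"
echo "legacy client picks: $(negotiate "$LEGACY_CLIENT" "$SERVER" || echo 'no common algorithm')"
echo "modern client picks: $(negotiate "$MODERN_CLIENT" "$SERVER")"
```
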

Top GitHub Comments

4 reactions
BenBergman commented, Mar 9, 2020

Adding support for the new U2F/FIDO keys would also be great (ideally both through NFC and USB).

1 reaction
normanr commented, Jun 18, 2022

Note: This has a pending work-around in #1105, it just needs to be merged.
