Demystifying “ssh-rsa” in OpenSSH Deprecation Notice

Demystifying “ssh-rsa” in OpenSSH Deprecation Notice

OpenSSH is an implementation of the SSH 2 protocol by developers of the OpenBSD project. It is ubiquitous, and is the most widely deployed SSH software on servers. In the original SSH 2 protocol (RFC 4253), SHA1 was the recommended hashing algorithm.

OpenSSH is an implementation of the SSH 2 protocol by developers of the OpenBSD project. It is ubiquitous, and is the most widely deployed SSH software on servers. In the original SSH 2 protocol (RFC 4253), SHA1 was the recommended hashing algorithm. Since then, over the years through various updates, SHA2 is now recommended for Data Integrity Algorithms (RFC 6668), Key Exchange Algorithms (RFC 8268) and Public Key Algorithms (RFC 8332). While OpenSSH has added support for newer algorithms based on SHA2, it has to deprecate the older SHA1 based algorithms at some point. OpenSSH will be deprecating the public key algorithm “ssh-rsa” in a near-future release. The following notice has appeared in release notes since version 8.2,

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the “ssh-rsa” public key signature algorithm that depends on SHA-1 by default in a near-future release.

_[1] “SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust” Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf

SHA1 (Secure Hash Algorithm 1) was a widely used cryptographically secure hashing algorithm until it was broken for all practical purposes in 2017. Since then, there are ongoing efforts in the industry to move towards a secure algorithm such as SHA2. There is no single strategy here that can be adopted by all. To give a few examples, CA/Browser forum had been working on SHA1 deprecation in TLS certificates for years, the fact that TLS certificates had multi-year validity only complicating things. They have since reduced the lifetime of certificates to help manage future deprecations. Version control systems such as Git and Mercurial have their own short-term and long-term plans but the transition is far from complete.

Unless, you are using an implementation of SSH 2 protocol other than OpenSSH, you will likely not be affected and can safely ignore this deprecation notice.

open-source linux devops ssh cybersecurity

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

An Open-Source Book About the Open Source World

Open source today is a word that often include a lot of things, such as open knowledge (Wikimedia projects), open hardware (Arduino, Raspberry Pi), open formats (ODT/ODS/ODP) and so on.

Mitigating the Risks of Open Source Software in DevOps

Speed matters when developing and deploying new software, so developers rely on open source components. But what are the risks? And how do we mitigate risks?

List of Best Open Source DevOps Tools

Overview of Best open source DevOps Tools for Continuous Integration, Continuous Deployment, Continuous Delivery pipeline

Did Google Open Sourcing Kubernetes Backfired?

With Google not owning the trademarks or control for Kubernetes, it also provided a competitive edge to AWS, Microsoft, IBM etc.

How to Extend your DevOps Strategy For Success in the Cloud?

DevOps and Cloud computing are joined at the hip, now that fact is well appreciated by the organizations that engaged in SaaS cloud and developed applications in the Cloud. During the COVID crisis period, most of the organizations have started using cloud computing services and implementing a cloud-first strategy to establish their remote operations. Similarly, the extended DevOps strategy will make the development process more agile with automated test cases.