Messages of the Day

Subject: SSH DSA authorized keys
Date: Mon, Dec 02 2019 -- 11:48 AM
Posted by: Brian Marcotte

The following message was sent to the shell users affected back in
September.

If you didn't get said message, or want to be sure you're not affected,
please try logging into panix5.

--------------------------

We will soon be upgrading our shell hosts to NetBSD 8. As part of that
upgrade we will be upgrading our OpenSSH server to v7.6. And as part of
that upgrade, all support for "DSA" ssh keys is being removed. That's
because DSA is considered weak, and has been for a while.

For the curious, see

https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

which explains just how "weak" DSA is (or isn't). But beyond that, both
DSA and ECDSA are cryptographically suspect, so this seems a good time
to ban DSA.

Panix's host DSA keys were replaced a long time ago, but if you're still
using one to authenticate to Panix, you'll need to replace it now (or at
least supplement it) with an ed25519 key - or, if your ssh is too old
for ed25519, a >2048-bit RSA key. This upgrade will be done within a few
weeks. After the upgrade, you'll need to log in with a password if you
haven't replaced your key.

Please see the following page if you need help generating new keys.

https://www.panix.com/help/sshpk.html

As always, you can contact us at staff@panix.com if you need help -
though please make sure you've read the help page mentioned above first.
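
--------------------------

For readers who want to check their own authorized_keys file for the DSA keys this notice describes, the following is an added example, not part of the original message or of Panix's tooling. It parses each entry, flags "ssh-dss" keys, and also reports the modulus size of RSA keys, since the notice mentions RSA key size. The function names (fields, audit, entry, mpint) and the sample entries are assumptions constructed for this example.

```python
import base64
import struct

def fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    out, i = [], 0
    while i + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def audit(text):
    """Return (line_no, key_type, verdict) for each entry of authorized_keys text."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options (command="...") may precede the key type: find the type/blob pair.
        typ, f = None, []
        for cand, b64 in zip(tokens, tokens[1:]):
            try:
                got = fields(base64.b64decode(b64, validate=True))
            except ValueError:
                continue
            if got and got[0] == cand.encode():
                typ, f = cand, got
                break
        verdict = "ok" if typ else "unparsed"
        if typ == "ssh-dss":
            verdict = "DSA: replace or supplement this key"
        elif typ == "ssh-rsa" and len(f) >= 3:
            verdict = f"RSA {int.from_bytes(f[2], 'big').bit_length()} bits"
        results.append((no, typ, verdict))
    return results

# Constructed sample entries: well-formed blobs, not real keys.
def entry(typ, *parts, prefix=""):
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (typ.encode(), *parts))
    return f"{prefix}{typ} {base64.b64encode(blob).decode()} constructed@example"
def mpint(bits):
    return b"\x00" + (1 << (bits - 1) | 1).to_bytes(bits // 8, "big")

SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    entry("ssh-dss", mpint(1024), mpint(160), mpint(1024), mpint(1024)),
    entry("ssh-rsa", b"\x01\x00\x01", mpint(1024), prefix='command="/bin/date" '),
    entry("ssh-ed25519", bytes(32)),
])
```

To check a real file, pass its contents to audit(), for example audit(open(path).read()) with path set to your own authorized_keys location.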