Key point to avoid any confusion: This is about the RSA-SHA1 cipher combination. It does not mean that RSA is deprecated.
If you use an RSA key for SSH (server or client) you can continue using that.
This should not affect any modern-day SSH implementation, it will only cut off compatibility with SSH implementations not updated for a very long time.
To tag onto this, modern means OpenSSH 7.2 (released February 2016) or newer. Currently running an enterprise-wide SSH certificate service, and trying to push people along to update their old VMs in preparation for this deprecation.
I've been running with ssh-rsa disabled for a while (with a config based on https://infosec.mozilla.org/guidelines/openssh#modern-openss... ) and it's been pretty smooth. Support for better algorithms is widespread, with a few exceptions (like bazaar.launchpad.net).
One gotcha: OpenWrt does not enable ECDSA by default[1] and only recently enabled support for ed25519 by default.[2][3] It's available in release candidates for 21.02, but not in current stable releases. So if you're running a stable release you'll need to either add `PubkeyAcceptedKeyTypes +ssh-rsa` to your client ssh_config or use a custom build of OpenWrt with DROPBEAR_ECC or DROPBEAR_ECC_FULL enabled.
OpenSSH that ships with macOS doesn't support ECC keys loaded via PKCS#11, only RSA keys. This is the case even on Big Sur because though it ships OpenSSH 8.1p1 its linked against LibreSSL 2.7.3, which lacks support for delegating non-RSA signing operations. This is annoying if you're using an HSM or secure enclave via PKCS#11; for example the T2, which only supports ECDSA P-256.
There's nothing wrong with RSA keys. What's being disabled is the use of SHA-1 for signature hashing. SHA-2 works just fine and the same RSA keys continue working.
Agreed. I should have made my post clearer. OpenWrt does not suppport SHA-2 signature hashing or any of the newer key algorithms I mentioned, so you are stuck with RSA+SHA1.
5 comments
[ 5.7 ms ] story [ 28.0 ms ] threadIf you use an RSA key for SSH (server or client) you can continue using that.
This should not affect any modern-day SSH implementation, it will only cut off compatibility with SSH implementations not updated for a very long time.
One gotcha: OpenWrt does not enable ECDSA by default[1] and only recently enabled support for ed25519 by default.[2][3] It's available in release candidates for 21.02, but not in current stable releases. So if you're running a stable release you'll need to either add `PubkeyAcceptedKeyTypes +ssh-rsa` to your client ssh_config or use a custom build of OpenWrt with DROPBEAR_ECC or DROPBEAR_ECC_FULL enabled.
[1]: https://bugs.openwrt.org/index.php?do=details&task_id=786
[2]: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=d0...
[3]: https://bugs.openwrt.org/index.php?do=details&task_id=3216&s...
[4]: https://bugs.openwrt.org/index.php?do=details&task_id=3452
There's nothing wrong with RSA keys. What's being disabled is the use of SHA-1 for signature hashing. SHA-2 works just fine and the same RSA keys continue working.