eworm

OpenSSH future RSA host key deprecation

Fri Feb 14, 2020 2:18 pm

Hello everybody,

Version 8.2 of the well-known OpenSSH has been released:
[openssh-unix-announce] Announce: OpenSSH 8.2 released

The announcement comes with a deprecation notice for RSA host keys as used with RouterOS:
Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.

* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.

* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf

So future versions of OpenSSH client will not support connecting to current RouterOS.

user@linux $ ssh -oHostKeyAlgorithms=-ssh-rsa admin@mikrotik
Unable to negotiate with 192.168.88.1 port 22: no matching host key type found. Their offer: ssh-rsa

Please implement other (host) key algorithms for SSH in RouterOS as soon as possible. Thanks!
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
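
The "Their offer" list in the error above is the server_host_key_algorithms name-list of the server's SSH_MSG_KEXINIT message (RFC 4253). As an added example, not part of the original post or of OpenSSH, this Python code parses that list from a KEXINIT payload and flags an offer that contains none of the alternatives named in the notice. The payloads are constructed samples, and `name_list`, `host_key_algorithms`, `classify` and `build_kexinit` are hypothetical names.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253
# The "better alternatives" named in the OpenSSH 8.2 notice quoted above.
BETTER = {"rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
          "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("name-list runs past end of payload")
    raw = buf[off + 4:end].decode("ascii")
    return (raw.split(",") if raw else []), end

def host_key_algorithms(payload):
    """Return server_host_key_algorithms from a KEXINIT payload (RFC 4253, 7.1)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    _kex, off = name_list(payload, 17)  # skip type byte and 16-byte cookie
    algos, _ = name_list(payload, off)  # second name-list is the host key offer
    return algos

def classify(algos):
    """'ok' if any SHA-2/EC/Ed25519 algorithm is offered, else flag ssh-rsa."""
    better = [a for a in algos if a in BETTER]
    if better:
        return "ok", better
    return ("sha1-only" if "ssh-rsa" in algos else "unknown"), []

def build_kexinit(host_key_algos):
    """Constructed sample payload; only the host key list varies."""
    def nl(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    lists = [["curve25519-sha256"], host_key_algos, ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    # type, zero cookie, ten name-lists, first_kex_packet_follows, reserved
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(nl, lists))
            + b"\x00" + bytes(4))

if __name__ == "__main__":
    for offer in (["ssh-rsa"], ["rsa-sha2-256", "ssh-rsa"]):
        print(offer, "->", classify(host_key_algorithms(build_kexinit(offer))))
```
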
 
eworm

Re: OpenSSH future RSA host key deprecation

Mon Feb 17, 2020 9:22 pm

Just had a closer look. Would be nice to have ssh-ed25519, but it's not a requirement. Support for rsa-sha2-512 and/or rsa-sha2-256 (defined in RFC8332) would be sufficient. Just ssh-rsa (which uses SHA1) is deprecated here. Sadly RouterOS supports the latter one only.
 
eworm

Re: OpenSSH future RSA host key deprecation

Tue Feb 18, 2020 10:58 am

Version 6.47beta35 adds support for rsa-sha2-256. Public key authentication does not work, though.
Thanks anyway!