SSH keys that use DSA aren’t broken, but their days are numbered:
- SSH is tightly coupled to 1024-bit DSA keys: the ssh-dss format in RFC 4253 signs with SHA-1 according to FIPS 186-2, which capped DSA at 1024-bit p and a 160-bit q
- there’s more than one way to increase that limit in the wild, and no standard in sight
- DSA has more points of failure than RSA, and seems to be closer to broken: every signature needs a fresh, unpredictable nonce, and a reused or biased nonce leaks the private key, so a bad RNG on any host the key is ever used from is fatal, not just the one that generated it
- Debian has banned its developers from using them since 2008, after the Debian OpenSSL PRNG bug showed that a single signature from an affected host could expose a DSA key generated anywhere
- OpenSSH has disabled DSA by default in its client and server since 7.0 (2015)
Some ideas which may or may not be feasible:
- refuse to allow users to add SSH keys that use DSA
- use notifications to ask users with DSA keys to remove them
- disable DSA keys across the board at some point in the future
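The first two options need the same thing underneath: something that looks inside the key the user pasted rather than at its prefix, and a policy table that can grow. The following is an added example written for this post, not code from any SSH project; it parses the OpenSSH public key line format (`<type> <base64 blob> [comment]`, with the RFC 4251 string/mpint encoding inside the blob), refuses ssh-dss, and lists users who still hold such keys. The sample keys are constructed from made-up numbers with the same encoder, so they exercise the parser but are not real keys and would never authenticate.

```python
import base64
import struct

# Algorithms refused outright, with the reason shown to the user. Adding a second
# entry here is all it takes when the next algorithm reaches end of life.
REFUSED = {
    "ssh-dss": "DSA keys are limited to 1024-bit p and SHA-1 (RFC 4253, FIPS 186-2)",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an RFC 4251 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 'mpint' (two's complement)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:               # keep the sign bit clear for positive values
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def _read_mpint(blob: bytes, off: int):
    raw, off = _read_string(blob, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_public_key(line: str) -> dict:
    """Parse one authorized_keys / id_*.pub line into {type, bits, comment}.

    'bits' is the modulus size for RSA, the size of p for DSA, and None for
    types whose strength is not a key size (ssh-ed25519, ecdsa-sha2-*).
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as e:
        raise ValueError(f"bad base64: {e}") from None
    wire_type, off = _read_string(blob, 0)
    # The type inside the blob is what sshd actually acts on; the prefix is advisory.
    if wire_type.decode("ascii", "replace") != ktype:
        raise ValueError(f"prefix {ktype!r} does not match blob type {wire_type!r}")
    bits = None
    if ktype == "ssh-dss":
        p, off = _read_mpint(blob, off)        # fields: p, q, g, y
        bits = p.bit_length()
    elif ktype == "ssh-rsa":
        _e, off = _read_mpint(blob, off)       # fields: e, n
        n, off = _read_mpint(blob, off)
        bits = n.bit_length()
    return {"type": ktype, "bits": bits, "comment": comment}


def check_key(line: str) -> tuple:
    """Gate for option 1: return (accepted, reason) for a key a user wants to add."""
    try:
        key = parse_public_key(line)
    except ValueError as e:
        return False, f"invalid key: {e}"
    if key["type"] in REFUSED:
        size = f" ({key['bits']}-bit)" if key["bits"] else ""
        return False, f"{key['type']}{size} refused: {REFUSED[key['type']]}"
    return True, "accepted"


def users_to_notify(keys_by_user: dict) -> dict:
    """Option 2: map user -> comments of keys that would now be refused.

    Lines that do not parse are skipped: they never authenticated anyway.
    """
    hits = {}
    for user, lines in keys_by_user.items():
        for line in lines:
            try:
                key = parse_public_key(line)
            except ValueError:
                continue
            if key["type"] in REFUSED:
                hits.setdefault(user, []).append(key["comment"] or key["type"])
    return hits


def _fake_key(ktype: str, fields: list) -> str:
    """Build a syntactically valid key line from made-up field values (test data only)."""
    blob = _ssh_string(ktype.encode())
    for f in fields:
        blob += _ssh_mpint(f) if isinstance(f, int) else _ssh_string(f)
    return f"{ktype} {base64.b64encode(blob).decode()} user@example"


# Constructed samples: p is not prime and y is not a real public value.
SAMPLE_DSA = _fake_key("ssh-dss", [2**1023 + 1, 2**159 + 1, 2, 3])
SAMPLE_RSA = _fake_key("ssh-rsa", [65537, 2**2047 + 1])
SAMPLE_ED25519 = _fake_key("ssh-ed25519", [b"\x01" * 32])
# A DSA blob under an ssh-rsa prefix: only looking at the prefix would let it through.
SAMPLE_MISMATCH = "ssh-rsa " + SAMPLE_DSA.split()[1]

if __name__ == "__main__":
    for sample in (SAMPLE_DSA, SAMPLE_RSA, SAMPLE_ED25519, SAMPLE_MISMATCH, "garbage"):
        print(check_key(sample))
    print(users_to_notify({"alice": [SAMPLE_DSA, SAMPLE_RSA], "bob": [SAMPLE_ED25519]}))
```

The mismatch sample is the case worth keeping in a regression suite: a check that only inspects the `ssh-dss` prefix is trivially bypassed, because sshd reads the algorithm name from inside the blob and ignores the prefix.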
The third option should be done with caution, if at all: it could fuck the customer by breaking any automated processes they have that still rely on such keys, so it needs a long notice period and a way to see who is still using them.
Every cryptographic algorithm has a shelf life, and new flaws can bring an algorithm’s shelf life forward to $(date) in an instant. There might be some value in keeping some of this “key deprecation infrastructure” around — RSA, ECDSA, and Ed25519 will one day be in DSA’s shoes.