SSH keys: refuse to add new DSA keys and suggest or push users with DSA keys to remove them

SSH keys that use DSA aren’t broken, but their days are numbered:

Some ideas which may or may not be feasible:

  • refuse to allow users to add SSH keys that use DSA
  • use notifications to ask users with DSA keys to remove them
  • disable DSA keys across the board at some point in the future

The third option should be done with caution if at all, or it could fuck the customer by breaking their automated processes, if they have any that rely on such keys.

Every cryptographic algorithm has a shelf life, and new flaws can bring an algorithm’s shelf life forward to $(date) in an instant. There might be some value in keeping some of this “key deprecation infrastructure” around — RSA, ECDSA, and Ed25519 will one day be in DSA’s shoes.
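
One way the three ideas above could share a single per-algorithm policy table, as an added example that is not code from this project. The stage names, `STAGE`, `decide` and `make_line` are hypothetical, and the sample keys are constructed blobs that carry only a type header, not real key material.

```python
import base64
import struct

# Assumed stages (hypothetical names): "ok", "deprecated" (no new keys,
# owners of existing keys get notified), "disabled" (refused everywhere).
STAGE = {
    "ssh-dss": "deprecated",
    "ssh-rsa": "ok",
    "ssh-ed25519": "ok",
    "ecdsa-sha2-nistp256": "ok",
    "ecdsa-sha2-nistp384": "ok",
    "ecdsa-sha2-nistp521": "ok",
}

def blob_key_type(blob: bytes) -> str:
    """Read the leading length-prefixed type string of an SSH public key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key type length")
    return blob[4:4 + n].decode("ascii")

def key_type(line: str) -> str:
    """Parse '<type> <base64> [comment]' and trust the blob, not the label."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)  # raises ValueError if invalid
    actual = blob_key_type(blob)
    if actual != fields[0]:
        raise ValueError(f"label {fields[0]!r} does not match blob type {actual!r}")
    return actual

def decide(line: str, existing: bool) -> str:
    """Return 'accept', 'notify' or 'reject' for a new or already-stored key."""
    stage = STAGE.get(key_type(line), "disabled")  # unknown algorithms are refused
    if stage == "ok":
        return "accept"
    if stage == "deprecated" and existing:
        return "notify"  # key keeps working; the owner is asked to replace it
    return "reject"

def make_line(label: str, embedded: str) -> str:
    """Constructed sample: a type header plus 32 zero bytes, not a usable key."""
    blob = struct.pack(">I", len(embedded)) + embedded.encode() + b"\x00" * 32
    return f"{label} {base64.b64encode(blob).decode()} constructed@example"
```

Moving an algorithm from "deprecated" to "disabled" in the table is the third option; the same table can later carry RSA, ECDSA or Ed25519 through the same stages.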

