Connecting to legacy servers with OpenSSH#
Phasing out legacy cryptographic algorithms can always be an interesting endeavor as terminating too early breaks stuff and too late can lead to a compromise. OpenSSH disabled Digital Signature Algorithm (DSA) with version 7.0 in March 2015 as 5 years earlier it was discovered that DSA was compromised and labeled as insecure. Normally this shouldn’t be a problem with a normal software life cycle, but sometimes you will encounter a legacy box that will not be upgraded as it will break things. Now it will stop new connections from being set up from being upgraded to machines as with SSH.
Their offer: ssh-dss
For an incidental connection from the command line, the algorithm can be enabled again to connect with a legacy machine.
$ ssh -o HostKeyAlgorithms=+ssh-dss [email protected]
For automated processed or when scripts can’t be modified a setting for OpenSSH can also be set in
$HOME/.ssh/config for the account depending on this option to be set.
Host server.example.org HostKeyAlgorithms=+ssh-dss
Re-enabling broken algorithms like DSA should only be done for a limited time and scope. In a lot of commercial environments, these algorithms aren’t allowed to be enabled again. Also in most cases, the code to run these obsolete algorithms can be removed in a later version as already is the case with SSL 3.0 and earlier for example.