Change SSH defaults to non-SHA-1 by 16.04

Bug #1445624 reported by Joey Stanford on 2015-04-17
This bug affects 4 people

Affects: openssh (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

For security reasons, the Ubuntu Distro should change SSH defaults to use non-SHA-1 by 16.04. That is, to default to SHA2 and, ideally, not permit SHA1. This may break bzr+ssh on LP if done before https://bugs.launchpad.net/launchpad/+bug/1445619

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote:

While this might initially seem prematurely early to end support for SHA-1, it's the tail end of 16.04 LTS's support window that worries me -- I suspect SHA-1 will feel less safe by 2021, but removing support for it in an LTS release feels like the wrong approach.

We may also wish to consider what the server accepts and what the client accepts separately if there's some class of devices that force using SHA-1 in the meantime.

Thanks

Colin Watson (cjwatson) wrote:

This is done in OpenSSH 7.0, but I plan to hold off on that for at least a while to see if we can get Twisted Conch beaten into shape to support SHA-2; the idea of spending months supporting people having to cope with configuration changes from the default Ubuntu installation in order to access Launchpad Bazaar/Git does not appeal ...
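The following is an added example, not part of the bug report, of the Ubuntu openssh package, or of anything the commenters posted. It shows the configuration change the report asks for (a SHA-2-only KexAlgorithms/MACs setting) derived from the algorithm list a given OpenSSH build supports, and it keeps the client and server lists as separate inputs so the two sides can be treated differently, as the thread suggests. One caveat worth knowing before relying on the upstream change mentioned above: OpenSSH 7.0 disabled diffie-hellman-group1-sha1 and ssh-dss by default, but hmac-sha1 and diffie-hellman-group14-sha1 stayed in the default lists, so an explicit setting is still needed to exclude SHA-1 entirely. The algorithm lists below are constructed to resemble `ssh -Q kex` / `ssh -Q mac` output from an OpenSSH 7.x-era build; the allow-list regex is this example's own choice (it also drops MD5 and the 64-bit-tag umac-64 for the same reason).

```shell
#!/bin/sh
# Added example (not from the bug report or the Ubuntu openssh package):
# build SHA-1-free KexAlgorithms / MACs directives from the algorithms an
# OpenSSH build supports. On a real host, replace the constructed sample
# lists with the output of `ssh -Q kex` and `ssh -Q mac`.

# Constructed sample: what `ssh -Q kex` prints on an OpenSSH 7.x-era build.
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org'

# Constructed sample: what `ssh -Q mac` prints on the same build.
SAMPLE_MAC='hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com'

# sha1_free LIST: print, comma-joined and in the original preference order,
# the entries of a newline-separated algorithm list that are built on
# SHA-2 (or on Curve25519 / 128-bit UMAC, which do not involve SHA-1).
# Everything else (SHA-1, MD5, umac-64) is dropped. The allow-list regex
# is this example's own choice, not an OpenSSH-provided list.
sha1_free() {
    printf '%s\n' "$1" |
        grep -E 'sha2|sha256|sha384|sha512|curve25519|umac-128' |
        awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { if (NR) print "" }'
}

# contains_sha1 LIST: exit 0 if a SHA-1 algorithm is still present (the
# weak state the report wants removed), 1 otherwise. Run it on the raw
# `ssh -Q` output to see the problem and on the filtered list to confirm
# the fix.
contains_sha1() {
    printf '%s\n' "$1" | grep -qE 'sha1'
}

# render_directives KEX_LIST MAC_LIST: emit the two directives. The same
# lines are valid in /etc/ssh/sshd_config (what the server accepts) and
# /etc/ssh/ssh_config (what the client offers); pass different lists if
# one side must keep SHA-1 for a class of legacy devices.
render_directives() {
    rd_kex=$(sha1_free "$1")
    rd_mac=$(sha1_free "$2")
    printf 'KexAlgorithms %s\nMACs %s\n' "$rd_kex" "$rd_mac"
}

# Stand-alone run: show the weak state, then the hardened directives.
if contains_sha1 "$SAMPLE_KEX"; then
    echo "# supported kex list still includes SHA-1; hardened directives:"
fi
render_directives "$SAMPLE_KEX" "$SAMPLE_MAC"
```

After installing the directives, restart sshd and confirm from another host with `ssh -vv` that the negotiated kex and MAC are SHA-2 based; `nmap --script ssh2-enum-algos` against the server port lists what it still advertises. Keep a second session open while testing so a typo in the directive does not lock you out.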
