Ubuntu
openssh package

Change SSH defaults to non-SHA-1 by 16.04

Bug #1445624 reported by Joey Stanford
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

For Security reasons, the Ubuntu Distro should change SSH defaults to use non-SHA-1 by 16.04. That is, to default to SHA2 and, ideally, not permit SHA1. This may break bzr+ssh on LP if done before https://bugs.launchpad.net/launchpad/+bug/1445619

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

While this might initially seem like prematurely early to end support for SHA-1, it's the tail end of 16.04 LTS's support window that worries me -- I suspect SHA-1 will feel less safe by 2021, but removing support for it in an LTS release feels like the wrong approach.

We may also wish to consider what the server accepts and what the client accepts separately if there's some class of devices that force using SHA-1 in the meantime.

Thanks

Revision history for this message
Colin Watson (cjwatson) wrote :

This is done in OpenSSH 7.0, but I plan to hold off on that for at least a while to see if we can get Twisted Conch beaten into shape to support SHA-2; the idea of spending months supporting people having to cope with configuration changes from the default Ubuntu installation in order to access Launchpad Bazaar/Git does not appeal ...

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.