• [gentoo-dev] [PATCH] 2021-10-08-openssh-rsa-sha1: add news item

    From Mike Gilbert@21:1/5 to All on Tue Oct 5 19:50:01 2021
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    ---
    .../2021-10-08-openssh-rsa-sha1.en.txt | 26 +++++++++++++++++++
    1 file changed, 26 insertions(+)
    create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt

    diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    new file mode 100644
    index 0000000..cfdcc4a
    --- /dev/null
    +++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    @@ -0,0 +1,26 @@
    +Title: OpenSSH RSA SHA-1 signatures
    +Author: Mike Gilbert <floppym@gentoo.org>
    +Posted: 2021-10-08
    +Revision: 1
    +News-Item-Format: 2.0
    +Display-If-Installed: net-misc/openssh
    +
    +As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
    +hash algorithm by default. This change affects both the client and
    +server components.
    +
    +After upgrading to this version, you may have trouble connecting to
    +older SSH servers that do not support the newer RSA/SHA-256/SHA-512 +signatures. Support for these signatures was a
  • From Aaron W. Swenson@21:1/5 to Mike Gilbert on Tue Oct 5 22:40:03 2021
    I think it may be helpful to include the specific file(s) those options
    need to be added and to clarify whether they need to be added to the
    server host or the clients.

    Perhaps like so:

    hashes may be re-enabled on the server by adding the following config
    options to the end of /etc/ssh/sshd_config:

    WKR,
    Aaron

    Mike Gilbert <floppym@gentoo.org> writes:

    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    ---
    .../2021-10-08-openssh-rsa-sha1.en.txt | 26
    +++++++++++++++++++
    1 file changed, 26 insertions(+)
    create mode 100644
    2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt

    diff --git
    a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    new file mode 100644
    index 0000000..cfdcc4a
    --- /dev/null
    +++
    b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    @@ -0,0 +1,26 @@
    +Title: OpenSSH RSA SHA-1 signatures
    +Author: Mike Gilbert <floppym@gentoo.org>
    +Posted: 2021-10-08
    +Revision: 1
    +News-Item-Format: 2.0
    +Display-If-Installed: net-misc/openssh
    +
    +As of version 8.8, OpenSSH disables RSA signatures using the
    SHA-1
    +hash algorithm by default. This change affects both the client
    and
    +server components.
    +
    +After upgrading to this version, you may have trouble
    connecting to
    +older SSH servers that do not support the newer
    RSA/SHA-256/SHA-512
    +signatures. Support for these signatures was added in OpenSSH
    7.2.
    +
    +As well, you may have trouble using older SSH clients to
    connect to a
    +server running OpenSSH 8.8 or higher. Some older clients do not +automatically utilize the newer hashes. For example, PuTTY
    before
    +version 0.75 is affected.
    +
    +To resolve these problems, please upgrade your SSH
    client/server
    +whereever possible. If this is not feasible, support for the
    SHA-1
    +hashes may be re-enabled using the following config options:
    +
    +HostkeyAlgorithms +ssh-rsa
    +PubkeyAcceptedAlgorithms +ssh-rsa


    --
    Reservations and Reporting Technologist
    Great Smoky Mountains Railroad
    PO Box 1490
    Bryson City, NC 28713
    D: 828-488-7013
    M: 800-872-4681 x 214
    F: 828-488-0427
    P: 9B32 F2A4 8C1F F4E0 1E23 CEEA 2153 C852 F779 174F


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Mike Gilbert@21:1/5 to titanofold@gentoo.org on Tue Oct 5 23:10:02 2021
    On Tue, Oct 5, 2021 at 4:22 PM Aaron W. Swenson <titanofold@gentoo.org> wrote:


    I think it may be helpful to include the specific file(s) those options
    need to be added and to clarify whether they need to be added to the
    server host or the clients.

    Perhaps like so:

    hashes may be re-enabled on the server by adding the following config
    options to the end of /etc/ssh/sshd_config:

    I considered something similar, but decided that I don't really want
    to do that level of hand-holding.

    Re-enabling ssh-rsa should be a seldom-used workaround. I feel like
    people can read the manual if they really need to enable them. The
    point of the news item is really to alert folks so they don't spend
    hours scratching their heads over it.

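As an added example, not part of the thread or of the news item: a small audit of the workaround the news item quotes, showing what `HostkeyAlgorithms +ssh-rsa` and `PubkeyAcceptedAlgorithms +ssh-rsa` do to the effective algorithm list, and why appending them to the end of a file can silently do nothing, since OpenSSH keeps the first obtained value of each keyword. DEFAULT_ALGS is a constructed stand-in for the compiled-in default, the sample configs are constructed, and wildcard patterns and Host/Match blocks are out of scope.

```python
"""Audit an OpenSSH config for the RSA/SHA-1 (ssh-rsa) re-enable workaround."""
import re

# Constructed stand-in for the compiled-in OpenSSH 8.8 default (the real list
# is longer); the property that matters is that ssh-rsa is absent from it.
DEFAULT_ALGS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]
AUDITED = ("hostkeyalgorithms", "pubkeyacceptedalgorithms")

def first_values(config_text):
    """{keyword: value} for the audited keywords in the global section.
    OpenSSH keeps the first obtained value of a keyword and ignores later
    ones, so a line appended at the end of the file can be shadowed.
    Assumption: Host/Match blocks are out of scope and end the scan."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" / "Key=value"
        key = parts[0].lower()                           # keywords are case-insensitive
        if key in ("host", "match"):
            break
        if key in AUDITED and key not in found and len(parts) == 2:
            found[key] = parts[1].strip()
    return found

def effective_list(value, default=DEFAULT_ALGS):
    """ssh_config(5) prefix rules against the default list: '+' appends,
    '-' removes (exact names only, no wildcards), '^' prepends; no prefix
    replaces the whole list."""
    names = [a for a in value[1:].split(",") if a]
    if value.startswith("+"):
        return default + names
    if value.startswith("-"):
        return [a for a in default if a not in names]
    if value.startswith("^"):
        return names + default
    return value.split(",")

def sha1_rsa_enabled(config_text):
    """Map each audited keyword to True if ssh-rsa ends up negotiable."""
    values = first_values(config_text)
    return {k: "ssh-rsa" in (effective_list(values[k]) if k in values else DEFAULT_ALGS)
            for k in AUDITED}

# Constructed sample: the workaround from the news item appended at the end.
SAMPLE_WORKAROUND = "PermitRootLogin no\nHostkeyAlgorithms +ssh-rsa\nPubkeyAcceptedAlgorithms +ssh-rsa\n"
# Constructed sample: an earlier HostKeyAlgorithms line wins; the appended '+ssh-rsa' is ignored.
SAMPLE_SHADOWED = "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512\nHostKeyAlgorithms +ssh-rsa\n"
```

Running `sha1_rsa_enabled` over a real sshd_config or ssh_config is a quick way to confirm whether the workaround is actually in effect, or whether it was left behind after the older peer was upgraded.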
  • From Sam James@21:1/5 to All on Tue Oct 5 23:50:02 2021
    On 5 Oct 2021, at 18:43, Mike Gilbert <floppym@gentoo.org> wrote:

    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    ---
    .../2021-10-08-openssh-rsa-sha1.en.txt | 26 +++++++++++++++++++
    1 file changed, 26 insertions(+)
    create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt

    diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    new file mode 100644
    index 0000000..cfdcc4a
    --- /dev/null
    +++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    @@ -0,0 +1,26 @@
    +Title: OpenSSH RSA SHA-1 signatures
    +Author: Mike Gilbert <floppym@gentoo.org>
    +Posted: 2021-10-08
    +Revision: 1
    +News-Item-Format: 2.0
    +Display-If-Installed: net-misc/openssh
    +
    +As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
    +hash algorithm by default. This change affects both the client and
    +server components.

    lgtm


  • From David Seifert@21:1/5 to Mike Gilbert on Wed Oct 6 10:00:01 2021
    On Tue, 2021-10-05 at 13:43 -0400, Mike Gilbert wrote:
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    ---
     .../2021-10-08-openssh-rsa-sha1.en.txt        | 26 +++++++++++++++++++
     1 file changed, 26 insertions(+)
     create mode 100644 2021-10-08-openssh-rsa-sha1/2021-10-08-openssh- rsa-sha1.en.txt

    diff --git a/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-
    sha1.en.txt b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-
    sha1.en.txt
    new file mode 100644
    index 0000000..cfdcc4a
    --- /dev/null
    +++ b/2021-10-08-openssh-rsa-sha1/2021-10-08-openssh-rsa-sha1.en.txt
    @@ -0,0 +1,26 @@
    +Title: OpenSSH RSA SHA-1 signatures
    +Author: Mike Gilbert <floppym@gentoo.org>
    +Posted: 2021-10-08
    +Revision: 1
    +News-Item-Format: 2.0
    +Display-If-Installed: net-misc/openssh
    +
    +As of version 8.8, OpenSSH disables RSA signatures using the SHA-1
    +hash algorithm by default. This change affects both the client and
    +server components.
    +
    +After upgrading to this version, you may have trouble connecting to
    +older SSH servers that do not support the newer RSA/SHA-256/SHA-512 +signatures. Support for these signatures was added in OpenSSH 7.2.
    +
    +As well, you may have trouble using older SSH clients to connect to a +server running OpenSSH 8.8 or higher. Some older clients do not +automatically utilize the newer hashes. For example, PuTTY before
    +version 0.75 is affected.
    +
    +To resolve these problems, please upgrade your SSH client/server
    +whereever possible. If this is not feasible, support for the SHA-1
    +hashes may be re-enabled using the following config options:
    +
    +HostkeyAlgorithms +ssh-rsa
    +PubkeyAcceptedAlgorithms +ssh-rsa
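    Review bot: "whereever" on the `+whereever possible.` line is a typo for "wherever". The two option lines at the end of the hunk are given without saying which file they belong in, although the preceding paragraphs describe two distinct cases: a new client talking to an old server (the options belong in the client's ssh_config) and an old client talking to a server on 8.8 or later (they belong in sshd_config); one clause such as "in ssh_config on the client or sshd_config on the server" would settle that. Minor: the OpenSSH manual pages spell the keyword HostKeyAlgorithms; keywords are case-insensitive so `HostkeyAlgorithms` works, but matching the manual spelling makes the line easier to grep for later.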

    ship it!
