Page MenuHomePhabricator
Create Task
Maniphest T311368

Deprecate use of ssh-rsa keys?
Closed, DuplicatePublicSecurity
Actions

Description

Noticed that I was having issues with an ssh-rsa key...

The RSA SHA-1 hash algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.
It seems this has happened for the ssh client in Ubuntu 22.04. The RSA public-private key pair is considered not safe any more.

I regenerated a new ssh-ed25519 for gerrit (and cloud stuff), and it works.

Pondering if we should more proactively be getting people to update use of old keys across the board

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Deutschland

Related Objects

Event Timeline

Reedy created this task.Jun 26 2022, 9:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 26 2022, 9:05 PM
Reedy added a project: SRE.Jun 26 2022, 9:05 PM

A quick look in the puppet repo in modules/admin/data/data.yaml shows 158 matches for ssh-rsa.

Lucas_Werkmeister_WMDE subscribed.EditedJun 27 2022, 8:12 AM

The ssh-rsa key exchange is deprecated, because it uses SHA-1. ssh-rsa keys are fine as long as they use a different key exchange algorithm, such as rsa-sha2-256 from RFC 8332, supported since OpenSSH 7.2. Also, I don’t think if YubiKeys support non-RSA keys; at least, I believe that’s why my own key is an RSA key.

sbassett assigned this task to Reedy.Jun 27 2022, 4:11 PM
sbassett subscribed.

Assigning to @Reedy for triage, during recent appsec clinic.

sbassett moved this task from Incoming to In Progress on the Security-Team board.Jun 27 2022, 4:11 PM
sbassett moved this task from In Progress to Back Orders on the Security-Team board.Jul 6 2022, 4:55 PM
MoritzMuehlenhoff subscribed.Sep 29 2022, 10:44 AM

This is a duplicate of the already public https://phabricator.wikimedia.org/T253824, so I think it can be closed/merged accordingly?

sbassett triaged this task as Medium priority.Sep 29 2022, 5:44 PM
sbassett closed this task as a duplicate of T253824: planned upstream deprecation of the ssh-rsa signing algorithm (RSA with SHA-1).
sbassett changed Author Affiliation from N/A to Wikimedia Deutschland.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Oct 17 2022, 4:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits