OpenSSH, the secure utility used to connect to and manage remote servers, has announced that it is dropping support for SHA-1 logins. The project has taken this decision because of the underlying insecurities in the scheme.
In a recent notice, OpenSSH announced that it is deprecating SHA-1 logins because of how easily the scheme can be breached. OpenSSH believes that better alternatives to SHA-1 are available that ensure better security.
OpenSSH helps users manage remote servers securely. The utility lets users connect to the server via private keys. One of these is stored with the user's OpenSSH client, whereas the other is with the corresponding server. OpenSSH uses algorithms (like SHA-1) to generate these keys for the users.
However, citing a recently published white paper, OpenSSH said that SHA-1 has become vulnerable to attacks. Hence, they have decided to disable the “ssh-rsa” mode in future releases.
As stated in their notice,
Hence, OpenSSH has suggested some better alternatives to SHA-1. These include:
- RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512, which work on the SHA-2 hash
- ssh-ed25519 signature algorithm
- RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521
OpenSSH has supported these algorithms for several releases. The RFC8332 RSA SHA-2 algorithms have been available since OpenSSH 7.2.
Thus, in future releases, OpenSSH will disable SHA-1 by default, while enabling users to switch to better algorithms automatically.
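To find servers that still depend on ssh-rsa before it is disabled, an administrator can inspect the host key algorithms a server advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The following is an added example, not code from OpenSSH or from the original article; the function names are hypothetical and the input is a constructed payload, not captured traffic.

```python
import struct

SSH_MSG_KEXINIT = 20
# Alternatives named in the article; none of them sign with SHA-1.
PREFERRED = {"rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists


def audit_host_key_algorithms(payload: bytes) -> dict:
    """Flag a server that offers none of the article's SHA-1-free alternatives."""
    offered = parse_kexinit(payload)["host_key"]
    modern = [alg for alg in offered if alg in PREFERRED]
    return {"offered": offered, "modern": modern,
            "offers_ssh_rsa": "ssh-rsa" in offered,
            "needs_upgrade": not modern}


def build_kexinit(host_key_algs: list) -> bytes:
    """Build a constructed KEXINIT payload for the demo (assumed sample values)."""
    names = [["curve25519-sha256"], host_key_algs, ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(n).encode("ascii") for n in names))
    # Trailer: first_kex_packet_follows = false, then the reserved uint32 0.
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


if __name__ == "__main__":
    for label, algs in (("legacy", ["ssh-rsa"]),
                        ("current", ["rsa-sha2-512", "ssh-rsa", "ssh-ed25519"])):
        print(label, audit_host_key_algorithms(build_kexinit(algs)))
```

A server whose report shows `needs_upgrade` as true advertises none of the alternatives listed above and will need new host keys or a newer SSH server before clients stop accepting ssh-rsa.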