OpenSSH, the remote login software, has announced a plan to discontinue support for DSA (Digital Signature Algorithm) login keys. OpenSSH has supported DSA keys since its inception in 1999, or 24 years ago. All of the DSA code will be removed by early 2025.
DSA was disabled by default in OpenSSH 7.0, released in 2015. In March, OpenSSH will add a compile-time option that lets distributions build a version without the DSA code. By mid-2021, this option will be set as the default. Finally, in the first version of 2025, this code will be completely removed.
DSA is a public/private key digital signature scheme that has been a NIST standard since 1991. It was designed by the NSA with a key size of 160 bits. However, due to the use of SHA-1 hashing, the overall strength is less than 80 bits, making it susceptible to key forgery.
OpenSSH has defaulted to creating RSA keys for a long time and recently changed the default to Ed25519. Removing the DSA code is unlikely to impact many users, except for those with very old servers.
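To find the keys this removal affects, the following added example (not part of the original article or of the OpenSSH project) scans authorized_keys or known_hosts style files for the `ssh-dss` key type and its certificate variant. The function names and the sample file, with placeholder key blobs, are constructed for illustration.

```shell
#!/bin/sh
# Added example: list DSA keys that will stop working once DSA support
# is removed from OpenSSH.

# find_dsa_keys FILE...
# Scans authorized_keys or known_hosts style files and prints
# "file:line:keytype:label" for each DSA key or DSA certificate.
# Exit status: 0 if any DSA key was found, 1 if none.
find_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            # The key type is not always field 1: authorized_keys lines may
            # begin with options, known_hosts lines with a host pattern.
            for (i = 1; i < NF; i++) {
                if (($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") &&
                    $(i + 1) ~ /^AAAA/) {
                    label = (i + 2 <= NF) ? $(i + 2) : "-"
                    printf "%s:%d:%s:%s\n", FILENAME, FNR, $i, label
                    found = 1
                    break
                }
            }
        }
        END { exit !found }
    ' "$@"
}

# Constructed sample input: the base64 blobs are shortened placeholders,
# not real keys. Writes the sample to the path given as $1.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, placeholder key blobs
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER backup@oldhost
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER cron@legacy
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@desk
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
find_dsa_keys "$sample" || echo "no DSA keys found"
rm -f "$sample"
```

Each reported entry needs a replacement key of a supported type, such as Ed25519, installed before the server or client is upgraded to a build without DSA.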
TLDR: OpenSSH announces the phased removal of support for DSA keys, with the complete removal scheduled for the first version of 2025. This change is expected to have minimal impact on most users.