[packages/openssh] allow dsa keys also client side, enable by default

Elan Ruusamäe glen at pld-linux.org
Tue Oct 6 10:08:15 CEST 2015

On 06.10.2015 10:57, Arkadiusz Miśkiewicz wrote:
> On Tuesday 06 of October 2015, glen wrote:
>> commit 0c97474bafebbdc86d13d41624a85cccc55c02e0
>> Author: Elan Ruusamäe <glen at delfi.ee>
>> Date:   Tue Oct 6 10:04:54 2015 +0300
>>      allow dsa keys also client side, enable by default
>>   openssh-config.patch | 6 ++++--
>>   openssh.spec         | 2 +-
>>   2 files changed, 5 insertions(+), 3 deletions(-)
> That change is harmful. With this change people won't notice that DSA is to be
> dropped, won't migrate from DSA keys and will end up with big problem when
> finally openssh team drops DSA support.
> Please revert it (at least revert on client side; server side could enable DSA
> keys for a while), so people WILL notice and will migrate to RSA/ECDSA keys.
shouldn't it be opposite?

a) allow in server
b) disable in client

then user will notice key does not work, but CAN do something about it 
clientside, log in with dsa key and add new rsa key there.
when server side disabled, user can't do anything without ssh server 
admin access. i'll assume here password auth is already off.


More information about the pld-devel-en mailing list