OpenSSH Update: A Little Warning
Pat has started to push some updates in -current branch and while some of them are small updates such as file, sip and libjpeg-turbo, there's also quite a major improvements such as firefox 40 openssh 7.0.
Firefox 40 gave a lot of new features such as expanded malware protection, Improved scrolling, graphics, and video playback performance with off main thread compositing, and lots of new features for developers and users. See the release notes for more detailed information.
OpenSSH 7.0 is a major update compared to 6.9 and based on the release notes, it also introduce some incompatible changes such as:
They also gave early warning to users about future deprecations:
Firefox 40 gave a lot of new features such as expanded malware protection, Improved scrolling, graphics, and video playback performance with off main thread compositing, and lots of new features for developers and users. See the release notes for more detailed information.
OpenSSH 7.0 is a major update compared to 6.9 and based on the release notes, it also introduce some incompatible changes such as:
* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".
* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
They also gave early warning to users about future deprecations:
We plan on retiring more legacy cryptography in the next releaseIf you have been using SSH to securely connect to your machines remotely and the keys were generated in the past using a weak algorithm such as DSS, it would be wise to backup the .ssh directory and move it somewhere else and start generating your new key (RSA-based) and upload it to the server and update your key preferences or settings before attempting to upgrade your OpenSSH package. Failing to do so will block you to connect to the remote machine unless you have a normal password-based authentication. This will also affect for those who have been using git protocol to push or pull updates from and to git repository as they use ssh as the backend.
including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
* Several ciphers will be disabled by default: blowfish-cbc,
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
for AES.
* MD5-based HMAC algorithms will be disabled by default.