SMARTGIT CHANGE SSH KEY CODE
The hmac-sha1 message authentication code will be removed, as will all CBC ciphers ( aes256-cbc, aes192-cbc, and aes128-cbc). There are additional algorithms we’ll be removing for our SSH service. Keys with a valid_after date before the deadline (November 2, 2021) may continue to use SHA-1 signatures for the time being. SHA-1 is weak, so we’ll stop allowing new RSA client keys to use SHA-1 signatures and require them to use SHA-2 signatures instead. However, other clients only support the older SHA-1 signatures. Many SSH clients, including OpenSSH 7.2 and newer, support RSA with SHA-2 signatures (signature types rsa-sha2-256 and rsa-sha2-512), which are secure. RSA keys (you’ll see ssh-rsa in the public key) are stronger than DSA keys, but older Git clients may use them in combination with a dated signature algorithm that uses SHA-1. We’re also planning to remove support for our DSA host key. We feel confident that rejecting these keys altogether will increase security with little or no user friction. This is low (128-bit is fairly standard), and fewer than 0.3% of GitHub requests are still using DSA. Dropping old key typesĭSA keys offer only an 80-bit security level. What was considered secure in, say 2001, might no longer be acceptable today given changes in computing power, new attacks, and so on. “Fewer bits” generally means “easier to brute force,” and older algorithms have known attacks. Public key cryptography depends on secure algorithms and sufficiently strong keys to remain secure. These SSH changes, while unrelated on a technical level, are part of the same drive to keep GitHub’s customer data as secure as possible. We recently removed support for passwords over HTTPS. If you’re an SSH user, read on for the details and timeline. If your Git remotes start with nothing in this post will affect you. Only users connecting via SSH or git:// are affected.
Turning off the unencrypted Git protocol.Adding ECDSA and Ed25519 host keys for SSH.Removing some legacy SSH algorithms (HMAC-SHA-1 and CBC ciphers).Adding requirements for newly added RSA keys.We’re changing which keys are supported in SSH and removing unencrypted Git protocol. We expect very few people will notice these changes since we’re making them as seamless as possible, but still wanted to give plenty of notice. We’re making some changes to improve protocol security when you push or pull Git data. Hello from Git Systems, the team at GitHub that makes sure your source code is available and secure.
0 kommentar(er)
