
touch-packages team mailing list archive

[Bug 1445624] Re: Change SSH defaults to non-SHA-1 by 16.04

 

While this might initially seem prematurely early to end support
for SHA-1, it's the tail end of 16.04 LTS's support window that worries
me -- I suspect SHA-1 will feel less safe by 2021, but removing support
for it in an LTS release feels like the wrong approach.

We may also wish to consider what the server accepts and what the client
accepts separately if there's some class of devices that force using
SHA-1 in the meantime.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1445624

Title:
  Change SSH defaults to non-SHA-1 by 16.04

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  For Security reasons, the Ubuntu Distro should change SSH defaults to
  use non-SHA-1 by 16.04.  That is, to default to SHA2 and, ideally, not
  permit SHA1.  This may break bzr+ssh on LP if done before
  https://bugs.launchpad.net/launchpad/+bug/1445619

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445624/+subscriptions
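
The message above suggests considering what the server accepts and what the client accepts separately. The following is an added example, not part of the original message or the bug report: a small Python audit that lists SHA-1 based algorithms explicitly enabled in sshd_config and ssh_config text, reported per side. The sample configs and the host name legacy-switch are constructed, and counting ssh-rsa and ssh-dss as SHA-1 based is this example's assumption, made because their signatures use SHA-1.

```python
import re

# Real OpenSSH directives whose value is a comma-separated algorithm list.
ALGO_DIRECTIVES = {"kexalgorithms", "macs", "hostkeyalgorithms"}
# Key types whose signatures use SHA-1 although the name does not say so.
IMPLICIT_SHA1 = {"ssh-rsa", "ssh-dss"}

def sha1_algorithms(config_text):
    """Return {directive: [SHA-1 based algorithms enabled]} for one config."""
    findings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() not in ALGO_DIRECTIVES:
            continue
        key, value = parts[0], parts[1].strip()
        if value.startswith("-"):                    # "-list" removes from defaults
            continue
        names = [n.strip() for n in value.lstrip("+^").split(",")]
        hits = [n for n in names if "sha1" in n.lower() or n.lower() in IMPLICIT_SHA1]
        if hits:
            findings.setdefault(key, []).extend(hits)
    return findings

def audit(server_text, client_text):
    """Report server-side and client-side SHA-1 use separately."""
    return {"server": sha1_algorithms(server_text),
            "client": sha1_algorithms(client_text)}

# Constructed sample configs, not taken from any Ubuntu release.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
MACs hmac-sha2-256,hmac-sha2-512
"""
SAMPLE_SSH_CONFIG = """\
# constructed ssh_config
Host legacy-switch
    MACs hmac-sha2-256,hmac-sha1
    HostKeyAlgorithms +ssh-rsa
"""

if __name__ == "__main__":
    for side, found in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SSH_CONFIG).items():
        print(side, found or "no SHA-1 algorithms listed")
```

Only explicitly configured lists are checked; the effective defaults depend on the installed OpenSSH version, and the output of `sshd -T` or `ssh -G <host>` can be passed to the same function to audit them.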

