OpenSSH to deprecate SHA-1 logins due to security risk

Breaking a SHA-1-generated SSH authentication key now costs roughly $50,000, putting high-profile remote servers at risk of attacks.

OpenSSH SSH

OpenSSH, the most popular utility for connecting to and managing remote servers, has announced today plans to drop support for its SHA-1 authentication scheme.

The OpenSSH team cited security concerns with the SHA-1 hashing algorithm, currently considered insecure.

The algorithm was broken in a practical, real-world attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as they had the same SHA-1 file signature.

At the time, creating an SHA-1 collision was considered computationally expensive, and Google experts thought SHA-1 could still be used in practice for at least half a decade until the cost would go down.

However, subsequent research released in May 2019 and in January 2020, detailed an updated methodology to cut down the cost of an SHA-1 chosen-prefix collision attack to under $110,000 and under $50,000, respectively.

For advanced threat actors, such as nation-state and high-end cybercrime groups, $50,000 is a small price to pay if they could generate an SSH authentication key that grants them remote and undetected access to critical servers.

OpenSSH to disable "ssh-rsa" mode

"For this reason, we will be disabling the 'ssh-rsa' public key signature algorithm by default in a near-future release," OpenSSH developers said today.

The OpenSSH app uses the "ssh-rsa" mode to generate SSH authentication keys. One of these keys is stored on the server a user wants to log in, and the other is stored in the user's local OpenSSH client, allowing users to access servers without having to enter their passwords on every login, presenting the local authentication key instead.

By default, the OpenSSH ssh-rsa mode generates these keys by using the SHA-1 hashing function, meaning these keys are susceptible to SHAterred attacks, allowing threat actors to generate duplicate keys.

"This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs," OpenSSH devs said today.

The OpenSSH team is now asking server owners to check if their keys have been generated with the default ssh-rsa mode, and generate new ones using a different mode.

Recommended modes are rsa-sha2-256/512 (supported since OpenSSH 7.2), ssh-ed25519 (supported since OpenSSH 6.5) or ecdsa-sha2-nistp256/384/521 (supported since OpenSSH 5.7), the OpenSSH team said.

The OpenSSH project will by disabling the ssh-rsa mode by default in a future (currently unspecified) release, however, before that, they also plan to enable the UpdateHostKeys feature by default, to allow server owners to easily and automatically migrate from the old ssh-rsa mode to better authentication algorithms.

Server owners who rely on OpenSSH to manage remote systems can find additional details on how to test their server for weak SHA-1-based keys in the OpenSSH 8.3 changelog.

In a previous release, in version 8.2, the OpenSSH team also added support for FIDO/U2F-based hardware security keys, which can also be used to log into remote servers in even a safer manner.