<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/ssh/motd_ssh_dsa_warning.j2, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2025-09-17T19:49:34+00:00</updated>
<entry>
<title>ssh: T7839: add deprecation warning for DSA hostkey-algorithm usage</title>
<updated>2025-09-17T19:49:34+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-09-17T19:49:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6deda171e8b5f5a65101436399bdbb308179e076'/>
<id>urn:sha1:6deda171e8b5f5a65101436399bdbb308179e076</id>
<content type='text'>
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.

Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.

    DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
    be removed in VyOS 1.6. Please update affected keys to a supported
    algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
    failures after the upgrade. The following hostkey-algorithms are in
    use: ssh-dss, ssh-dss-cert-v01@openssh.com
</content>
</entry>
</feed>
