• clusteradm
• ssh-keys

In the old FreeBSD.org cluster, we had an NFS shared /etc/ssh-keys/$you file that you could read/write. The NFS share is gone and the Source of Truth for the keys is now our LDAP server instead.

OpenSSH has deprecated old/weak/broken keys and protocols and the FreeBSD project tracked these changes. As a temporary grace period (where "temporary" was about one year), we relaxed the allowed protocols on the cluster to include the deprecated keys/protocols for certain systems. As was explained in your developers@ email, if you relied on old keys, you must update them. If you ignored the email, then .... You still have time to recover.

How does one update them?

Preferred:

• ssh keymaster.freebsd.org and follow the instructions. This is the ONLY cluster system that still accepts the old keys/protocols.

  • This allows you to do most simple updates yourself.
  • Complex cases (eg: custom from= restrictions) will not work, see alternatives below.
  • Wait at least 10 minutes for updates to propagate from ldap to sshd.

  • Use ssh keycheck.freebsd.org to confirm that you are not depending on legacy protocols or legacy keys.

Alternatives:

• Send an email message to accounts@FreeBSD.org that:

  • is signed with the private key corresponding to the public key in the Handbook;

  • has your new key(s) attached;
  • clearly states your intent (e.g., whether this is a complete key replacement, a partial one, or an addition);
  • contains a hash (sha256 or md5) of each key that you intended to send.
• Fallback: Put your new keys in a file (eg: ~/new-ssh-keys) on freefall, then send a message to accounts@ (as above, but without the attached key(s).
• In desperation: Do the same sort of routine that new committers do: identify a committer who is willing to send the keys, and who is willing to vouch that the keys do actually correspond to you.
• Please be clear - if you want an additional key added, rather than deleting your old ones, be sure to say so.

NOTE:

• The ssh-dss key support is disabled by default on newer openssh (and FreeBSD) in both the client and the server

• To log in with a modern client you will need to enable dsa keys before it will even try.
• .. even if you specify a dsa key with -i explicitly. It just won't even try it.

• To enable ssh-dss/DSA keys on the client: ssh -oHostKeyAlgorithms=+ssh-dss user@host

• You may also require -oKexAlgorithms=+diffie-hellman-group1-sha1

• use ssh -v to debug your connection attempts before calling for help.

• The openssh legacy protocol documentation is here