In the old FreeBSD.org cluster, we had an NFS shared /etc/ssh-keys/$you file that you could read/write. The NFS share is gone and the Source of Truth for the keys is now our LDAP server instead.
OpenSSH has deprecated old/weak/broken keys and protocols, and the FreeBSD project tracked those changes. As a temporary grace period ("temporary" turned out to be about one year), we relaxed the allowed protocols on certain cluster systems to include the deprecated keys/protocols. As explained in your developers@ email, if you relied on old keys you must update them. If you ignored that email, you still have time to recover.
How does one update them?
ssh keymaster.freebsd.org and follow the instructions. This is the ONLY cluster system that still accepts the old keys/protocols.
- This allows you to do most simple updates yourself.
- Complex cases (e.g. custom from= restrictions) will not work; see the alternatives below.
- Wait at least 10 minutes for updates to propagate from LDAP to sshd.
Use ssh keycheck.freebsd.org to confirm that you are no longer depending on legacy protocols or legacy keys.
Send an email message to accounts@FreeBSD.org that:
- is signed with the private key corresponding to your public key in the Handbook;
- has your new key(s) attached;
- clearly states your intent (e.g. whether this is a complete key replacement, a partial one, or an addition);
- contains a hash (sha256 or md5) of each key that you intended to send.
- Fallback: put your new keys in a file (e.g. ~/new-ssh-keys) on freefall, then send a message to accounts@ as above, but without the attached key(s).
- In desperation: do the same sort of routine that new committers do: identify a committer who is willing to send the keys on your behalf, and who is willing to vouch that the keys really do correspond to you.
- Please be clear: if you want an additional key added, rather than your old ones deleted, say so explicitly.
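The accounts@ message above needs three things that are easy to get subtly wrong: a type-checked copy of each public key, a fingerprint per key, and an unambiguous statement of intent. The following script is an added example (it is not cluster tooling and not part of the original page): it parses OpenSSH public key lines, checks that the type in front of the blob matches the type encoded inside it, prints SHA256 and MD5 fingerprints in the same form as `ssh-keygen -lf -E sha256` / `-E md5`, refuses ssh-dss keys outright, and assembles the plaintext body for you to sign with `gpg --clearsign` and send with the key files attached. The intent wording, the body layout and the `make_test_key_line` placeholder key (filler bytes, not a real key) are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Prepare the accounts@ message body for an SSH key change.

Added example; not FreeBSD cluster tooling. Sign the output with the PGP key
listed for you in the Handbook (e.g. `gpg --clearsign`) and attach the key
files themselves; the fingerprints let accounts@ check what they received.
"""
import base64
import hashlib
import struct

# Assumed wording; the page only requires that the intent be unambiguous.
INTENTS = {
    "replace-all": "REPLACE all of my existing keys with the attached key(s).",
    "replace-some": "REPLACE only the old keys listed below; keep my other keys.",
    "add": "ADD the attached key(s); keep all of my existing keys.",
}


def parse_pubkey_line(line):
    """Return (type, blob, comment) for one OpenSSH public key line.

    The base64 blob starts with a length-prefixed key type string, which must
    match the type written in front of it; a mismatch is almost always a
    copy-and-paste accident and would give accounts@ an unusable key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises ValueError if damaged
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    if n == 0 or len(inner) != n or inner.decode("ascii", "replace") != ktype:
        raise ValueError("declared type %r does not match the type inside the blob" % ktype)
    return ktype, blob, comment


def sha256_fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen prints it: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Legacy MD5 fingerprint (colon-separated hex), as `ssh-keygen -E md5`."""
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def build_message(username, intent, new_key_lines, retire=()):
    """Assemble the plaintext body to be PGP-signed and sent to accounts@.

    `retire` lists fingerprints of existing keys to remove (needed for a
    partial replacement so nobody has to guess which old keys you meant).
    """
    if intent not in INTENTS:
        raise ValueError("intent must be one of: %s" % ", ".join(INTENTS))
    if intent == "replace-some" and not retire:
        raise ValueError("replace-some needs the fingerprints of the keys to retire")
    keys = [parse_pubkey_line(l) for l in new_key_lines]
    if not keys:
        raise ValueError("no keys given")
    for ktype, _, _ in keys:
        if ktype == "ssh-dss":
            # DSA is exactly what this procedure is meant to get rid of.
            raise ValueError("ssh-dss keys are deprecated; generate a new key first")
    out = ["SSH key update for %s@FreeBSD.org" % username,
           "Intent: " + INTENTS[intent], "",
           "New key(s), attached; fingerprints:"]
    for ktype, blob, comment in keys:
        out.append("  %s  %s  %s %s" % (sha256_fingerprint(blob), md5_fingerprint(blob),
                                         ktype, comment or "(no comment)"))
    if retire:
        out += ["", "Old key(s) to retire:"] + ["  " + fp for fp in retire]
    out += ["", "Keys attached: %d" % len(keys)]
    return "\n".join(out) + "\n"


def make_test_key_line(ktype, comment):
    """Constructed placeholder (NOT a real key): the blob carries only the type
    string and 32 filler bytes, which is enough to exercise the parser."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode()
            + struct.pack(">I", 32) + b"\x42" * 32)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    # Real use: new_keys = open("/home/you/.ssh/id_ed25519.pub").read().splitlines()
    sample = [make_test_key_line("ssh-ed25519", "you@laptop-2016")]
    print(build_message("you", "add", sample))
```

Cross-check the printed SHA256 line against `ssh-keygen -lf -E sha256 ~/.ssh/id_ed25519.pub` before signing; if the two disagree, the key line you pasted is not the one in the file.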
ssh-dss (DSA) key support is disabled by default in newer OpenSSH (and FreeBSD), in both the client and the server.
- A modern client will not even try a DSA user key until you re-enable the algorithm.
- .. even if you name the DSA key explicitly with -i. ssh -v shows the key being skipped because it is not in PubkeyAcceptedKeyTypes.
To enable your ssh-dss/DSA user key on the client: ssh -oPubkeyAcceptedKeyTypes=+ssh-dss -i ~/.ssh/id_dsa user@host (OpenSSH 8.5 and later spell this option PubkeyAcceptedAlgorithms; the old name is still accepted as an alias). -oHostKeyAlgorithms=+ssh-dss is a separate option that only matters if the server itself presents a DSA host key.
You may also need -oKexAlgorithms=+diffie-hellman-group1-sha1 if the server only offers that key exchange.
Use ssh -v to debug your connection attempts before calling for help.
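The three "Unable to negotiate" / "Skipping ... key" messages that ssh -v prints each name the one algorithm the other side still wants, so the fix can be read straight off the log. The script below is an added example (not OpenSSH's code and not part of the original page): it matches those client messages, turns them into the -o options the page lists, and emits an equivalent ~/.ssh/config stanza so you can scope the legacy settings to one host instead of weakening every connection. The message patterns follow OpenSSH 7.x client wording; the sample log lines are constructed from two separate attempts (the key-exchange failure happens before authentication, so both would never appear in one run), and 192.0.2.10 is a documentation address.

```python
#!/usr/bin/env python3
"""Turn `ssh -v` output into the legacy options a client needs.

Added example; not OpenSSH or FreeBSD cluster tooling. Patterns follow the
OpenSSH 7.x client. OpenSSH 8.5+ renamed PubkeyAcceptedKeyTypes to
PubkeyAcceptedAlgorithms and still accepts the old name as an alias, so the
emitted option works on both.
"""
import re

# (regex over one ssh -v line, ssh option to extend). Group 1 of each regex is
# the algorithm (or comma list) the other side offered, which is exactly what
# gets appended with the "+" syntax.
RULES = [
    (re.compile(r"no matching key exchange method found\. Their offer: (\S+)"),
     "KexAlgorithms"),
    (re.compile(r"no matching host key type found\. Their offer: (\S+)"),
     "HostKeyAlgorithms"),
    (re.compile(r"Skipping (\S+) key \S+ - not in PubkeyAccepted(?:KeyTypes|Algorithms)"),
     "PubkeyAcceptedKeyTypes"),
]

# Constructed sample, modeled on real client messages, stitched from two runs:
# run 1 died in key exchange; run 2 (with the kex fix) skipped the DSA key.
SAMPLE_LOG = [
    "debug1: Connecting to 192.0.2.10 port 22.",
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "debug1: Skipping ssh-dss key /home/you/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes",
]


def diagnose(log_lines):
    """Map ssh -v output to {option: value_to_add}. Only what the log proves is
    needed gets enabled; anything else stays at the client's default policy."""
    needed = {}
    for line in log_lines:
        for rx, option in RULES:
            m = rx.search(line)
            if m:
                needed[option] = m.group(1)
    return needed


def ssh_command(host, needed, user=None):
    """One-off command line using the page's -oOption=+value form."""
    opts = " ".join("-o%s=+%s" % (k, v) for k, v in sorted(needed.items()))
    target = "%s@%s" % (user, host) if user else host
    return "ssh %s %s" % (opts, target) if opts else "ssh " + target


def ssh_config_stanza(host, needed):
    """Same settings as a per-host stanza, so they never apply to other hosts."""
    lines = ["Host %s" % host]
    for k, v in sorted(needed.items()):
        lines.append("    %s +%s" % (k, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    print(ssh_command("keymaster.freebsd.org", found, user="you"))
    print(ssh_config_stanza("keymaster.freebsd.org", found))
```

Run it as `ssh -v keymaster.freebsd.org 2>&1 | python3 thisfile.py` after replacing `SAMPLE_LOG` with `sys.stdin` lines; keep the stanza limited to `Host keymaster.freebsd.org`, since re-enabling ssh-dss or group1 globally undoes the deprecation on every host you connect to.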
The OpenSSH legacy protocol documentation is here.