In the old FreeBSD.org cluster, we had an NFS shared /etc/ssh-keys/$you file that you could read/write. The NFS share is gone and the Source of Truth for the keys is now our LDAP server instead.
OpenSSH has deprecated old, weak and broken keys and protocols, and the FreeBSD project tracked these changes. As a temporary grace period (where "temporary" turned out to be about one year), we relaxed the allowed protocols on certain cluster systems to include the deprecated keys and protocols. As explained in your developers@ email, if you relied on old keys, you must update them. If you ignored that email, you still have time to recover, but only through the methods below.
How does one update them?
Preferred:
ssh keymaster.freebsd.org and follow the instructions. This is the ONLY cluster system that still accepts the old keys/protocols.
- This allows you to do most simple updates yourself.
- Complex cases (e.g., custom from= restrictions) will not work; see the alternatives below.
- Wait at least 10 minutes for updates to propagate from ldap to sshd.
Use ssh keycheck.freebsd.org to confirm that you are not depending on legacy protocols or legacy keys.
Alternatives:
Send an email message to accounts@FreeBSD.org that:
- is signed with the PGP private key corresponding to the public key published in the Handbook;
- has your new key(s) attached;
- clearly states your intent (e.g., whether this is a complete key replacement, a partial one, or an addition);
- contains a fingerprint (sha256 preferred; md5 is also accepted) of each key you intend to send, so the recipient can confirm the attachment was not altered or truncated in transit.
- Fallback: Put your new keys in a file (e.g., ~/new-ssh-keys) on freefall, then send a message to accounts@ (as above, but without the attached key(s)).
- In desperation: Follow the same routine that new committers do: identify a committer who is willing to send the keys on your behalf, and who is willing to vouch that the keys do actually correspond to you.
- Please be clear - if you want an additional key added, rather than deleting your old ones, be sure to say so.
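Before pasting keys on keymaster or mailing them to accounts@, it helps to know which of your keys are actually legacy and to have their fingerprints ready. The script below is an added example and is not part of the cluster documentation or any FreeBSD tool: it parses an authorized_keys-style file (options field, key type, blob, comment), flags the ssh-dss key type that current OpenSSH rejects by default, and, when ssh-keygen is installed, prints sha256 fingerprints suitable for the accounts@ mail. The key blobs in SAMPLE_KEYS are constructed placeholders, not real keys; it assumes only POSIX sh and awk.

```sh
#!/bin/sh
# Added example (not from the FreeBSD cluster docs): audit an
# authorized_keys-style file for the legacy ssh-dss key type and
# print fingerprints for the accounts@ mail.
# Assumptions: POSIX sh + awk; ssh-keygen is optional (fingerprints only).

# Print the key-type token of one authorized_keys line, skipping any
# leading options field such as from="..." or no-pty. Prints nothing if
# no key type is found. (An options value that itself contains a
# whitespace-separated word starting with "ssh-" would confuse this.)
key_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i; exit }
    }'
}

# Classify a key type: "legacy" for ssh-dss (disabled by default since
# OpenSSH 7.0), "ok" for types current OpenSSH accepts by default,
# "unknown" otherwise. RSA key *length* is not checked here; use
# ssh-keygen -l (below) or keycheck.freebsd.org for that.
classify_key_type() {
    case "$1" in
        ssh-dss)                                    echo legacy ;;
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*|sk-*) echo ok ;;
        *)                                          echo unknown ;;
    esac
}

# Read authorized_keys lines on stdin; print "STATUS TYPE COMMENT" per
# key (blank and # lines skipped). Returns 1 if any key is legacy.
audit_keys() {
    found_legacy=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        type=$(key_type_of "$line")
        if [ -z "$type" ]; then
            echo "unknown (no key type) $line"
            continue
        fi
        status=$(classify_key_type "$type")
        [ "$status" = legacy ] && found_legacy=1
        # The comment is the token two past the key type (after the blob).
        comment=$(printf '%s\n' "$line" | awk -v t="$type" '{
            for (i = 1; i <= NF; i++) if ($i == t) { print $(i+2); exit } }')
        echo "$status $type ${comment:-(no comment)}"
    done
    return $found_legacy
}

# Print sha256 fingerprints for every key in the file given as $1, for
# the "hash of each key" line in the mail to accounts@. Needs ssh-keygen.
fingerprints_of() {
    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "ssh-keygen not found; cannot compute fingerprints" >&2
        return 2
    }
    ssh-keygen -l -E sha256 -f "$1"
}

# Constructed sample input: placeholder blobs, NOT real keys.
SAMPLE_KEYS='# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER you@laptop
from="*.freebsd.org",no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER you@old-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER you@desktop'

if printf '%s\n' "$SAMPLE_KEYS" | audit_keys; then
    echo "no legacy keys found"
else
    echo "legacy keys found: replace them via keymaster.freebsd.org" >&2
fi
```

Run it as `./audit-keys.sh` to see the sample classified, or feed your real file with `audit_keys < ~/.ssh/authorized_keys` and `fingerprints_of ~/.ssh/authorized_keys`; the non-zero exit status when a legacy key is present makes it usable from a shell one-liner or a cron check.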
NOTE:
ssh-dss (DSA) key support is disabled by default in OpenSSH 7.0 and later (and therefore in FreeBSD, which tracks it), in both the client and the server. OpenSSH 9.8 additionally disabled DSA at build time by default, and OpenSSH 10.0 removed it entirely; with such a client you cannot use a DSA key at all and must use the email alternatives above.
- To log in with a modern client you must explicitly re-enable DSA keys before it will even offer one.
- ... even if you specify a DSA key with -i explicitly. The client silently skips it.
To enable ssh-dss/DSA user keys on the client: ssh -oPubkeyAcceptedKeyTypes=+ssh-dss user@host (OpenSSH 8.5 and later renamed this option to PubkeyAcceptedAlgorithms). HostKeyAlgorithms=+ssh-dss is only needed if the server itself presents a DSA host key. Scope these options to a Host stanza for keymaster.freebsd.org in ~/.ssh/config rather than enabling weak algorithms for every host you connect to.
You may also need -oKexAlgorithms=+diffie-hellman-group1-sha1 if the server only offers that legacy key exchange.
Use ssh -v to debug your connection attempts before asking for help.
The OpenSSH legacy protocol documentation is at https://www.openssh.com/legacy.html