How to update ssh keys?
Preferred:
ssh keymaster.freebsd.org and follow the instructions.
- This allows you to do most simple updates yourself.
- Complex cases (e.g. custom from= restrictions) will not work; see the alternatives below.
- Wait at least 10 minutes for updates to propagate from LDAP to sshd.
Use ssh keycheck.freebsd.org to confirm that you are not depending on legacy protocols or legacy keys.
Alternatives:
Send an email message to accounts@FreeBSD.org that:
- is signed with the private key corresponding to the public key in the document;
- has your new key(s) attached;
- clearly states your intent (e.g., whether this is a complete key replacement, a partial one, or an addition);
- contains a hash (sha256 or md5) of each key that you intend to send.
- Fallback: Put your new keys in a file (e.g. ~/new-ssh-keys) on freefall, then send a message to accounts@ (as above, but without the attached key(s)).
- In desperation: Do the same sort of routine that new committers do: identify a committer who is willing to send the keys, and who is willing to vouch that the keys do actually correspond to you.
- Please be clear - if you want an additional key added, rather than deleting your old ones, be sure to say so.
NOTE:
The ssh-dss key support is disabled by default on newer openssh (and FreeBSD) in both the client and the server.
- To log in with a modern client you will need to enable DSA keys before it will even try, even if you specify a DSA key with -i explicitly. Without that setting it simply will not attempt the key.
To enable ssh-dss/DSA keys on the client: ssh -oHostKeyAlgorithms=+ssh-dss user@host.
You may also require -oKexAlgorithms=+diffie-hellman-group1-sha1.
Use ssh -v to debug your connection attempts before calling for help.
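The following is an added example, not part of this page or of the FreeBSD account tooling. It produces the per-key hashes the accounts@ mail asks for (in the notation ssh-keygen -l prints), checks that a key line was not mangled in transit, and flags the two cases discussed above: legacy ssh-dss keys and keys with from= restrictions that keymaster cannot apply. The sample key lines are constructed for the demonstration and are not real keys.

```python
import base64
import hashlib
import struct

LEGACY_TYPES = {"ssh-dss"}   # disabled by default in modern OpenSSH (see NOTE above)
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_pubkey_line(key_type: str, parts: list, options: str = "") -> str:
    """Assemble a public-key line from a constructed blob (sample input only)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(p) for p in parts)
    line = f"{key_type} {base64.b64encode(blob).decode()} sample@example"
    return f"{options} {line}" if options else line

def parse_pubkey_line(line: str) -> dict:
    """Split an authorized_keys-style line into options, type and decoded blob.
    Tokens before the key type are options (from=, no-pty, ...). The type embedded
    in the blob must match the declared one; a mismatch means a mangled key."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type/blob found")
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != tokens[idx]:
        raise ValueError(f"declared {tokens[idx]} but blob contains {embedded}")
    return {"options": " ".join(tokens[:idx]), "type": embedded, "blob": blob}

def fingerprints(blob: bytes) -> dict:
    """Hashes in ssh-keygen -l notation: SHA256:<unpadded b64> and MD5:aa:bb:..."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def review_key(line: str) -> dict:
    """Fields for the accounts@ mail plus the two warnings the page implies."""
    key = parse_pubkey_line(line)
    return {"type": key["type"], **fingerprints(key["blob"]),
            "legacy": key["type"] in LEGACY_TYPES,        # keycheck would flag it
            "needs_manual_request": bool(key["options"])}  # keymaster cannot apply from=

# Constructed sample lines (not real keys): plain ed25519, a from=-restricted one, a DSA one.
ED25519 = make_pubkey_line("ssh-ed25519", [bytes(range(32))])
RESTRICTED = make_pubkey_line("ssh-ed25519", [bytes(range(32))], 'from="*.freebsd.org",no-pty')
DSA = make_pubkey_line("ssh-dss", [b"\x00p", b"\x00q", b"\x00g", b"\x00y"])
```

Run review_key() over each line of your real ~/.ssh/*.pub and paste the sha256 (or md5) values into the mail; the values match what ssh-keygen -lf key.pub -E sha256 prints for the same file.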