Document how to enable DSA and our stance on it

Background

We don't really support SSH DSA keys because:

  • OpenSSH 7.0+ drops the default support for it

    OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option:

  • We do not bundle OpenSSH, nor do we provide sshd configuration in our Omnibus package. So this is out of our control with the Omnibus package.

  • We do provide an sshd config in our all-in-one Docker image. However, it uses ubuntu:16.04, which uses OpenSSH 7.2, and our sshd config doesn't enable DSA, meaning that it doesn't support DSA out of the box.

What we could do

  • Document how to enable SSH DSA keys with OpenSSH 7.0+ (it would be supported with OpenSSH 7.0- by default)
  • State that it's unsafe to use it and we don't support it out of the box
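
Before documenting either option, it helps to know which stored keys are DSA at all. The following is an added example, not code from this issue or from the project: it reads authorized_keys-style text and reports DSA keys by decoding the key blob rather than trusting the declared type. The function names and the sample data are assumptions, and the sample blobs are constructed stand-ins without real key material.

```python
import base64
import struct

# Key types that OpenSSH 7.0+ no longer accepts by default.
DSA_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}

def blob_key_type(b64):
    """Return the algorithm name held in the blob's first length-prefixed string."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or 4 + n > len(raw):
        raise ValueError("bad length prefix")
    return raw[4:4 + n].decode("ascii")

def find_dsa_keys(text):
    """Return (line_no, declared_type, blob_type) for every DSA key in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (possibly quoted, with spaces) may precede the key type, so take
        # the first field that decodes as a blob; the field before it is the type.
        for i in range(len(fields) - 1):
            try:
                blob_type = blob_key_type(fields[i + 1])
            except ValueError:
                continue
            if blob_type in DSA_TYPES:
                findings.append((line_no, fields[i], blob_type))
            break
    return findings

def _blob(key_type):
    # Constructed stand-in blob: type string plus filler instead of real key material.
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + b"\x00" * 8).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    f"ssh-rsa {_blob('ssh-rsa')} alice@laptop",
    f"ssh-dss {_blob('ssh-dss')} bob@oldbox",
    f'command="echo hi",no-pty ssh-dss {_blob("ssh-dss")} deploy@ci',
    f"ssh-ed25519 {_blob('ssh-dss')} mislabeled@host",
])
```

`find_dsa_keys(SAMPLE)` reports lines 2, 3 and 4, including the entry whose declared type does not match its blob.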