OpenSSH Announces Plan to Phase Out DSA Keys

OpenSSH will disable DSA keys by default starting June 2024, with a complete removal slated for 2025.

In a move aimed at bolstering digital security, OpenSSH has announced its plan to phase out support for DSA keys, a decision informed by the algorithm’s inherent weaknesses and the evolution of more secure alternatives. But first, let’s shed more light on what DSA is for our readers.

DSA and Its Limitations

DSA, which stands for Digital Signature Algorithm, is a cryptographic algorithm for digital signatures and authentication and a key component in the SSHv2 protocol. However, its limitations have long been recognized, particularly its restriction to a 160-bit private key and reliance on the SHA1 digest.

These constraints limit its security to no more than the equivalent of 80 bits of symmetric encryption, a level considered insufficient in the current cybersecurity landscape.

Despite being the only mandatory-to-implement algorithm in the SSHv2 RFCs, mainly due to patent encumbrances on alternative algorithms when SSHv2 was developed, DSA has fallen behind more robust options like RSA, ECDSA, and EdDSA in terms of security and performance.

OpenSSH’s Timeline for DSA Removal

Of course, this will not happen overnight. Instead, OpenSSH has outlined a phased approach. Here is the plan:

  • March 2024 (Estimated): DSA will become optional at compile-time but enabled by default in the next OpenSSH release. This change allows users and distributors to assess the impact of DSA’s removal in their specific environments.
  • June 2024 (Estimated): A subsequent release will change the compile-time default to disable DSA. However, it will remain an option for those who require it.
  • Post-January 2025: The first release after January 1, 2025, will see the complete removal of DSA code from OpenSSH.

For users with devices that only support DSA, OpenSSH recommends maintaining a legacy release of the OpenSSH client, akin to the strategy adopted when SSHv1 protocol support was discontinued.
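One way to assess the impact described in the timeline above is to inventory DSA entries in authorized_keys and known_hosts files before the default changes. The Python script below is an added example, not code from OpenSSH or from the original article; it confirms each key type against the algorithm name stored inside the key blob, so a comment that merely mentions ssh-dss is not flagged. The sample entries, host names, and blobs are constructed placeholders, not real keys.

```python
import base64
import re
import struct

# A key-type token followed by a base64 blob (authorized_keys and known_hosts layout).
CANDIDATE = re.compile(r"(?:^|\s)([A-Za-z0-9@._-]+)\s+([A-Za-z0-9+/]+={0,2})(?=\s|$)")

def blob_algorithm(b64):
    """Return the algorithm name stored at the start of an SSH public key blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])  # wire format: uint32 length, then the name
    return raw[4:4 + n].decode("ascii", "replace") if 0 < n <= len(raw) - 4 else None

def key_type(line):
    """Key type of one entry, accepted only if the blob names the same algorithm."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for m in CANDIDATE.finditer(line):
        if blob_algorithm(m.group(2)) == m.group(1):
            return m.group(1)
    return None

def find_dsa(text):
    """Return (line_number, entry) for every entry carrying an ssh-dss key."""
    return [(i, l.strip()) for i, l in enumerate(text.splitlines(), 1)
            if key_type(l) == "ssh-dss"]

def _sample_blob(alg):
    # Constructed placeholder (algorithm name plus padding), not a usable key.
    name = alg.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + b"\x00" * 4).decode()

# Constructed sample: authorized_keys and known_hosts style lines mixed together.
SAMPLE = "\n".join([
    "# constructed sample entries",
    'command="/usr/bin/backup",no-pty ssh-dss %s backup@old-nas' % _sample_blob("ssh-dss"),
    "ssh-ed25519 %s alice@laptop" % _sample_blob("ssh-ed25519"),
    "switch01.example.net,192.0.2.10 ssh-dss %s" % _sample_blob("ssh-dss"),
    "ssh-rsa %s ssh-dss-replacement" % _sample_blob("ssh-rsa"),
])

if __name__ == "__main__":
    for number, entry in find_dsa(SAMPLE):
        print(number, entry[:60])
```

To audit real systems, pass the contents of each account's `~/.ssh/authorized_keys` and `~/.ssh/known_hosts` to `find_dsa`.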

Further discussions and inquiries about the DSA removal can be directed to the OpenSSH development mailing list or by contacting the developers directly.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
