OpenSSH -- This Is Your 3 Week Warning
The 7.0 release of OpenSSH, due for release in late July, will deprecate several features, some of which may affect compatibility or existing configurations. The intended changes are as follows:
- The default for the sshd_config(5) PermitRootLogin option will change from "yes" to "no".
- Support for the legacy version 1.x of the SSH protocol will be disabled at compile time by default.
- Support for the 1024-bit diffie-hellman-group1-sha1 key exchange will be run-time disabled by default.
- Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.
- Support for the legacy v00 cert format will be removed.
- Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
- All RSA keys smaller than 1024 bits will be refused (the current minimum is 768 bits).
Please check the final release notes for OpenSSH 7.0 when it is released.
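To find configurations that depend on the items above before upgrading, the following added example (not part of the original announcement or of OpenSSH) scans sshd_config or ssh_config text for directives that name them. The function name `audit_ssh_config`, its `server` flag and the sample configuration are assumptions made for illustration; RSA key sizes and v00 certificates are not visible in the configuration file and are not checked.

```python
import re

# Items the announcement lists as disabled by default in OpenSSH 7.0.
WEAK_KEX = "diffie-hellman-group1-sha1"
WEAK_CIPHER = re.compile(r"blowfish-cbc|cast128-cbc|arcfour.*|rijndael-cbc.*")
WEAK_KEYTYPE = re.compile(r"ssh-dss(-cert-.*)?")

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Protocol 2,1
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-ctr,arcfour256,blowfish-cbc
HostKeyAlgorithms ssh-rsa,ssh-dss
"""


def audit_ssh_config(text, server=True):
    """Return (line_no, message) findings; line 0 means 'directive absent'."""
    findings = []
    root_login_set = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" both occur.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        items = [v for v in re.split(r"[,\s]+", parts[1] if len(parts) > 1 else "") if v]
        if key == "permitrootlogin":
            root_login_set = True
        elif key == "protocol" and "1" in items:
            findings.append((no, "SSH protocol 1 enabled"))
        elif key == "kexalgorithms" and WEAK_KEX in items:
            findings.append((no, "kex " + WEAK_KEX))
        elif key == "ciphers":
            findings += [(no, "cipher " + c) for c in items if WEAK_CIPHER.fullmatch(c)]
        elif key == "hostkeyalgorithms":
            findings += [(no, "key type " + k) for k in items if WEAK_KEYTYPE.fullmatch(k)]
    # Only a server relies on the PermitRootLogin default that is changing.
    if server and not root_login_set:
        findings.append((0, "PermitRootLogin unset: default changes from yes to no"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_ssh_config(SAMPLE):
        print(f"line {no}: {msg}")
```

Pass `server=False` when checking a client ssh_config, where PermitRootLogin does not apply.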