$ for keyfile in ~/.ssh/id_* do ssh-keygen -l -f "$" done | uniq You wouldn't want this type of key to unlock your front door, right? Really, it's unwise to follow instructions to change the configuration for PubkeyAcceptedKeyTypes or HostKeyAlgorithms (host keys are for a later post).Ĭompare DSA with the technology of locks using keys like this one. The sad thing about it is that I see posts on how to re-enable DSA key support rather than moving to a more secure type of key. It's plainly insecure and refused for valid reasons in recent OpenSSH versions (see also the changelog for 7.0). That's a key type similar to RSA, but limited to 1024 bits size and therefore recommended against for a long time.
If you've created your key using software released before 2013 with the default options it's probably insecure (RSA < 2048 bits).Įven worse, I've seen tweeps, colleagues and friends still using DSA keys ( ssh-dss in OpenSSH format) recently.
Generate any new key with ssh-keygen -o -a 100 -t ed25519, specify a strong passphrase and read further if you need a smooth transition.