GitHub introduced new requirements for remote Git connections

A few days ago GitHub announced a number of changes to its service aimed at tightening the Git protocol, which is used during git push and git pull operations over SSH or the "git://" scheme.

It is mentioned that requests via https:// will not be affected, and that once the changes take effect, at least OpenSSH version 7.2 (released in 2016) or PuTTY version 0.75 (released in May of this year) will be required to connect to GitHub via SSH.

For example, the SSH clients shipped with CentOS 6 and Ubuntu 14.04, both of which have already been discontinued, will no longer be able to connect.

Hello from Git Systems, the GitHub team that makes sure your source code is available and secure. We are making some changes to improve the security of the protocol when you enter or extract data from Git. We hope that very few people will notice these changes, as we are implementing them as smoothly as possible, but we still want to give much advance notice.

Basically, the changes boil down to discontinuing support for unencrypted Git access over "git://" and tightening the requirements for the SSH keys used when accessing GitHub. The aim is to improve the security of the connections users make, since GitHub mentions that the way they were being made is already obsolete and insecure.

GitHub will drop support for all DSA keys and for legacy SSH algorithms such as the CBC ciphers (aes256-cbc, aes192-cbc, aes128-cbc) and HMAC-SHA-1. New requirements are also introduced for newly added RSA keys (signing with SHA-1 will be prohibited), and ECDSA and Ed25519 host keys are being added.

What is changing?
We are changing which keys are SSH compliant and removing the unencrypted Git protocol. Specifically we are:

Removing support for all DSA keys
Adding Requirements for Newly Added RSA Keys
Removal of some legacy SSH algorithms (HMAC-SHA-1 and CBC ciphers)
Add ECDSA and Ed25519 host keys for SSH
Disable unencrypted Git protocol
Only users connecting via SSH or git:// are affected. If your Git remotes start with https://, nothing in this post will affect it. If you are an SSH user, read on for the details and schedule.

We recently stopped supporting passwords over HTTPS. These SSH changes, while technically unrelated, are part of the same drive to keep GitHub customer data as secure as possible.

The changes will be rolled out gradually: the new ECDSA and Ed25519 host keys will be generated on September 14, and support for RSA key signing using the SHA-1 hash will be discontinued on November 2 (previously generated keys will continue to work).

On November 16, support for DSA-based host keys will be discontinued. On January 11, 2022, as an experiment, support for the older SSH algorithms and for unencrypted access will be temporarily suspended. On March 15, support for the legacy algorithms will be permanently disabled.

It is also worth noting that the OpenSSH code base has already been changed to disable RSA key signing with the SHA-1 hash ("ssh-rsa") by default.

Support for signatures hashed with SHA-256 and SHA-512 (rsa-sha2-256 / rsa-sha2-512) remains unchanged. Support for "ssh-rsa" signatures is being ended because chosen-prefix collision attacks against SHA-1 have become more effective (the cost of finding such a collision is estimated at about $50).

To check whether ssh-rsa is being used on your systems, you can try connecting with ssh using the option "-oHostKeyAlgorithms=-ssh-rsa".
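As an added example (not code from the article or from GitHub), the following POSIX shell functions turn the requirements above into checks a user can run against their own client: the OpenSSH 7.2 minimum, the key types being dropped, and ssh_config pins on the CBC ciphers or HMAC-SHA-1 being removed. All sample values in the comments are constructed; the real inputs are `ssh -V`, the `~/.ssh/*.pub` files and `~/.ssh/config`.

```shell
#!/bin/sh
# Local "am I affected?" checks for the GitHub SSH changes described above.
# Added example, not code from the article or from GitHub; the version
# threshold (OpenSSH 7.2) and the dropped key/algorithm names come from the
# article, and every sample input mentioned below is constructed.

# Returns 0 if an "ssh -V" banner reports OpenSSH 7.2 or newer.
# Real use: ssh_version_ok "$(ssh -V 2>&1)"   (ssh -V prints to stderr)
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1            # not an OpenSSH banner at all
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 2 ] && return 0
    return 1
}

# Classifies the key type (first field of an id_*.pub line):
#   drop    DSA: GitHub stops accepting it outright
#   sha2    RSA: still accepted, but the client must sign with
#           rsa-sha2-256/512, which is why the OpenSSH 7.2 minimum matters
#   ok      Ed25519 / ECDSA: unaffected
# Real use: for f in ~/.ssh/*.pub; do classify_pubkey "$(cat "$f")"; done
classify_pubkey() {
    case "${1%% *}" in
        ssh-dss)                        echo drop ;;
        ssh-rsa)                        echo sha2 ;;
        ssh-ed25519|ecdsa-sha2-nistp*)  echo ok ;;
        *)                              echo unknown ;;
    esac
}

# Returns 0 if an ssh_config text pins a cipher or MAC that GitHub is removing
# (any CBC cipher, or HMAC-SHA-1 in any variant); such a pin will make the
# connection fail to negotiate once the legacy algorithms are gone.
# Real use: config_uses_legacy "$(cat ~/.ssh/config)"
config_uses_legacy() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*(ciphers|macs)[[:space:]].*(-cbc|hmac-sha1)'
}
```

These checks only inspect the client side; the connection attempt with the "-oHostKeyAlgorithms=-ssh-rsa" option above is still the way to confirm the result against GitHub itself.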

Finally, if you are interested in learning more about the changes GitHub is making, you can check the details in the following link.
