SSH SHA-2 support in Twisted

diff --git a/content/ssh-sha-2-support-in-twisted.md b/content/ssh-sha-2-support-in-twisted.md
new file mode 100644 (file)
index 0000000..d00d03a
--- /dev/null
+++ b/content/ssh-sha-2-support-in-twisted.md
@@ -0,0 +1,53 @@
+Title: SSH SHA-2 support in Twisted
+Slug: ssh-sha-2-support-in-twisted
+Date: 2015-12-02 20:42:25 +0000
+Category: launchpad
+Tags: launchpad, openssh, planet-debian, planet-ubuntu
+
+Launchpad operates a few SSH endpoints: `bazaar.launchpad.net` and
+`git.launchpad.net` for code hosting, and `upload.ubuntu.com` and
+`ppa.launchpad.net` for uploading packages.  None of these are
+straightforward OpenSSH servers, because they don't give ordinary shell
+access and they authenticate against users' SSH keys recorded in Launchpad;
+both of these are much easier to do with SSH server code that we can use in
+library form as part of another service.  We use
+[Twisted](https://pypi.python.org/pypi/Twisted) for several other tasks
+where we need event-based networking code, and its
+[conch](https://twistedmatrix.com/trac/wiki/TwistedConch) package is a good
+fit for this.
+
+Of course, this means that it's important that conch keeps up to date with
+the cryptographic state of the art in other SSH implementations, and this
+hasn't always been the case.  OpenSSH 7.0 [dropped support for some old
+algorithms](http://www.openssh.com/txt/release-7.0), including disabling the
+1024-bit `diffie-hellman-group1-sha1` key exchange method at run-time.
+Unfortunately, this also happened to be the only key exchange method that
+Launchpad's SSH endpoints supported (conch supported the slightly better
+`diffie-hellman-group-exchange-sha1` method as well, but that was disabled
+in Launchpad due to a missing piece of configuration).  [SHA-2
+support](https://bugs.launchpad.net/bugs/1445619) was clearly called for,
+and the fact that we had to get this sorted out in conch first meant that
+everything took a bit longer than we'd hoped.
+
+In [Twisted
+15.5](https://twistedmatrix.com/pipermail/twisted-python/2015-November/029993.html),
+we contributed support for several conch improvements:
+
+ * [diffie-hellman-group14-sha1 key
+   exchange](https://twistedmatrix.com/trac/ticket/7717) (mostly by Ian
+   Moore, finished off by me)
+ * [diffie-hellman-group-exchange-sha256 key
+   exchange](https://twistedmatrix.com/trac/ticket/7672)
+ * [hmac-sha2-256 and hmac-sha2-512
+   MACs](https://twistedmatrix.com/trac/ticket/8108)
+
+Between them and with some adjustments to the
+[lazr.sshserver](https://pypi.python.org/pypi/lazr.sshserver) package we use
+to glue all this together to add support for DH group exchange, these are
+enough to allow us not to rely on SHA-1 at all, and these improvements have
+now been rolled out to all four endpoints listed above.  I've thus also
+uploaded OpenSSH 7.1 packages to Debian unstable.
+
+If you also run a Twisted-based SSH server, upgrade it now!  Otherwise it
+will be [harder](http://www.openssh.com/legacy.html) for users of recent
+OpenSSH client versions to use your server, and for good reason.