Launchpad operates a few SSH endpoints:
git.launchpad.net for code hosting, and
ppa.launchpad.net for uploading packages. None of these are
straightforward OpenSSH servers, because they don’t give ordinary shell
access and they authenticate against users’ SSH keys recorded in Launchpad;
both of these are much easier to do with SSH server code that we can use in
library form as part of another service. We use
Twisted for several other tasks
where we need event-based networking code, and its
conch package is a good
fit for this.
Of course, this means that it’s important that conch keeps up to date with
the cryptographic state of the art in other SSH implementations, and this
hasn’t always been the case. OpenSSH 7.0 dropped support for some old
algorithms, including disabling the
diffie-hellman-group1-sha1 key exchange method at run-time.
Unfortunately, this also happened to be the only key exchange method that
Launchpad’s SSH endpoints supported (conch supported the slightly better
diffie-hellman-group-exchange-sha1 method as well, but that was disabled
in Launchpad due to a missing piece of configuration). SHA-2
support was clearly called for,
and the fact that we had to get this sorted out in conch first meant that
everything took a bit longer than we’d hoped.
we contributed support for several conch improvements:
Between them and with some adjustments to the
lazr.sshserver package we use
to glue all this together to add support for DH group exchange, these are
enough to allow us not to rely on SHA-1 at all, and these improvements have
now been rolled out to all four endpoints listed above. I’ve thus also
uploaded OpenSSH 7.1 packages to Debian unstable.
If you also run a Twisted-based SSH server, upgrade it now! Otherwise it
will be harder for users of recent
OpenSSH client versions to use your server, and for good reason.