Recent versions of Termius support the SHA-2 algorithm, a secure alternative to SHA-1.
The SHA-1 algorithm can't be considered secure: since 2020, it has been possible to perform chosen-prefix attacks against SHA-1 for less than USD$50K. This is why SHA-1 will be deprecated in one of the next versions of OpenSSH.
OpenSSH added support for SHA-2 in 2016 in OpenSSH 7.2, and since then SHA-2 has been used by default. As of now, SHA-1 is used when the client doesn't support SHA-2, unless SHA-2 is enforced, which can be done like so:
- For OpenSSH version 8.5 and newer:
    AuthenticationMethods publickey
    PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256
- For OpenSSH versions prior to 8.5:
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256
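As an added example (not from this article or from the OpenSSH project), the shell helpers below pick the directive name from an OpenSSH version banner using the 8.5 cut-off above, and list any SHA-1 ssh-rsa entries left in an accepted-algorithms list. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the sshd_config directive for a given OpenSSH version
# and audit an accepted-algorithms list for SHA-1 based RSA signatures.

# Extract "MAJOR MINOR" from a banner such as "OpenSSH_8.4p1, OpenSSL 1.1.1".
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print the directive that restricts public-key signature algorithms:
# PubkeyAcceptedAlgorithms for 8.5 and newer, PubkeyAcceptedKeyTypes before.
sha2_directive() {
    mm=$(openssh_major_minor "$1")
    [ -n "$mm" ] || { echo "unrecognised version: $1" >&2; return 2; }
    set -- $mm   # $1 = major, $2 = minor
    if [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 5 ]; }; then
        echo PubkeyAcceptedAlgorithms
    else
        echo PubkeyAcceptedKeyTypes
    fi
}

# Render the two configuration lines from the article for that version.
sha2_snippet() {
    d=$(sha2_directive "$1") || return
    printf 'AuthenticationMethods publickey\n%s rsa-sha2-512,rsa-sha2-256\n' "$d"
}

# Given the comma-separated value of that directive, print the entries that
# sign with SHA-1 (plain ssh-rsa and its certificate variant), one per line.
# Prints nothing when SHA-2 is fully enforced for RSA keys.
sha1_rsa_entries() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -E -x 'ssh-rsa|ssh-rsa-cert-v01@openssh\.com' || true
}

# Constructed sample inputs (not taken from a real host).
sample_banner='OpenSSH_8.4p1, OpenSSL 1.1.1'
sample_algos='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
sha2_snippet "$sample_banner"
echo "SHA-1 entries still accepted: $(sha1_rsa_entries "$sample_algos")"
```

On a real host the banner comes from `ssh -V` and the algorithm list from the effective configuration printed by `sshd -T`.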
Termius supports SHA-2 (rsa-sha2-256/512) starting from:
- Termius for the desktop 7.12.0,
- Termius for iOS 4.8.3,
- Termius for Android 5.3.1.
The following algorithms are also good alternatives to SHA-1: ssh-ed25519, ecdsa-sha2-nistp256/384/521.
To stay secure and protect your server infrastructure, we recommend updating your OpenSSH servers and Termius apps or using ed25519 or ecdsa keys for authentication.