Support for SHA-2 in the Latest Releases Support for SHA-2 in the Latest Releases

Support for SHA-2 in the Latest Releases

Eugene Oskin Eugene Oskin

Recent versions of Termius support the SHA-2 algorithm, a secure alternative to SHA-1.

The SHA-1 algorithm can't be considered secure: since 2020, it's possible to perform chosen-prefix attacks against SHA-1 for less than USD$50K. It is why SHA-1 will be deprecated in one of the next versions of OpenSSH.

OpenSSH added support for SHA-2 in 2016 in OpenSSH 7.2, and since then SHA-2 has been used by default. As of now, SHA-1 is used when the client doesn't support SHA-2 or when SHA-2 is enforced, which can be done like so:

  • For OpenSSH version 8.5 and newer
    AuthenticationMethods publickey
    PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256
  • For OpenSSH version prior 8.5
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256

Termius supports SHA-2 (rsa-sha2-256/512) starting from:

  • Termius for the desktop 7.12.0,
  • Termius for iOS 4.8.3,
  • Termius for Android 5.3.1.

The following algorithms are also good alternatives to SHA-1: ssh-ed25519, ecdsa-sha2-nistp256/384/521.

To stay secure and protect your server infrastructure, we recommend updating your OpenSSH servers and Termius apps or using ed25519 or ecdsa keys for authentication.

Add comment

Please sign in to leave a comment.