Backlog Git-SSH enables new key exchange algorithms
Security is always our priority when it comes to your Backlog space. So to make our Git SSH connection more secure, we’re enabling a new public key type and several new key exchange algorithms. In addition, we’re disabling an old key exchange algorithm that no longer meets our security standards.
Key Changes in Backlog
Starting January 10th, 2018, our Git servers will:
- Support a new public key type and four new key exchange algorithms for SSH
- Disable the key exchange algorithm “diffie-hellman-group1-sha1”
New Public Key Type
After the update, you will be able to register an Elliptic Curve Digital Signature Algorithm (ECDSA) public key as your SSH public key on Backlog. You can also continue to use all your SSH public keys that you have already registered.
Public Key Type | At Present | After Update |
---|---|---|
DSA (ssh-dss) | X | X |
RSA (ssh-rsa) | X | X |
ECDSA (ecdsa-sha2-nistp256) | | X |
ECDSA (ecdsa-sha2-nistp384) | | X |
ECDSA (ecdsa-sha2-nistp521) | | X |
New Key Exchange Algorithms
After the update, we will support four new key exchange algorithms that are more secure than the existing ones. We will also disable the key exchange algorithm “diffie-hellman-group1-sha1”.
If your client supports one or more of the following new algorithms, it will automatically start to use them. However, if your client is set to use only “diffie-hellman-group1-sha1”, or doesn’t support any of the algorithms that remain enabled, it will not be able to connect to our Git servers.
Key Exchange Algorithm | At Present | After Update |
---|---|---|
diffie-hellman-group1-sha1 | X | |
diffie-hellman-group14-sha1 | X | X |
diffie-hellman-group-exchange-sha256 | | X |
ecdh-sha2-nistp256 | | X |
ecdh-sha2-nistp384 | | X |
ecdh-sha2-nistp521 | | X |
How to check your client settings
Please check your client's settings and its user manual for the SSH key exchange algorithms it uses. If your client does not support the new key exchange algorithms listed above, please upgrade it to the latest version. If your client is set to use diffie-hellman-group1-sha1, please change your client setting.
Example: git command
The git command uses OpenSSH for its SSH connection. If the following line is in your OpenSSH configuration file (e.g. ~/.ssh/config), your client uses diffie-hellman-group1-sha1 only.
KexAlgorithms diffie-hellman-group1-sha1
You can remove this line, or add + just before diffie-hellman-group1-sha1 so that the algorithm is appended to the client's default set instead of replacing it, as follows:
KexAlgorithms +diffie-hellman-group1-sha1
Note: OpenSSH 7.0 disabled diffie-hellman-group1-sha1 by default in August 2015, but Backlog didn’t support other key exchange algorithms for SSH until December 2015. Therefore, clients used during the period from August 2015 to December 2015 might be set to use diffie-hellman-group1-sha1 only.
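One way to script the check described above, as an added example that is not part of the original announcement or Backlog's tooling: audit_kex flags KexAlgorithms lines in an OpenSSH client configuration that leave no algorithm the servers accept after the update, and usable_kex filters a client's supported list. The function names, the sample configuration and its host names are constructed for illustration; the server list is taken from the table above.

```shell
#!/bin/sh
# Added example, not Backlog's code. Key exchange algorithms the Git servers
# accept after the update, copied from the table on this page.
SERVER_KEX="diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"

# audit_kex [FILE...]: print "<line>:<status>:<value>" for each KexAlgorithms
# directive in ssh_config-style input (stdin when no file is given).
#   defaults-kept  value starts with +, - or ^: it modifies the client defaults
#   ok             explicit list with at least one algorithm the server accepts
#   no-overlap     explicit list with none of them: the connection will fail
audit_kex() {
    awk -v server="$SERVER_KEX" '
        BEGIN { n = split(server, s, ","); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keywords are case-insensitive; the separator is blanks or "=".
            if (tolower(line) !~ /^kexalgorithms[ \t=]/) next
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            status = "no-overlap"
            if (line ~ /^[-+^]/) {
                status = "defaults-kept"
            } else {
                m = split(line, c, ",")
                for (i = 1; i <= m; i++) if (c[i] in ok) status = "ok"
            }
            printf "%d:%s:%s\n", FNR, status, line
        }' "$@"
}

# usable_kex: read algorithm names, one per line, on stdin (the format printed
# by `ssh -Q kex`) and print those the server accepts after the update.
usable_kex() {
    awk -v server="$SERVER_KEX" '
        BEGIN { n = split(server, s, ","); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        ($1 in ok) { print $1 }'
}

# Constructed sample config; the host names are made up for the example.
SAMPLE_CONFIG='Host legacy
    KexAlgorithms diffie-hellman-group1-sha1
Host appended
    KexAlgorithms +diffie-hellman-group1-sha1
Host pinned
    kexalgorithms=diffie-hellman-group1-sha1,ecdh-sha2-nistp256'
printf '%s\n' "$SAMPLE_CONFIG" | audit_kex
```

On a real client, run audit_kex against ~/.ssh/config and pipe the output of ssh -Q kex into usable_kex. An empty result from usable_kex means the client needs upgrading, and a defaults-kept line still depends on what that client's defaults contain.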
Update Plan
This update will happen across all Backlog spaces starting January 10, 2018. We will notify you of all maintenance information on your Backlog Dashboard.