Backlog Git-SSH enables new key exchange algorithms

Security is always our priority when it comes to your Backlog space. So to make our Git SSH connection more secure, we’re enabling a new public key type and several new key exchange algorithms. In addition, we’re disabling an old key exchange algorithm that no longer meets our security standards.

Key Changes in Backlog

Starting January 10th, 2018, our Git servers will:

  • Support a new public key type and four new key exchange algorithms for SSH
  • Disable the key exchange algorithm “diffie-hellman-group1-sha1”

New Public Key Type

After the update, you will be able to register an Elliptic Curve Digital Signature Algorithm (ECDSA) public key as your SSH public key on Backlog. You can also continue to use all your SSH public keys that you have already registered.

Public Key Type At Present After Update
DSA (ssh-dss) X X
RSA (ssh-rsa) X X
ECDSA (ecdsa-sha2-nistp256)   X
ECDSA (ecdsa-sha2-nistp384)   X
ECDSA (ecdsa-sha2-nistp521)   X

New Key Exchange Algorithms

After the update, we will support four new key exchange algorithms that are more secure than existing ones. Plus, we will disable the key exchange algorithm “diffie-hellman-group-sha1”.

If your client supports one or more of the following new algorithms, the client will automatically start to use them. However, if your client is set to use “diffie-hellman-group-sha1” or doesn’t support the new algorithms, the client will not connect to our Git servers.

Key Exchange Algorithm At Present After Update
diffie-hellman-group1-sha1 X  
diffie-hellman-group14-sha1 X X
diffie-hellman-group-exchange-sha256   X
ecdh-sha2-nistp256   X
ecdh-sha2-nistp384   X
ecdh-sha2-nistp521   X

How to check your client settings

Please check your client settings and its user manual about key exchange algorithms for SSH. If your client does not support the above new key exchange algorithms, please upgrade the client to the latest version. If your client is set to use diffie-hellman-group1-sha1, please change your client setting.

Example: git command

git command uses OpenSSH for its SSH connection. If the following line is in your OpenSSH configuration file (ex. ~/.ssh/config.), your client uses diffie-hellman-group1-sha1 only.

KexAlgorithms diffie-hellman-group1-sha1

You can remove this line or add + just before diffie-hellman-group1-sha1 as follows:

KexAlgorithms +diffie-hellman-group1-sha1

Note: OpenSSH 7.0 disabled diffie-hellman-group1-sha1 by default in August 2015, but Backlog didn’t support other key exchange algorithms for SSH until December 2015. Therefore, clients used during the period from August 2015 to December 2015 might be set to use diffie-hellman-group1-sha1 only.

Update Plan

This update will happen across all Backlog spaces starting January 10, 2018. We will notify you of all maintenance information on your Backlog Dashboard.

Gain skills, learn strategies, move projects forward

Collaborate and bring your projects to life with Nulab

Learn more