Last I checked, GitHub still refused to update their SSH key generation documentation to include instructions on using the "new" OpenSSH key format, leaving users with insecure private keys.
The argument for why, according to every vendor I've reported this to, is their users are stupid and will get confused by the strange new detail that if their key is copied to a server that hasn't been upgraded in 8 years, that server might not be able to read the private key [locally]. It is much easier to just use the insecure defaults. For an SSH key.
That's a bit of a stretch (pun intended). The release page clearly says "Security updates have been discontinued as of July 6th, 2020" and that updates are only available through long time support.
That said, according to packages.debian.org it ships with OpenSSH 7.4 and support for sha2 has been included since 7.2. And ed25519 has been included since 6.5, so you should be fine.
> That's a bit of a stretch (pun intended). The release page clearly says "Security updates have been discontinued as of July 6th, 2020" and that updates are only available through long time support.
Yeah, but LTS is still support :P
> That said, according to packages.debian.org it ships with OpenSSH 7.4 and support for sha2 has been included since 7.2. And ed25519 has been included since 6.5, so you should be fine.
You'd think that, but Debian do their own thing. I don't recall the exact versions, but the Include directive for sshd_config should be present in the version shipped in Debian 9, but isn't[0]. I can't find the exact listing, but for instance you can see that `ssh-keygen` in Debian 9, of version 7.4, doesn't support rsa-sha2[1]; it does support `ed25519` however.
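For readers who want to check which private key format they have, as raised in the first comment, here is an added example that is not part of the thread: a Python check that reads only the container header of a key file and reports the format and passphrase KDF. The function names and both sample keys are constructed for illustration (headers only, no real key material).

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # magic prefix of the new-format key blob
TRADITIONAL = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}

def _pack(b):
    """Encode one SSH wire 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Decode one SSH wire 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def inspect_private_key(text):
    """Report container format and passphrase KDF without parsing key material."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label in TRADITIONAL:
        # Traditional PEM encryption derives the key with MD5, no iteration count.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return {"format": "legacy-pem", "encrypted": enc,
                "kdf": "md5" if enc else None, "rounds": None}
    if label != "OPENSSH PRIVATE KEY":
        return {"format": "other", "encrypted": None, "kdf": None, "rounds": None}
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    opts, off = _string(blob, off)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, o = _string(opts, 0)
        (rounds,) = struct.unpack_from(">I", opts, o)
    return {"format": "openssh-v1", "encrypted": cipher != b"none",
            "kdf": kdf.decode(), "rounds": rounds}

def constructed_samples():
    """Constructed inputs: a new-format header and a legacy PEM stub."""
    opts = _pack(b"\x00" * 16) + struct.pack(">I", 16)
    hdr = MAGIC + _pack(b"aes256-ctr") + _pack(b"bcrypt") + _pack(opts)
    new = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(hdr).decode()
           + "\n-----END OPENSSH PRIVATE KEY-----\n")
    old = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
           "AES-128-CBC," + "00" * 16 + "\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    return new, old
```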