Improving Git protocol security on GitHub Enterprise Server
Blog post from GitHub
GitHub's Git Systems team is bringing the security changes already made on GitHub.com to GitHub Enterprise Server (GHES) version 3.6: the set of SSH algorithms and key types the appliance accepts is being tightened, and the unencrypted Git protocol (git://) is being discontinued. The specific changes are removing support for DSA keys, requiring SHA-2 signatures (rather than SHA-1) for RSA keys uploaded from now on, disabling the HMAC-SHA-1 MAC algorithm, and adding Ed25519 host keys; the unencrypted Git protocol is turned off by default, but administrators can re-enable it. The goal is to keep the cryptography sound by moving off outdated algorithms with known attacks. The changes largely match those on GitHub.com, but GHES administrators retain some configurability to accommodate different operational needs. Administrators can check their readiness with tools such as ghe-find-insecure-git-operations, which identifies insecure operations against the appliance; the transition should be smooth for anyone on a recent SSH client, since DSA client keys are rare and have not been generated by default for more than a decade. GitHub will keep monitoring usage of the deprecated features and will update the community as that usage declines.
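To see what the client side of this transition looks like, here is an added readiness check written for this page. It is not GitHub's code and is not the ghe-find-insecure-git-operations utility mentioned above; it audits a workstation for the two configurations GHES 3.6 stops accepting that a user can fix locally, DSA (ssh-dss) user keys and git:// remotes, and reports which host-key types are already pinned for the appliance in known_hosts. The hostname ghes.example.internal, the file paths and all key material in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example, not GitHub's tooling. Checks a workstation for client-side
# settings that GHES 3.6 no longer accepts: DSA (ssh-dss) user keys and
# unencrypted git:// remotes. All sample data below is constructed.

# Classify one OpenSSH public-key line by its key-type token.
# Prints "deprecated" for ssh-dss (DSA), "ok" for types GHES 3.6 still
# accepts, "unknown" for anything else (comments, blank lines, typos).
classify_pubkey_line() {
  key_type=$(printf '%s\n' "$1" | awk '{print $1}')
  case "$key_type" in
    ssh-dss) echo deprecated ;;
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
      echo ok ;;
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
      echo ok ;;
    *) echo unknown ;;
  esac
}

# Count DSA public keys in a directory; only *.pub files are read, so private
# key material is never touched.
count_dsa_pubkeys() {
  n=0
  for f in "$1"/*.pub; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      [ "$(classify_pubkey_line "$line")" = deprecated ] && n=$((n + 1))
    done < "$f"
  done
  echo "$n"
}

# Print the git:// remote URLs in a git config file, one per line; prints
# nothing when every remote already uses ssh:// or https://.
list_git_protocol_remotes() {
  sed -n 's|^[[:space:]]*url[[:space:]]*=[[:space:]]*\(git://[^[:space:]]*\).*|\1|p' "$1"
}

# Print the host-key types pinned for a hostname in a known_hosts file.
# Hashed entries (first field starting with "|1|") cannot be matched by name
# and are skipped; comma-separated host lists are handled.
known_host_key_types() {
  awk -v h="$2" '
    substr($1, 1, 3) == "|1|" { next }
    { n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) { print $2; break } }
  ' "$1" | sort -u
}

# Demo on constructed data: one DSA key, one Ed25519 key, a repo with one
# git:// remote and one ssh:// remote, and a known_hosts that already pins an
# Ed25519 host key next to the older RSA one for the appliance.
run_demo() {
  d=$(mktemp -d)
  printf 'ssh-dss AAAAB3NzaC1kc3MAAACB_demo dsa-key@laptop\n' > "$d/id_dsa.pub"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_demo ed25519-key@laptop\n' > "$d/id_ed25519.pub"
  cat > "$d/config" <<'EOF'
[remote "origin"]
    url = git://ghes.example.internal/org/repo.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = ssh://git@ghes.example.internal/org/repo.git
EOF
  printf 'ghes.example.internal ssh-ed25519 AAAAC3_demohostkey\n' > "$d/known_hosts"
  printf 'ghes.example.internal ssh-rsa AAAAB3_demohostkey\n' >> "$d/known_hosts"

  echo "DSA user keys to replace: $(count_dsa_pubkeys "$d")"
  echo "git:// remotes to migrate to ssh:// or https://:"
  list_git_protocol_remotes "$d/config"
  echo "host-key types pinned for ghes.example.internal:"
  known_host_key_types "$d/known_hosts" ghes.example.internal
  rm -rf "$d"
}
run_demo
```

Run it as-is to see the demo, or call the functions against real paths: count_dsa_pubkeys "$HOME/.ssh", list_git_protocol_remotes .git/config, and known_host_key_types "$HOME/.ssh/known_hosts" your-ghes-host. The RSA-with-SHA-2 requirement is a property of the SSH client's signature algorithms rather than of the key file, so it is not something a key-file audit can detect; an up-to-date OpenSSH client negotiates rsa-sha2-256/512 on its own.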