Date: Sun, 7 Aug 2016 15:52:27 +0300 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Andrey Chernov <ache@freebsd.org> Cc: Bruce Simpson <bms@fastmail.net>, Oliver Pinter <oliver.pinter@hardenedbsd.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@freebsd.org> Subject: Re: svn commit: r303716 - head/crypto/openssh Message-ID: <20160807125227.GC22212@zxy.spb.ru> In-Reply-To: <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com> <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net> <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote: > On 07.08.2016 14:59, Bruce Simpson wrote: > > On 07/08/16 12:43, Oliver Pinter wrote: > >>> I was able to override this (somewhat unilateral, to my mind) > >>> deprecation of the DH key exchange by using this option: > >>> -oKexAlgorithms=+diffie-hellman-group1-sha1 > >> > >> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too. > > > > Can this at least be added (commented out, if you really want to enforce > > this policy on users out-of-the-box) to the former file in FreeBSD > > itself? And a note added to UPDATING? > > > > Otherwise, it's almost as though those behind the change are assuming > > that users will just know exactly what to do in their operational > > situation. That's a good way to cause problems for folk using FreeBSD in > > IT operations. > > > > (systemd epitomises this kind of foot shooting.) > > > > I understand already - you want to deprecate a set of key exchanges, and > > believe in setting an example - but the rest of the world might not be > > ready for that just yet. > > > > You should address your complains to original openssh author instead, it > was his decision to get rid of weak algos. In my personal opinion, if > your hardware is outdated, just drop it out. Hardware outdated by outdated main function, not by outdated ssh upstream. > We can't turn our security > team into compatibility team, by constantly restoring removed code, such > code quickly becomes outdated and may add new security holes even being > inactive. What is security hole by present this ciphers in _client_?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160807125227.GC22212>