Date:      Sun, 7 Aug 2016 18:37:29 +0100
From:      Bruce Simpson <bms@fastmail.net>
To:        Andrey Chernov <ache@freebsd.org>, Warner Losh <wlosh@bsdimp.com>
Cc:        Slawa Olhovchenkov <slw@zxy.spb.ru>, Oliver Pinter <oliver.pinter@hardenedbsd.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Dag-Erling Smørgrav <des@freebsd.org>
Subject:   Re: svn commit: r303716 - head/crypto/openssh
Message-ID:  <950021bd-a6d3-7b6d-73fb-74fd9900b306@fastmail.net>
In-Reply-To: <0740b662-4a36-f834-229a-d16a5a6dde14@freebsd.org>
References:  <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com> <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net> <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> <20160807125227.GC22212@zxy.spb.ru> <7237f5e6-fd65-a7e5-7751-4ed1c464b39a@freebsd.org> <4D28752C-0584-4294-9250-FA88B0C6E805@bsdimp.com> <c54673d0-8edd-b185-c86e-95a6aa6d0846@fastmail.net> <32b82f9f-7f78-6358-030a-90aed54bb8a8@freebsd.org> <0740b662-4a36-f834-229a-d16a5a6dde14@freebsd.org>

On 07/08/16 18:34, Andrey Chernov wrote:
>>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
>>> accepted the upstream change, workaround no-go)
>>>
>>> [2.3.2-RELEASE][root@gw.lab]/root: ssh -l admin
>>> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
>>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX
>>> group out of range
>> DH prime size must be at least 2048; OpenSSH now refuses lower values.
>> The commonly used DH size 1024 can be easily broken. See https://weakdh.org
>>
> diffie-hellman-group1-sha1 uses both DH 1024 and insecure SHA-1.
>

I appreciate that, but what do I as a user do about it? My distribution 
has changed behaviour I rely on in an operational setting. My initial 
reaction is likely to be one of confusion, and general dismay.

I appreciate that this is done for security reasons, but it could take 
an arbitrarily long time for a lot of deployed hardware in current use 
to be updated.

(On the other hand, the introduction of, say ED25519 has been more 
gradual, and has tended to see uptake in e.g. Linux-based ARM products.)
