From owner-svn-src-head@freebsd.org Sun Aug 7 11:40:44 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 49D85BAE95C; Sun, 7 Aug 2016 11:40:44 +0000 (UTC) (envelope-from bms@fastmail.net) Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 212481C9E; Sun, 7 Aug 2016 11:40:43 +0000 (UTC) (envelope-from bms@fastmail.net) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id BCE29202C1; Sun, 7 Aug 2016 07:40:42 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute2.internal (MEProxy); Sun, 07 Aug 2016 07:40:42 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.net; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=Xt9bKD9wjXwPdwYvyS900wt6Wv8=; b=UwLLP5 /+P8zW6omsolZzRQbD3MkjtHF8UHLAJj6ex66paWCUSdseBiGdVMwpnLbH2ojqef Civp3WEqTNO3vKrCztSJ6A2D6rPxRh+rharseYc9ZvvoW9OayvZyNOZ/e0eAhHCk HMB5kwTouReJHwg9mdc+3qhZkMx9CTggKqdsc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=Xt9bKD9wjXwPdwY vyS900wt6Wv8=; b=pQlIylqVwuG39/sxZmz9fwpKbtgBlBhHh72YH3uP+70minB 0pJq1OsHdWjcfyJQxJltaulMz7yWCynM6Vy2CRphYWjQ/KHzBjaJf+7L/GCo1ccY N4RPJr9QuT5+vUZY1ox9BOxKxhXA/C4emTirDF7ALPQcV/h4iSIGxr5mNkO8= X-Sasl-enc: /DbiMTYnPffmku0XEqGYWw28YqV2YeoGtk7jTCgX38TK 1470570042 Received: from pion.local (5751ac42.skybroadband.com [87.81.172.66]) by mail.messagingengine.com (Postfix) with ESMTPA id CD1A9F296E; Sun, 7 Aug 2016 07:40:41 -0400 (EDT) Subject: Re: svn commit: r303716 - head/crypto/openssh To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org References: <201608031608.u73G8Mjq055909@repo.freebsd.org> From: Bruce Simpson Message-ID: <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> Date: Sun, 7 Aug 2016 12:40:38 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Aug 2016 11:40:44 -0000 On 07/08/16 11:58, Bruce Simpson wrote: > Is there a way to revert this change, at least on an ongoing operational > basis (e.g. configuration file) for those of us who use FreeBSD to > connect directly to such devices? I was able to override this (somewhat unilateral, to my mind) deprecation of the DH key exchange by using this option: -oKexAlgorithms=+diffie-hellman-group1-sha1 Obviously that is too much of a mouthful for day-to-day operational memory. I shudder to think how a novice SSH user, who is otherwise competent with network switches, is going to cope with this confusion. OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other reason) cipher suite is an ideologically sound move, but the road to hell is paved with good intentions. But surely the operational implications of this on people who use SSH on a daily basis could have been better thought out, given many of these devices cannot just magically be updated to stop using DH? As I've said this may not affect just Netonix devices, but a wide range of network devices which -- let's be frank -- be grateful they even have a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H. Strikes me as foot shooting. Just my 2c. Please, at least add a central knob for overriding this. pfSense took the change too. I couldn't log in to our local Netonix this morning (without booting up a Linux laptop), which violated POLA horribly for me.